I have used it in some cases. I need to check how I have configured it when back on my laptop.

Thanks @isoutamo.
Much appreciated.
God bless.

This works on my laptop (macOS + Splunk 9.2.1)

See details from here https://marketplace.visualstudio.com/items?itemName=Splunk.splunk

I have set next values on settings.json

• Splunk Rest Url -- https://localhost:8089
• Token auth has enabled and I have generate own token for this

Then just create file e.g. Splunk-SPL-test.splnb

index=_internal | stats count by component

Run it and you see events and can select also visualisation etc. 

Thanks @isoutamo 

I  made your suggested changes, including created a new token. Unforutnately, it didn't work. 

WARN: call not properly authenticated

There is zeero usable info on the Internet about this error. Plus, when I run a Wireshark capture the token and other info indicates the authentication is not leaving my PC. The issue appears to be within VSCode and the Splunk Extension.

Thanks and God bless. 
Genesius

 

 

 

I have the latest(?) Splunk VSCode extension on my splunk instance. That instance is on my laptop too. If you are trying to use remote instance you must use correct node name and port on settings.json instead of localhost.

I'm not sure if I have run this against another splunk instances or only towards my on dev/test at the same node than running viscode.

@isoutamo

This is my settings.json. 

 

{
    "liveServer.settings.AdvanceCustomBrowserCmdLine":"chrome",
    "editor.fontSize": 24,
    "workbench.editor.enablePreview": false,
    "splunk.commands.splunkRestUrl": "https://<SERVER_NAME>:8089",
    "splunk.commands.token": "<TOKEN>",
    "splunk.reports.SplunkSearchHead": "https://<SERVER_NAME>:8080",
    "notebook.lineNumbers": "on",
    "terminal.integrated.profiles.windows": {
        "PowerShell": {
            "source": "PowerShell",
            "icon": "terminal-powershell"
        },
        "Command Prompt": {
            "path": [
                "${env:windir}\\Sysnative\\cmd.exe",
                "${env:windir}\\System32\\cmd.exe"
            ],
            "args": [],
            "icon": "terminal-cmd"
        },
        "Git Bash": {
            "source": "Git Bash"
        },
        "Windows PowerShell": {
            "path": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
        }
    },
    "terminal.integrated.defaultProfile.windows": "Git Bash",
    "files.exclude": {
        "**/.git": false
    },
    "workbench.colorTheme": "Visual Studio Dark",
    "workbench.iconTheme": "vscode-icons",
    "liveServer.settings.donotShowInfoMsg": true,
    "workbench.commandPalette.history": 500,
    "settingsSync.ignoredSettings": [
        
    ]
}

 

I ran  lsof -i | grep 8089 on the Splunk server and its listening.

 

 lsof -i | grep 8089
splunkd   62692 splunk   29u  IPv4 581627143      0t0  TCP <SERVER_NAME>:59190-><SERVER_NAME>:8089 (ESTABLISHED)
java      66146 splunk   84u  IPv4 927511885      0t0  TCP localhost:43216->localhost:8089 (ESTABLISHED)
splunkd   86761 splunk    4u  IPv4 317159394      0t0  TCP *:8089 (LISTEN)
splunkd   86761 splunk  151u  IPv4 927515713      0t0  TCP localhost:8089->localhost:43216 (ESTABLISHED)

 

I ran netstat -ano | find /i "8089"

 

TCP 0.0.0.0:8089 0.0.0.0:0 LISTENING 6080

 

Ran my splnb file in VSC, and reran the netstat command.

 

  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       6080
  TCP    10.37.112.133:29160    10.100.47.105:8089     TIME_WAIT       0

 

No I know an attempt was made.

I started a Wireshark trace and reran my splnb file.

The TLS handshake, certs, etc. seem to exchange without any issue. However, once my laptop sends application data, the Splunk server responds with "Encrypted Alert" My laptop responds to the "Encrypted Alert" with one of its own. Then a 4-way graceful disconnect.

How do I find out on the Splunk server what caused it to send an Encypted Alert?

My SPL is 

 

index=_internal | stats count by component

 

Thanks for your help. It is late here. Enjoy your weekend and God bless,
Genesius

Is your SH running on port 8080 or default 8000?
You should look if there is anything on your splunk server logs. Check also other than splunkd.log!
You have also latest version of TA for vscode on your splunk server?

Thanks @isoutamo 

According to my url in the GUI, SH is running 8080.

I will check the Splunkserver logs.

The TA is not installed. However, based on the doc below for the TA is it necessary

"The Splunk Add-on for Microsoft Visual Studio Code provideexits support for debugging user Python code contained in apps, add-ons, custom search commands, custom REST handlers, modular visualizations, or any user Python code run within Splunk Enterprise."

Is the VSC .splnb is not python code. But is it considered a custom search command?

Thanks and God bless,
Genesius

---

I don't know for sure, but I think that those are basically jupyter playbooks which are using python?
You can easily check this by installing that TA/App into your splunk server and check if it start to work after that?

@isoutamo 

It has been a crazy week. And now I'm going on vacation. We'll take this up again in June.

Thanks for all your help and God bless,
Genesius

Did you ever figure out what the issue was? I am having the same issue with VSCode and the API, however it did work at one point earlier this year and has now stopped working. I don't know exactly when because it has not been a regular thing to use VSCode to search our Splunk Cloud.