Flared · markkasaboski · Feb 10, 2025 · Feb 7, 2025
diff --git a/packages/flare/bin/cron_job_ingest_events.py b/packages/flare/bin/cron_job_ingest_events.py
@@ -343,13 +343,14 @@ def fetch_feed(
         logger.error(f"Exception={e}")
 
 
-def get_splunk_service(logger: Logger) -> Service:
+def get_splunk_service(logger: Logger, token: str) -> Service:
     try:
         splunk_service = client.connect(
             host=HOST,
             port=SPLUNK_PORT,
             app=APP_NAME,
-            token=sys.stdin.readline().strip(),
+            token=token,
+            autologin=True,
         )
     except Exception as e:
         logger.error(str(e))
@@ -360,7 +361,13 @@ def get_splunk_service(logger: Logger) -> Service:
 
 if __name__ == "__main__":
     logger = Logger(class_name=__file__)
-    splunk_service: Service = get_splunk_service(logger=logger)
+    token = sys.stdin.readline().strip()  # SEE: passAuth in https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Inputsconf
+    if not token:
+        raise Exception(
+            "Token not found - Go through the complete app configuration to update the user token."
+        )
+
+    splunk_service: Service = get_splunk_service(logger=logger, token=token)
     app: Application = splunk_service.apps[APP_NAME]
 
     main(

diff --git a/packages/react-components/src/models/splunk.ts b/packages/react-components/src/models/splunk.ts
@@ -60,6 +60,7 @@ export interface Service {
     indexes: () => Indexes;
     savedSearches: () => Collection<Entity>;
     serverInfo: () => any;
+    currentUser: () => any;
     get: (splunkUrlPath: string, data: any) => HTTPResponse;
     post: (splunkUrlPath: string, data: any) => HTTPResponse;
 }
diff --git a/packages/react-components/src/utils/setupConfiguration.ts b/packages/react-components/src/utils/setupConfiguration.ts
@@ -152,6 +152,7 @@ async function saveConfiguration(
         SEVERITY_SAVED_SEARCH_NAME,
         `source=${APP_NAME} index=${indexName} earliest=-24h latest=now | spath path=header.risk.score output=risk_score_str | eval risk_score = coalesce(tonumber(risk_score_str), 0)  | eval risk_label = case(risk_score == 1, "Info", risk_score == 2, "Low", risk_score == 3, "Medium", risk_score == 4, "High", risk_score == 5, "Critical")  | stats count by risk_label, risk_score | sort risk_score | fields - risk_score`
     );
+    await updatePassAuthUsername(service);
     await completeSetup(service);
     await reloadApp(service);
     if (isFirstConfiguration) {
@@ -174,6 +175,18 @@ async function updateEventIngestionCronJobInterval(
     );
 }
 
+async function updatePassAuthUsername(service: Service): Promise<void> {
+    const username = await fetchCurrentUsername();
+    await updateConfigurationFile(
+        service,
+        'inputs',
+        'script://$SPLUNK_HOME/etc/apps/flare/bin/cron_job_ingest_events.py',
+        {
+            passAuth: username,
+        }
+    );
+}
+
 async function updateSavedSearchQuery(
     service: Service,
     savedSearchName: string,
@@ -422,6 +435,13 @@ function getSourceTypesFilterValue(
     return sourceTypesFilter;
 }
 
+function fetchCurrentUsername(): Promise<string> {
+    const service = createService();
+    return promisify(service.currentUser)().then((user) => {
+        return user.name;
+    });
+}
+
 export {
     createFlareIndex,
     fetchApiKey,