|
| 1 | +# Splunk Observability Token Expiration Monitor |
| 2 | + |
| 3 | +A tool to monitor Splunk Observability Cloud token expiration. Fetches tokens, calculates expiry, and sends `token.days_until_expiration` as a custom metric for monitoring and alerting. |
| 4 | + |
| 5 | +## Prerequisites |
| 6 | + |
| 7 | +* [`uv`](https://github.com/astral-sh/uv) installed |
| 8 | +* The script uses the `uv run --script` header to manage its dependencies automatically |
| 9 | +* Make the script executable: `chmod +x splunk_o11y_token_health.py` |
| 10 | + |
| 11 | +## Configuration |
| 12 | + |
| 13 | +Configure via environment variables or CLI arguments. CLI arguments take precedence. |
| 14 | + |
| 15 | +### Required: |
| 16 | + |
| 17 | +* **Realm:** Splunk Observability realm (e.g., `us0`, `us1`) |
| 18 | + * Env: `SPLUNK_REALM` |
| 19 | + * CLI: `--realm` (Default: `us1`) |
| 20 | + |
| 21 | +* **Authentication:** The script needs a session token to authenticate with Splunk Observability Cloud |
| 22 | + * **Option 1: Automatic Session Token Creation** (for non-SSO organizations only): |
| 23 | + * This method uses the API to generate a session token automatically |
| 24 | + * Caches token for ~55 mins (`.session_token_cache.json`) |
| 25 | + * Env: `SPLUNK_EMAIL`, `SPLUNK_PASSWORD`, `SPLUNK_ORG_ID` |
| 26 | + * CLI: `--use-session`, `--email`, `--password`, `--org-id` (Use `$SPLUNK_PASSWORD` env var for safety) |
| 27 | + * **Note:** This method will not work if your organization uses SSO. |
| 28 | + |
| 29 | + * **Option 2: Pre-obtained Session Token** (works for all organizations, including SSO): |
| 30 | + * Manually obtain a session token from the Splunk Observability Cloud UI |
| 31 | + * Env: `SPLUNK_API_TOKEN` (despite the name, this should be a session token) |
| 32 | + * CLI: `--api-token` |
| 33 | + |
| 34 | + > **Important:** For SSO-enabled organizations, Option 1 will not work. You must use Option 2. |
| 35 | +
|
| 36 | +* **Ingest Token:** Splunk Observability Ingest token (requires ingest permissions) |
| 37 | + * Env: `SPLUNK_INGEST_TOKEN` |
| 38 | + * CLI: `--ingest-token` (Not needed if using `--dry-run`) |
| 39 | + |
| 40 | +**Optional:** |
| 41 | + |
| 42 | +* `--page-size`: Tokens per API request (Default: 100) |
| 43 | +* `--dry-run`: Process data and show planned metrics, but do not send them |
| 44 | +* `--include-all-tokens`: disables default expiry filtering (see below); includes all valid tokens. |
| 45 | + |
| 46 | +## Default Expiry filtering |
| 47 | + |
| 48 | +By default, the script only processes and sends metrics for tokens that meet these criteria: |
| 49 | +* Expire within the next **100 days** (`<= 100`). |
| 50 | +* Have expired within the last **30 days** (`>= -30`). |
| 51 | + |
| 52 | +Use the `--include-all-tokens` flag to bypass this filter and process all tokens with valid expiration dates |
| 53 | + |
| 54 | +## Usage |
| 55 | + |
| 56 | +Ensure the script is executable (`chmod +x splunk_o11y_token_health.py`). Since the script uses the `uv run --script` header, `uv` will handle the environment and dependencies when you execute it directly. |
| 57 | + |
| 58 | +### 1. Using Pre-obtained Session Token (Option 2, works for all organizations): |
| 59 | + |
| 60 | +```bash |
| 61 | +# Set required environment variables |
| 62 | +export SPLUNK_REALM="us1" |
| 63 | +export SPLUNK_API_TOKEN="YOUR_SESSION_TOKEN" # Session token from Splunk O11y UI |
| 64 | +export SPLUNK_INGEST_TOKEN="YOUR_INGEST_TOKEN" |
| 65 | + |
| 66 | +# Execute the script directly |
| 67 | +./splunk_o11y_token_health.py |
| 68 | +``` |
| 69 | + |
| 70 | +### 2. Using Automatic Session Token Creation (Option 1, non-SSO orgs only): |
| 71 | + |
| 72 | +```bash |
| 73 | +# Set required environment variables |
| 74 | +export SPLUNK_REALM="eu0" |
| 75 | +export SPLUNK_EMAIL= "[email protected]" |
| 76 | +export SPLUNK_PASSWORD='your_secret_password' # Use env var! |
| 77 | +export SPLUNK_ORG_ID="YOUR_ORG_ID" |
| 78 | +export SPLUNK_INGEST_TOKEN="YOUR_INGEST_TOKEN" |
| 79 | + |
| 80 | +# Execute the script with the session flag. |
| 81 | +./splunk_o11y_token_health.py --use-session |
| 82 | +``` |
| 83 | + |
| 84 | +> **Note:** Cached tokens are reused automatically if valid. |
| 85 | +
|
| 86 | +### 3. Dry Run: |
| 87 | + |
| 88 | +```bash |
| 89 | +# Assumes required auth env vars are set |
| 90 | +./splunk_o11y_token_health.py --dry-run |
| 91 | +``` |
| 92 | + |
| 93 | +### 4. Disable Default filtering |
| 94 | + |
| 95 | +```bash |
| 96 | +./splunk_o11y_token_health.py --include-all-tokens |
| 97 | +``` |
| 98 | + |
| 99 | + |
| 100 | +## Output Metric |
| 101 | + |
| 102 | +Sends a gauge metric to Splunk Observability Cloud: |
| 103 | + |
| 104 | +* **`token.days_until_expiration`**: Days until token expiry (negative if expired) |
| 105 | + * **Dimensions:** `token_name`, `token_id`, `token_type`, `expiration_date`, `auth_scopes` |
| 106 | + |
| 107 | +## Session Token Caching |
| 108 | + |
| 109 | +When using `--use-session`, a successfully created session token is cached in `.session_token_cache.json` for approximately 55 minutes. Subsequent runs with `--use-session` within this period will reuse the cached token. API token authentication (`--api-token`) does not use this cache. |
| 110 | + |
| 111 | +## Exit Codes |
| 112 | + |
| 113 | +* **0**: Success (metrics sent, or dry run completed, or no relevant tokens found) |
| 114 | +* **1**: Failure (configuration error, API error, metric sending failed) |
| 115 | + |
| 116 | +## References |
| 117 | +- https://dev.splunk.com/observability/reference/api/sessiontokens/latest |
| 118 | +- https://dev.splunk.com/observability/reference/api/org_tokens/latest#endpoint-retrieve-tokens-using-query |
| 119 | +- https://dev.splunk.com/observability/reference/api/ingest_data/latest#endpoint-send-metrics |
0 commit comments