REST API Input in Add-on Builder: POST body not affecting response

rayleigh29
Loves-to-Learn

I'm using Splunk Add-on Builder to configure a REST API input for Samsung Knox.

REST URL: https://region.manage.samsungknox.com/emm/oapi/audit/read

POST Request Headers:

  • Authorization: Bearer <token>
  • Content-Type: application/x-www-form-urlencoded

POST Request Body:

  • client_id
  • client_secret
  • grant_type
  • timeZone = +07:00
  • includeProcessInfo = true
  • includeLogData = true

The request is successfully sent, but the response always returns timestamps in UTC (+00:00) and doesn't seem to reflect the timeZone (auditTimestampText) or other body parameters I requested.

When I test this in Postman, I get the expected log results with localized timestamps and full data.

But when I configure the same request in Add-on Builder, the response seems incomplete or ignores the body parameters — especially timeZone.

Reference for Samsung Knox API (https://docs.samsungknox.com/dev/knox-manage/api/#tag/Audit/operation/read)

Any information on how to debug this? Or any workaround for this?

Thank you.

0 Karma

PickleRick
SplunkTrust

But is that parameter supposed to control the output or the input of the search time range?

0 Karma

rayleigh29
Loves-to-Learn

You mean the timeZone parameter?

In Postman, setting timeZone=+07:00 actually changes the output field "auditTimestampText" to reflect the specified timezone — I get timestamps like 2025-10-31T23:18:00.663+07:00 instead of 2025-10-31T23:18:00.663+00:00.

0 Karma

PickleRick
SplunkTrust

Well, since it's TLS and you can't just eavesdrop on the wire, unless there is a way to raise logging level for add-on builder (I'm not sure about that) the way to go to see what's actually being sent would be to set up a MITM proxy server.

0 Karma
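
Added example, not part of the thread and not Splunk or Samsung code: a loopback capture endpoint used here in place of the MITM proxy suggested above, to record what a client actually puts in the POST body. It assumes the input can be pointed temporarily at a plain-HTTP URL with placeholder credentials; port 8099 and the names `analyse`, `start_capture` and `CaptureHandler` are made up for this sketch.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Body parameters listed in the original post.
EXPECTED = {"client_id", "client_secret", "grant_type",
            "timeZone", "includeProcessInfo", "includeLogData"}
CAPTURED = []  # one result dict per request received

def analyse(method, content_type, raw_body):
    """Parse a captured request and report which expected parameters are missing."""
    text = raw_body.decode("utf-8", "replace")
    # Keep the undecoded timeZone value: form decoding turns a literal "+"
    # into a space, so "+07:00" only survives if it was sent as "%2B07:00".
    raw_pairs = dict(p.split("=", 1) for p in text.split("&") if "=" in p)
    params = {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}
    if "client_secret" in params:
        params["client_secret"] = "<redacted>"  # never log the secret itself
    return {"method": method, "content_type": content_type, "params": params,
            "timeZone_raw": raw_pairs.get("timeZone"),
            "missing": sorted(EXPECTED - params.keys())}

class CaptureHandler(BaseHTTPRequestHandler):
    def _capture(self):
        length = int(self.headers.get("Content-Length") or 0)
        result = analyse(self.command, self.headers.get("Content-Type", ""),
                         self.rfile.read(length))
        CAPTURED.append(result)
        print(result)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b"{}")

    do_GET = do_POST = _capture  # a GET here means the body was dropped entirely

    def log_message(self, *args):  # silence the default access log
        pass

def start_capture(port=0):
    """Start the endpoint on loopback only; returns (server, bound_port)."""
    server = HTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    srv, port = start_capture(8099)  # assumed free port
    print(f"Send the request to http://127.0.0.1:{port}/emm/oapi/audit/read")
    threading.Event().wait()  # run until interrupted
```

Sending the same request from Postman and from the add-on input and comparing the two printed results shows whether the method, Content-Type, parameter set or `+` encoding differs.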