REST_TA inputs.conf vs curl

tobinbxnz
Explorer

I am trying to use the REST_TA to retrieve records from the TrendMicro CAS REST API.

The rest_ta errors with a timeout, and a curl with the equivalent headers and parameters returns a JSON result. This would indicate that the inputs.conf is somehow wrong.

Here is the inputs.conf (sensitive info is masked):

[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
activation_key = XXXACTIVATIONKEYHEREXXX
http_method = GET
auth_type = none
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"
url_args = service=exchange,event=securityrisk
response_type = json
polling_interval = 300
index = staging
index_error_response_codes = 0
sequential_mode = 0
sourcetype = trend:cloud:tmcas
streaming_request = 0

And gives the following result:

INFO Starting new HTTPS connection (1): api.tmcas.trendmicro.com
ERROR HTTP Request Timeout error: HTTPSConnectionPool(host='api.tmcas.trendmicro.com', port=443): Read timed out.

The curl I have constructed to use the same values is this:

curl -H "Authorization: Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY" "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z"

And gives the JSON result:

{"current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z","next_link":"","security_events":[]}

What am I doing wrong?

0 Karma

tobinbxnz
Explorer

The issue is in this config line:

http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"

The quotes are not required, so it should read:

http_header_propertys = Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY

Many thanks to the support on the BaboonBones Slack support channel.

0 Karma
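
A small lint for the quoting mistake resolved above, as an added example that is not part of the original posts and is not the add-on's own code. It assumes the header value is split into pairs on commas and then on the first `=`, with no quote stripping; the stanza names and `PLACEHOLDER_TOKEN` are constructed.

```python
import configparser

# Constructed sample: the quoted and unquoted forms of the header line from the thread.
SAMPLE_CONF = """
[rest://quoted]
http_header_propertys = "Authorization=Bearer PLACEHOLDER_TOKEN"

[rest://unquoted]
http_header_propertys = Authorization=Bearer PLACEHOLDER_TOKEN
"""

QUOTES = ('"', "'")

def parse_headers(raw, delimiter=","):
    """Assumed parsing model: split pairs on the delimiter, then on the first '='.
    Nothing strips quotes, so they stay inside the header name and value."""
    headers = {}
    for item in raw.split(delimiter):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        headers[name.strip()] = value.strip()
    return headers

def lint_rest_inputs(conf_text):
    """Return {stanza: [problems]} for rest:// stanzas whose headers carry stray quotes."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        if not stanza.startswith("rest://"):
            continue
        raw = parser.get(stanza, "http_header_propertys", fallback="")
        problems = []
        for name, value in parse_headers(raw).items():
            if any(q in name for q in QUOTES):
                problems.append(f"header name contains a quote: {name!r}")
            if value.startswith(QUOTES) or value.endswith(QUOTES):
                problems.append(f"header value for {name!r} starts or ends with a quote")
        if problems:
            findings[stanza] = problems
    return findings

if __name__ == "__main__":
    for stanza, problems in lint_rest_inputs(SAMPLE_CONF).items():
        print(stanza, problems)
```

Under that assumption the quoted line yields a header named `"Authorization` rather than `Authorization`, so the bearer token never reaches the API in the header it expects.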