We are trying to use the Splunk Stream REST API
https://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/SplunkAppforStreamRESTAPI
We are able to see the configs
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp
curl -X GET -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp
{"sourcetype": "stream:udp", "modifiedBy": "admin", "protocolName": "UDP", "fields": [{"term": "flow.bytes", "desc": "The total number of bytes transferred", "enabled": true, "name": "bytes", "aggType": "value"}, {"term": "flow.c-ip", "desc": "Client IP Address", "enabled": true, "name": "src_ip", "aggType": "value"}, {"term": "flow.c-mac", "desc": "Client packets MAC address in hexadecimal format", "enabled": true, "name": "src_mac", "aggType": "value"}, {"term": "flow.c-port", "desc": "Client port number", "enabled": true, "name": "src_port", "aggType": "value"}, {"term": "flow.cs-bytes", "desc": "The number of bytes sent from client to server", "enabled": true, "name": "bytes_in", "aggType": "value"}, {"term": "flow.cs-content", "desc": "All raw payload content sent from client to server", "enabled": false, "name": "src_content", "aggType": "value"}, {"term": "flow.cs-packets", "desc": "The total number of packets sent from client to server", "enabled": true, "name": "packets_in", "aggType": "value"}, {"term": "flow.interface-name", "desc": "Name of network interface", "enabled": false, "name": "network_interface", "aggType": "value"}, {"term": "flow.hostname", "desc": "Hostname where flow was captured", "enabled": false, "name": "capture_hostname", "aggType": "value"}, {"term": "flow.protocol", "desc": "Level 7 protocol name (http, ftp, etc.)", "enabled": true, "name": "app", "aggType": "value"}, {"term": "flow.s-ip", "desc": "Server IP Address", "enabled": true, "name": "dest_ip", "aggType": "value"}, {"term": "flow.s-mac", "desc": "Server packets MAC address in hexadecimal format", "enabled": true, "name": "dest_mac", "aggType": "value"}, {"term": "flow.s-port", "desc": "Server port number", "enabled": true, "name": "dest_port", "aggType": "value"}, {"term": "flow.sc-bytes", "desc": "The number of bytes sent from server to client", "enabled": true, "name": "bytes_out", "aggType": "value"}, {"term": "flow.sc-content", "desc": "All raw payload content sent from 
server to client", "enabled": false, "name": "dest_content", "aggType": "value"}, {"term": "flow.sc-packets", "desc": "The total number of packets sent from server to client", "enabled": true, "name": "packets_out", "aggType": "value"}, {"term": "flow.time-taken", "desc": "Number of microseconds that it took to complete a flow event, from the end user's perspective", "enabled": true, "name": "time_taken", "aggType": "value"}, {"term": "flow.vlan-id", "desc": "VLAN ID from 802.1Q header", "enabled": false, "name": "vlan_id", "aggType": "value"}, {"term": "flow.flow-id", "desc": "Flow Id", "enabled": true, "name": "flow_id", "aggType": "value"}, {"term": "flow.protocol-stack", "desc": "Protocol stack of flow", "enabled": true, "name": "protocol_stack", "aggType": "value"}], "_key": "udp", "streamType": "event", "aggregated": false, "app": "Stream", "filters": {"matchAllComparisons": true, "comparisons": []}, "statsOnly": false, "extras": {"eventType": "flow.udp-event"}, "_user": "nobody", "index": null, "category": "Networking", "isReferenceStream": true, "id": "udp", "name": "UDP Flow Events", "enabled": true}[
But we cannot figure out how to edit them
curl -X PUT -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streams/udp/enable
We could not figure out how to get valid header tokens.
It is mentioned that we should be able to get this information from the GET request, but all we get is
HTTP/1.1 200 OK
Date: Wed, 22 Feb 2017 10:42:16 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 3383
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=bda9573630ba5e19964c235345a9b53c8d449e96; expires=Thu, 23 Feb 2017 10:42:16 GMT; httponly; Path=/; secure
Server: Splunkd
How do we get the necessary information to set the following parameters?
-H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469"

Hello
There are two steps involved in getting all the tokens.
If you’re using curl, follow the below steps —
(If you’re using POSTMAN or similar services, the splunkd and csrf tokens are extracted and used automatically by the application as long as there is an active web session. They can be found in the cookies tab.)
- RUN curl -c - -k http://localhost:8000/en-US/account/login to collect the “cval” set-cookie value
EG:
localhost FALSE /en-US/account/ FALSE 0 cval 1850823966
localhost FALSE /en-US/account FALSE 1645485022 splunkweb_uid B0016BF4-2725-475F-9CEF-968387C83900
- RUN curl -c - -k http://localhost:8000/en-US/account/login -H "Cookie: cval=1850823966" -d username= -d password= -d cval=1850823966 to retrieve the other tokens
EG:
HttpOnly_localhost FALSE / FALSE 1487808793 splunkd_8000 UDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFCcKsSYqpkJEtQjIsDguZNGsC4NuOXithfgjYkC
localhost FALSE / FALSE 1645485193 splunkweb_csrf_token_8000 12523149765193777622
NOTE: The splunkweb_csrf_token_8000 is the X-Splunk-Form-Key as well.
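
Added example, not part of the original answer: once the two login steps have written a cookie jar, the tokens can be read back and turned into the headers the PUT needs. The helper names (`cookie_value`, `stream_headers`, `stream_put`, `write_sample_jar`) are hypothetical and the sample jar values are constructed.

```shell
#!/bin/sh
# Added example: read the Splunk Web session tokens from a curl cookie jar
# (Netscape format) and build the headers for a Stream REST API write request.

# cookie_value JAR NAME: print the value of cookie NAME.
# curl marks HttpOnly cookies with a "#HttpOnly_" host prefix, so those lines
# must not be thrown away as comments or the splunkd_<port> cookie is lost.
cookie_value() {
    awk -v name="$2" '
        { sub(/^#HttpOnly_/, "") }     # keep HttpOnly entries
        /^#/ || NF < 7 { next }        # skip real comments and short lines
        $6 == name { print $7; exit }  # host flag path secure expiry name value
    ' "$1"
}

# stream_headers JAR PORT: print one request header per line.
# Returns 1 if a token is missing, e.g. when the login POST was rejected.
stream_headers() {
    sess=$(cookie_value "$1" "splunkd_$2")
    csrf=$(cookie_value "$1" "splunkweb_csrf_token_$2")
    [ -n "$sess" ] && [ -n "$csrf" ] || return 1
    printf 'Cookie: splunkd_%s=%s; splunkweb_csrf_token_%s=%s\n' "$2" "$sess" "$2" "$csrf"
    printf 'X-Splunk-Form-Key: %s\n' "$csrf"   # same value as the CSRF cookie
    printf 'X-Requested-With: XMLHttpRequest\n'
}

# stream_put JAR PORT URL: send the PUT with those headers (needs a live server).
# No -k here, so the server certificate is verified on https URLs.
stream_put() {
    hdrs=$(stream_headers "$1" "$2") || { echo "missing session tokens" >&2; return 1; }
    set -- "$3"
    while IFS= read -r h; do set -- "$@" -H "$h"; done <<EOF
$hdrs
EOF
    curl -sS -X PUT -H "Content-Type: application/json" "$@"
}

# write_sample_jar FILE: constructed jar in the layout `curl -c FILE` writes.
write_sample_jar() {
    ( umask 077   # the jar holds a live session, keep it private
      printf '# Netscape HTTP Cookie File\n' > "$1"
      printf '#HttpOnly_localhost\tFALSE\t/\tFALSE\t0\tsplunkd_8000\tEXAMPLE_SESSION\n' >> "$1"
      printf 'localhost\tFALSE\t/\tFALSE\t0\tsplunkweb_csrf_token_8000\t1234567890\n' >> "$1" )
}
```

Passing the jar with curl's `-b` option would send the cookies by itself, but the `X-Splunk-Form-Key` header still has to be set explicitly from the CSRF cookie value.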
