Splunk Webtools Add-on - UI Syntax?

kfeagans_splunk · ‎05-15-2020

In looking at the app "Webtools Add-On" (https://splunkbase.splunk.com/app/4146/#/overview - @jkat54 ), I'm curious on syntax translation from CLI to the UI.

For example, I am prototyping an API call to my sprinkler system (IoT demonstration use case) made by Rachio. Rachio publishes their API curl commands here: https://rachio.readme.io/docs/getting-started. A typical curl command looks like this: curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 8e600a4c-0027-4a9a-9bda-abc8d5c90350d" https://api.rach.io/1/public/person/info

How would this translate to the inputs within the Webtools (Configuration) UI? I've tried a few different permutations and receive errors as outputs in search results (looks like the auth key isn't passed as expected by the endpoint). What would the UI look like in relation to the above CLI Curl command?

alt text

Thank you!

Kelly

jkat54 · ‎05-15-2020

If you can use the | curl search command instead you could do something like this..

| makeresults count=1
| eval header="\{\"Authorization\":\"Bearer .....\",\"Content-Type\":\"application\/json\"\}"
| curl url="yourAPI" headerfield=header
| collect index=test

kfeagans_splunk · ‎05-15-2020

Hi @jkat54 ... looks like progress, but is "headerfield" an optional sub-command? I'm receiving an error as : command="curl", syntax: | curl [ choice: uri=<uri> OR urifield=<urifield> ] [ optional: method=<get | head | post | delete> verifyssl=<true | false> datafield=<datafield> data=<data> user=<user> pass=<password> debug=<true | false> splunkauth=<true | false> splunkpasswdname=<username_in_passwordsconf> splunkpasswdcontext=<appcontext> timeout=<float> ]

alt text

Thank you for the assistance!! this is going to be great when this thing works!

kelly

jkat54 · ‎05-15-2020

Try removing your api key from your screenshot so no one else gets it

AND

Try escaping these {}. { } in your headerfield.

Looks like that may be the problem and not the "undocumented feature". Or maybe it's the forum removing the slashes

kfeagans_splunk · ‎05-15-2020

Thanks! I'll try a little later (I randomized the api key ;).

kf

jkat54 · ‎05-15-2020

Sweet I was hoping so, but we always confirm/check when we see it!

jkat54 · ‎05-15-2020

You might also try this example:

Setting a Custom Header & Test Data:
| makeresults count=1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"test data\":\"DATA\"}"
| curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

kfeagans_splunk · ‎05-18-2020

removing the slashes reveals the "correct" statement in the eval as here ... https://ibb.co/j6K5sd9

I get a "method not supported" on your code above with Splunk v.8 ... I played around with it some, but I'm more after "get" than post.

Splunk Webtools Add-on - UI Syntax?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

Splunk Webtools Add-on - UI Syntax?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...