Splunk Webtools Add-on - UI Syntax?

kfeagans_splunk · ‎05-15-2020

In looking at the app "Webtools Add-On" (https://splunkbase.splunk.com/app/4146/#/overview - @jkat54 ), I'm curious on syntax translation from CLI to the UI.

For example, I am prototyping an API call to my sprinkler system (IoT demonstration use case) made by Rachio. Rachio publishes their API curl commands here: https://rachio.readme.io/docs/getting-started. A typical curl command looks like this: curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 8e600a4c-0027-4a9a-9bda-abc8d5c90350d" https://api.rach.io/1/public/person/info

How would this translate to the inputs within the Webtools (Configuration) UI? I've tried a few different permutations and receive errors as outputs in search results (looks like the auth key isn't passed as expected by the endpoint). What would the UI look like in relation to the above CLI Curl command?

Thank you!

Kelly

jkat54 · ‎05-15-2020

If you can use the | curl search command instead you could do something like this..

| makeresults count=1
| eval header="\{\"Authorization\":\"Bearer .....\",\"Content-Type\":\"application\/json\"\}"
| curl url="yourAPI" headerfield=header
| collect index=test

kfeagans_splunk · ‎05-15-2020

Hi @jkat54 ... looks like progress, but is "headerfield" an optional sub-command? I'm receiving an error as : command="curl", syntax: | curl [ choice: uri=<uri> OR urifield=<urifield> ] [ optional: method=<get | head | post | delete> verifyssl=<true | false> datafield=<datafield> data=<data> user=<user> pass=<password> debug=<true | false> splunkauth=<true | false> splunkpasswdname=<username_in_passwordsconf> splunkpasswdcontext=<appcontext> timeout=<float> ]

Thank you for the assistance!! this is going to be great when this thing works!

kelly

jkat54 · ‎05-15-2020

Try removing your api key from your screenshot so no one else gets it

AND

Try escaping these {}. { } in your headerfield.

Looks like that may be the problem and not the "undocumented feature". Or maybe it's the forum removing the slashes

kfeagans_splunk · ‎05-15-2020

Thanks! I'll try a little later (I randomized the api key ;).

kf

jkat54 · ‎05-15-2020

Sweet I was hoping so, but we always confirm/check when we see it!

jkat54 · ‎05-15-2020

You might also try this example:

Setting a Custom Header & Test Data:
| makeresults count=1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"test data\":\"DATA\"}"
| curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

kfeagans_splunk · ‎05-18-2020

removing the slashes reveals the "correct" statement in the eval as here ... https://ibb.co/j6K5sd9

I get a "method not supported" on your code above with Splunk v.8 ... I played around with it some, but I'm more after "get" than post.

Splunk Webtools Add-on - UI Syntax?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation

Splunk Webtools Add-on - UI Syntax?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!