All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Webtools Add-on - UI Syntax?

kfeagans_splunk
Splunk Employee
Splunk Employee
‎05-15-2020 01:49 PM

In looking at the app "Webtools Add-On" (https://splunkbase.splunk.com/app/4146/#/overview - @jkat54 ), I'm curious on syntax translation from CLI to the UI.

For example, I am prototyping an API call to my sprinkler system (IoT demonstration use case) made by Rachio. Rachio publishes their API curl commands here: https://rachio.readme.io/docs/getting-started. A typical curl command looks like this: curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 8e600a4c-0027-4a9a-9bda-abc8d5c90350d" https://api.rach.io/1/public/person/info

How would this translate to the inputs within the Webtools (Configuration) UI? I've tried a few different permutations and receive errors as outputs in search results (looks like the auth key isn't passed as expected by the endpoint). What would the UI look like in relation to the above CLI Curl command?

alt text

Thank you!

Kelly

Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2020 02:05 PM

If you can use the | curl search command instead you could do something like this..

| makeresults count=1
| eval header="\{\"Authorization\":\"Bearer .....\",\"Content-Type\":\"application\/json\"\}"
| curl url="yourAPI" headerfield=header
| collect index=test
0 Karma
Reply

kfeagans_splunk
Splunk Employee
Splunk Employee
‎05-15-2020 02:48 PM

Hi @jkat54 ... looks like progress, but is "headerfield" an optional sub-command? I'm receiving an error as : command="curl", syntax: | curl [ choice: uri=<uri> OR urifield=<urifield> ] [ optional: method=<get | head | post | delete> verifyssl=<true | false> datafield=<datafield> data=<data> user=<user> pass=<password> debug=<true | false> splunkauth=<true | false> splunkpasswdname=<username_in_passwordsconf> splunkpasswdcontext=<appcontext> timeout=<float> ]

alt text

Thank you for the assistance!! this is going to be great when this thing works!

kelly

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2020 02:58 PM

Try removing your api key from your screenshot so no one else gets it

AND

Try escaping these {}. { } in your headerfield.

Looks like that may be the problem and not the "undocumented feature". Or maybe it's the forum removing the slashes

0 Karma
Reply

kfeagans_splunk
Splunk Employee
Splunk Employee
‎05-15-2020 04:05 PM

Thanks! I'll try a little later (I randomized the api key ;).

kf

Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2020 04:30 PM

Sweet I was hoping so, but we always confirm/check when we see it!

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-15-2020 03:00 PM

You might also try this example:

Setting a Custom Header & Test Data:
| makeresults count=1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"test data\":\"DATA\"}"
| curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data

0 Karma
Reply

kfeagans_splunk
Splunk Employee
Splunk Employee
‎05-18-2020 06:35 AM

removing the slashes reveals the "correct" statement in the eval as here ... https://ibb.co/j6K5sd9

I get a "method not supported" on your code above with Splunk v.8 ... I played around with it some, but I'm more after "get" than post.

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top