All Apps and Add-ons

TA-Webtools curl Authentication

ejread
Explorer

Using the Webtools app here - https://splunkbase.splunk.com/app/4146/#/details

I have a working curl command from the CLI but receiving a 400 response from the Splunk search command… Curious how it works and have a few questions -

  1. Is there a way to see the CURL command generated by Splunk when the search is executed? Is this logged anywhere?
  2. How do the “user=username” and “password=password” parameters from the search command compare to “curl -u" option with "user:password"?

For example, using curl directly (works) -

curl \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-u "user:password" \
-d '{"uuid":"xxxx","inputs":{"Area":"failure","AssignmentGroup":"monitoring platforms","Description0":"SPLUNK Test","Impact":"4","Subarea":"error message","Urgency":"3","AffectedCI":"Test","OriginalText":"SPLUNK Test","Application":"xxx","xx_Node":"xxxxxx","Category":"testing","SourceCI":"xxxx-001","doCreateAlert":"yourdoCreateAlertValue"}}' \
http://hostname:8080/url/path

Using the curl search command (not working) -

| makeresults 
| eval header="{\"Content-Type\":\"application/json\", \"Accept\":\"application/json\"}" 
| eval data="{\"uuid\":\"xxxx\",\"inputs\":{\"Area\":\"failure\",\"AssignmentGroup\":\"monitoring platforms\",\"Description0\":\"SPLUNK Test\",\"Impact\":\"4\",\"Subarea\":\"error message\",\"Urgency\":\"3\",\"AffectedCI\":\"Test\",\"OriginalText\":\"SPLUNK Test\",\"Application\":\"xxx\",\"xx_Node\":\"xxxxxx\",\"Category\":\"testing\",\"SourceCI\":\"xxxx-001\",\"doCreateAlert\":\"yourdoCreateAlertValue\"}}"
| curl method=post uri=http://hostname:8080/url/path user=user pass=password debug=true datafield=data headerfield=header

jkat54
SplunkTrust
SplunkTrust

Really looks like it should have worked.

What happens if you add count=1 to your makeresults?

0 Karma

ejread
Explorer

Unfortunately no difference when adding count=1.

Also noticed in the search results table, there is a slightly different formatting with a "u". I feel like some formatting in the data payload section may be the problem...

data field -

{"uuid":"xxxx","inputs":

curl_data_payload field -

{u'uuid': u'xxxx', u'inputs':
0 Karma

jkat54
SplunkTrust
SplunkTrust

That's what a json array looks like when printed to string. The "u" that is.

It should be fine like that. I think maybe the nested json is causing the issue. Maybe you need to put square brackets around the entire data object to show it's an array...

0 Karma

ejread
Explorer

I tried square brackets, no luck. Also tried with a non-nested JSON object, and it works through curl but not through the search command (returns a 400). Its seems like a formatting difference in the payload between what is sent with "curl -d" and "datafield=data". Any way to log what is sent in the POST so it can be compared to curl?

0 Karma

jkat54
SplunkTrust
SplunkTrust

On your search head, you can run tcpdump on whatever port your api is on and see the outbound queries.

debug=true is supposed to show whats being sent in curl_* fields.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Behind the scenes it's requests lib, a popular web requests library written in python. It's not actually a curl command.

User/pass gets base64 encoded and passed in the Authentication Header.

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...