All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TA-Webtools curl Authentication

ejread
Explorer
‎12-04-2019 12:51 PM

Using the Webtools app here - https://splunkbase.splunk.com/app/4146/#/details

I have a working curl command from the CLI but receiving a 400 response from the Splunk search command… Curious how it works and have a few questions -

  1. Is there a way to see the CURL command generated by Splunk when the search is executed? Is this logged anywhere?
  2. How do the “user=username” and “password=password” parameters from the search command compare to “curl -u" option with "user:password"?

For example, using curl directly (works) -

curl \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-u "user:password" \
-d '{"uuid":"xxxx","inputs":{"Area":"failure","AssignmentGroup":"monitoring platforms","Description0":"SPLUNK Test","Impact":"4","Subarea":"error message","Urgency":"3","AffectedCI":"Test","OriginalText":"SPLUNK Test","Application":"xxx","xx_Node":"xxxxxx","Category":"testing","SourceCI":"xxxx-001","doCreateAlert":"yourdoCreateAlertValue"}}' \
http://hostname:8080/url/path

Using the curl search command (not working) -

| makeresults 
| eval header="{\"Content-Type\":\"application/json\", \"Accept\":\"application/json\"}" 
| eval data="{\"uuid\":\"xxxx\",\"inputs\":{\"Area\":\"failure\",\"AssignmentGroup\":\"monitoring platforms\",\"Description0\":\"SPLUNK Test\",\"Impact\":\"4\",\"Subarea\":\"error message\",\"Urgency\":\"3\",\"AffectedCI\":\"Test\",\"OriginalText\":\"SPLUNK Test\",\"Application\":\"xxx\",\"xx_Node\":\"xxxxxx\",\"Category\":\"testing\",\"SourceCI\":\"xxxx-001\",\"doCreateAlert\":\"yourdoCreateAlertValue\"}}"
| curl method=post uri=http://hostname:8080/url/path user=user pass=password debug=true datafield=data headerfield=header
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-04-2019 03:48 PM

Really looks like it should have worked.

What happens if you add count=1 to your makeresults?

0 Karma
Reply

ejread
Explorer
‎12-05-2019 07:34 AM

Unfortunately no difference when adding count=1.

Also noticed in the search results table, there is a slightly different formatting with a "u". I feel like some formatting in the data payload section may be the problem...

data field -

{"uuid":"xxxx","inputs":

curl_data_payload field -

{u'uuid': u'xxxx', u'inputs':
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-05-2019 08:06 AM

That's what a json array looks like when printed to string. The "u" that is.

It should be fine like that. I think maybe the nested json is causing the issue. Maybe you need to put square brackets around the entire data object to show it's an array...

0 Karma
Reply

ejread
Explorer
‎12-06-2019 11:24 AM

I tried square brackets, no luck. Also tried with a non-nested JSON object, and it works through curl but not through the search command (returns a 400). Its seems like a formatting difference in the payload between what is sent with "curl -d" and "datafield=data". Any way to log what is sent in the POST so it can be compared to curl?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-06-2019 07:08 PM

On your search head, you can run tcpdump on whatever port your api is on and see the outbound queries.

debug=true is supposed to show whats being sent in curl_* fields.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-04-2019 03:53 PM

Behind the scenes it's requests lib, a popular web requests library written in python. It's not actually a curl command.

User/pass gets base64 encoded and passed in the Authentication Header.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...