All Apps and Add-ons

TA-Webtools curl Authentication

ejread
Explorer

Using the Webtools app here - https://splunkbase.splunk.com/app/4146/#/details

I have a working curl command from the CLI but receiving a 400 response from the Splunk search command… Curious how it works and have a few questions -

  1. Is there a way to see the CURL command generated by Splunk when the search is executed? Is this logged anywhere?
  2. How do the “user=username” and “password=password” parameters from the search command compare to “curl -u" option with "user:password"?

For example, using curl directly (works) -

curl \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-u "user:password" \
-d '{"uuid":"xxxx","inputs":{"Area":"failure","AssignmentGroup":"monitoring platforms","Description0":"SPLUNK Test","Impact":"4","Subarea":"error message","Urgency":"3","AffectedCI":"Test","OriginalText":"SPLUNK Test","Application":"xxx","xx_Node":"xxxxxx","Category":"testing","SourceCI":"xxxx-001","doCreateAlert":"yourdoCreateAlertValue"}}' \
http://hostname:8080/url/path

Using the curl search command (not working) -

| makeresults 
| eval header="{\"Content-Type\":\"application/json\", \"Accept\":\"application/json\"}" 
| eval data="{\"uuid\":\"xxxx\",\"inputs\":{\"Area\":\"failure\",\"AssignmentGroup\":\"monitoring platforms\",\"Description0\":\"SPLUNK Test\",\"Impact\":\"4\",\"Subarea\":\"error message\",\"Urgency\":\"3\",\"AffectedCI\":\"Test\",\"OriginalText\":\"SPLUNK Test\",\"Application\":\"xxx\",\"xx_Node\":\"xxxxxx\",\"Category\":\"testing\",\"SourceCI\":\"xxxx-001\",\"doCreateAlert\":\"yourdoCreateAlertValue\"}}"
| curl method=post uri=http://hostname:8080/url/path user=user pass=password debug=true datafield=data headerfield=header

jkat54
SplunkTrust
SplunkTrust

Really looks like it should have worked.

What happens if you add count=1 to your makeresults?

0 Karma

ejread
Explorer

Unfortunately no difference when adding count=1.

Also noticed in the search results table, there is a slightly different formatting with a "u". I feel like some formatting in the data payload section may be the problem...

data field -

{"uuid":"xxxx","inputs":

curl_data_payload field -

{u'uuid': u'xxxx', u'inputs':
0 Karma

jkat54
SplunkTrust
SplunkTrust

That's what a json array looks like when printed to string. The "u" that is.

It should be fine like that. I think maybe the nested json is causing the issue. Maybe you need to put square brackets around the entire data object to show it's an array...

0 Karma

ejread
Explorer

I tried square brackets, no luck. Also tried with a non-nested JSON object, and it works through curl but not through the search command (returns a 400). Its seems like a formatting difference in the payload between what is sent with "curl -d" and "datafield=data". Any way to log what is sent in the POST so it can be compared to curl?

0 Karma

jkat54
SplunkTrust
SplunkTrust

On your search head, you can run tcpdump on whatever port your api is on and see the outbound queries.

debug=true is supposed to show whats being sent in curl_* fields.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Behind the scenes it's requests lib, a popular web requests library written in python. It's not actually a curl command.

User/pass gets base64 encoded and passed in the Authentication Header.

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...