Using the Webtools app here - https://splunkbase.splunk.com/app/4146/#/details
I have a working curl command from the CLI but receiving a 400 response from the Splunk search command… Curious how it works and have a few questions -
- Is there a way to see the CURL command generated by Splunk when the search is executed? Is this logged anywhere?
- How do the “user=username” and “password=password” parameters from the search command compare to “curl -u" option with "user:password"?
For example, using curl directly (works) -
curl \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-u "user:password" \
-d '{"uuid":"xxxx","inputs":{"Area":"failure","AssignmentGroup":"monitoring platforms","Description0":"SPLUNK Test","Impact":"4","Subarea":"error message","Urgency":"3","AffectedCI":"Test","OriginalText":"SPLUNK Test","Application":"xxx","xx_Node":"xxxxxx","Category":"testing","SourceCI":"xxxx-001","doCreateAlert":"yourdoCreateAlertValue"}}' \
http://hostname:8080/url/path
Using the curl search command (not working) -
| makeresults
| eval header="{\"Content-Type\":\"application/json\", \"Accept\":\"application/json\"}"
| eval data="{\"uuid\":\"xxxx\",\"inputs\":{\"Area\":\"failure\",\"AssignmentGroup\":\"monitoring platforms\",\"Description0\":\"SPLUNK Test\",\"Impact\":\"4\",\"Subarea\":\"error message\",\"Urgency\":\"3\",\"AffectedCI\":\"Test\",\"OriginalText\":\"SPLUNK Test\",\"Application\":\"xxx\",\"xx_Node\":\"xxxxxx\",\"Category\":\"testing\",\"SourceCI\":\"xxxx-001\",\"doCreateAlert\":\"yourdoCreateAlertValue\"}}"
| curl method=post uri=http://hostname:8080/url/path user=user pass=password debug=true datafield=data headerfield=header
