Webtools Add-on curl error post after Splunk upgrade

vik
Explorer
Hi Guys... Post upgrade of Splunk to v9, we are noticing errors when invoking external endpoints using the curl command.
We are receiving a 400 response from the external endpoints. No changes have been made at either of the places and the only change is upgrading the Splunk version to v9.

We tried to re-create the issue on Postman and found that these errors occur when we do not pass either the Content-Length or host in the header. How do we check if these details are being passed by curl?

Anyone else faced similar issues? Any suggestion on how to work around it?

We are not seeing any SSL error. We are able to get a response from the endpoint if we are accessing services available using the GET method. We are having issues only when we use the POST method.

We are using Splunk v9, webtools 2.0.2.

Thanks
Vik
0 Karma

burwell
SplunkTrust

Hi, can you provide a curl example and an error example?

0 Karma

vik
Explorer

@burwell The Splunk query and the error are below.

Error:

{"error":"400 Bad Request: The browser (or proxy) sent a request that this server could not understand."}

Query:


| eval bodyfield="{\"group\":\"".group_name."\",\"caller_id\":\"".caller_id."\"}"
| eval uriPut="https://endpoint/service" 
| eval header="{\"Content-Type\":\"application/json\",\"token\":\"mytoken\"}" 
| curl method=post urifield=uriPut headerfield=header datafield=bodyfield

 

0 Karma

woodcock
Esteemed Legend

That is not a curl query.

0 Karma

isoutamo
SplunkTrust

Hi

You are probably using this SplunkBase app https://splunkbase.splunk.com/app/4172 ?

It seems not to be supported by the current Splunk version without modifications.

CURL command

Public App
Fail
Details: This app is not compatible with Python 3.
Version: 1.0.0
Application Path: /Applications/Splunk/etc/apps/curl_command
Required Action: Do one of the following:
  • Confirm on the app's Splunkbase listing if this alert should be dismissed for this app version.
  • Petition the developer to update the app.
  • Uninstall the app from the app listing page.
  • Take ownership of the app and override existing code (not recommended).
Issue: This app contains an outdated Python SDK. Update to the latest Python SDK.

Your options are listed above to get it working with Splunk 9.x.

r. Ismo
0 Karma

vik
Explorer

@isoutamo We are using the webtools app on our Splunk instance. Incompatibility with the Python version seems interesting. Could this app also have a similar issue?


https://splunkbase.splunk.com/app/4146

We are currently using v2.0.2 of webtools. 

0 Karma

isoutamo
SplunkTrust

Basically it is supported, even version 2.0.2. The Upgrade Readiness app said that it has an outdated SDK version. I propose that you update it to the latest version (check what it needs for updating). That version should work correctly with Splunk 9.x.x (checked in 9.0.4.1).

0 Karma

yuanliu
SplunkTrust

If by "Query" you mean the SPL query you send via curl, it has to cause an error because the last pipe begins with "curl", and "curl" is not a valid SPL command. (See Search Commands.) Not in 9.x. Not in any prior versions.

Forget about curl. If you enter the query into a search window, it will give an error. Are you sure there was any success with the same query before the upgrade?

0 Karma

vik
Explorer

@yuanliu 

We have installed webtools to our Splunk instance to use the "curl" command. It was working before the upgrade.

Below is the link to the app. 

https://splunkbase.splunk.com/app/4146

 

0 Karma
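
One way to answer the question in the first post (are Host and Content-Length actually being sent on the POST?) is to point the request at a listener you control and record what arrives. The following is an added example, not part of the thread and not webtools code. The names `check_request`, `CaptureHandler`, `start_listener` and port 8099 are hypothetical, and it assumes the search head is allowed to reach a plain-HTTP listener on 127.0.0.1.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

captured = []  # (method, headers, body, problems) for each request received


def check_request(method, headers, body):  # problems that commonly draw a 400
    names = {k.lower(): v for k, v in headers.items()}
    problems = []
    if "host" not in names:
        problems.append("missing Host header")
    if method == "POST":
        if "content-length" not in names:
            problems.append("missing Content-Length header")
        elif "json" in names.get("content-type", ""):
            try:
                json.loads(body)
            except ValueError:
                problems.append("body is not valid JSON")
    return problems


class CaptureHandler(BaseHTTPRequestHandler):
    def _capture(self):
        raw_len = self.headers.get("Content-Length", "")
        body = self.rfile.read(int(raw_len)) if raw_len.isdigit() else b""
        headers = dict(self.headers)
        problems = check_request(self.command, headers, body)
        captured.append((self.command, headers, body, problems))
        reply = json.dumps({"problems": problems}).encode()
        self.send_response(400 if problems else 200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    do_GET = do_POST = _capture


def start_listener(port=8099):  # constructed port; 0 picks a free one
    server = HTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    start_listener()
    input("listening on http://127.0.0.1:8099; press Enter to print captures\n")
    print(captured)
```

With the listener running, set `uriPut` in the search above to `http://127.0.0.1:8099/service` and compare the captured headers and body with what Postman sends for the same request.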