
401 Disables POST, goes with GET for POST /splunkd/__raw/services/jobs

rjollet
New Member

We are using Splunk 6.3.6.
I am trying to perform a POST through /splunkd/__raw/services/search/jobs:

curl -kvsL -X POST --cookie-jar curl_cookie.jar https://splunk_web_url/en-US/splunkd/__raw/services/search/jobs/export -d search="search index=_internal | stats avg(load_average)"

HTTP/1.1 401 Unauthorized
Date: Tue, 31 Oct 2017 08:39:44 GMT
Server: Splunkd
Strict-Transport-Security: max-age=15768000
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 12
X-Frame-Options: SAMEORIGIN
Connection: close

{"status":1}* Curl_http_done: called premature == 0

It works for GET queries such as:

curl -kvsL -X GET --cookie-jar curl_cookie.jar https://splunk_web_url.net/en-US/splunkd/__raw/services/search/jobs

In btool web list we can see that both GET and POST are allowed for this endpoint:

[expose:search_jobs]
methods = GET,POST
pattern = search/jobs

Details of the curl responses:

curl -kvsL -u USER:PASSWORD -X POST --cookie-jar curl_cookie.jar https://SPLUNKWEB/en-US/splunkd/__raw/services/search/jobs -d search="search index=_internal | stats avg(load_average)"
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to SPLUNKWEB (x.x.x.x) port 443 (#0)
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates. Also disables SNI.
* schannel: sending initial handshake data: sending 189 bytes...
* schannel: sent initial handshake data: sent 189 bytes
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4006
* schannel: encrypted data buffer: offset 4006 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 5030 length 5030
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 6054 length 6054
* schannel: encrypted data length: 136
* schannel: encrypted data buffer: offset 136 length 6054
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 1188 length 6054
* schannel: sending next handshake data: sending 2298 bytes...
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 51 length 6054
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 3/3)
* schannel: stored credential handle in session cache
* Server auth using Basic with user 'USER'
> POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1
> Host: SPLUNKWEB
> Authorization: Basic BASE64AUTH
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 55
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 55 out of 55 bytes
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 728
* schannel: encrypted data buffer: offset 728 length 17408
* schannel: decrypted data length: 512
* schannel: decrypted data added: 512
* schannel: decrypted data cached: offset 512 length 16384
* schannel: encrypted data length: 187
* schannel: encrypted data cached: offset 187 length 17408
* schannel: decrypted data length: 127
* schannel: decrypted data added: 127
* schannel: decrypted data cached: offset 639 length 16384
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 17408
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 639
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 303 See Other
< Date: Tue, 31 Oct 2017 13:05:15 GMT
< Server: Splunkd
< Strict-Transport-Security: max-age=15768000
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 127
< Location: https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjob...
< Vary: Cookie
< X-Frame-Options: SAMEORIGIN
< Connection: close
<
* Curl_http_done: called premature == 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with SPLUNKWEB port 443
* schannel: clear security context handle
* Issue another request to this URL: 'https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjobs'
* Disables POST, goes with GET
* Hostname SPLUNKWEB was found in DNS cache
*   Trying X.X.X.X...
* TCP_NODELAY set
* Connected to SPLUNKWEB (X.X.X.X) port 443 (#1)
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 1/3)
* schannel: re-using existing credential handle
* schannel: incremented credential handle refcount = 2
* schannel: sending initial handshake data: sending 221 bytes...
* schannel: sent initial handshake data: sent 221 bytes
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 137 length 4096
* schannel: sending next handshake data: sending 51 bytes...
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 3/3)
* Server auth using Basic with user 'USER'
> POST /en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjobs HTTP/1.1
> Host: SPLUNKWEB
> Authorization: Basic BASE64AUTH
> User-Agent: curl/7.52.1
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 480
* schannel: encrypted data buffer: offset 480 length 17408
* schannel: decrypted data length: 379
* schannel: decrypted data added: 379
* schannel: decrypted data cached: offset 379 length 16384
* schannel: encrypted data length: 72
* schannel: encrypted data cached: offset 72 length 17408
* schannel: decrypted data length: 12
* schannel: decrypted data added: 12
* schannel: decrypted data cached: offset 391 length 16384
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 17408
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 391
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 401 Unauthorized
< Date: Tue, 31 Oct 2017 13:05:16 GMT
< Server: Splunkd
< Strict-Transport-Security: max-age=15768000
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 12
< X-Frame-Options: SAMEORIGIN
< Connection: close
<
{"status":1}* Curl_http_done: called premature == 0
* Closing connection 1
* schannel: shutting down SSL/TLS connection with SPLUNKWEB port 443
* schannel: clear security context handle
0 Karma
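
A way to read the verbose trace in the question, as an added example that is not part of the original post or Splunk's own code: it pairs each request with its response and tags what changed across the redirect. The sample trace is constructed from the shape of the one above; the function names and finding tags are hypothetical.

```python
import re

# Constructed sample: request/response lines shaped like the `curl -v` trace in
# the post, TLS chatter removed; host and paths are placeholders.
SAMPLE_TRACE = """\
> POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1
> Content-Length: 55
>
< HTTP/1.1 303 See Other
< Location: https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd
* Disables POST, goes with GET
> POST /en-US/account/login?return_to=%2Fen-US%2Fsplunkd HTTP/1.1
>
< HTTP/1.1 401 Unauthorized
"""

def parse_hops(trace):
    """Return one dict per request/response pair in `curl -v` output."""
    hops, cur, to_get = [], None, False
    for line in trace.splitlines():
        if "Disables POST, goes with GET" in line:
            to_get = True          # curl decided to follow the redirect as GET
        elif m := re.match(r"> ([A-Z]+) (\S+) HTTP/", line):
            cur = {"method": m[1], "path": m[2], "body": 0, "status": None,
                   "location": "", "to_get": to_get}
            hops.append(cur)
            to_get = False
        elif cur and (m := re.match(r"> Content-Length: (\d+)", line)):
            cur["body"] = int(m[1])
        elif cur and (m := re.match(r"< HTTP/\S+ (\d{3})", line)):
            cur["status"] = int(m[1])
        elif cur and (m := re.match(r"< Location: (\S+)", line)):
            cur["location"] = m[1]
    return hops

def diagnose(hops):
    """Name what happened between hops; returns a list of finding tags."""
    found = []
    for prev, nxt in zip(hops, hops[1:]):
        if prev["status"] in (301, 302, 303) and "/account/login" in prev["location"]:
            found.append("redirected-to-login")
        if prev["body"] and not nxt["body"]:
            found.append("body-dropped")
        if nxt["to_get"] and nxt["method"] != "GET":
            found.append("method-forced-by-X")
    if hops and hops[-1]["status"] == 401 and "/account/login" in hops[-1]["path"]:
        found.append("401-from-login-page")
    return found
```

On the sample it reports that the 401 was returned for /account/login after a 303, that the 55-byte body was not resent, and that the request line stayed POST although curl had switched to GET, which is what -X POST combined with -L does.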

jkat54
SplunkTrust

Have you tried adding auth to your post? In the form of an authorization header or user/pass on the curl command?

0 Karma

rjollet
New Member

Yes, but it does not change the results.

0 Karma

rjollet
New Member

I have tried with both sessionKey auth and basic auth; neither of them helps. Actually, it uses Single Sign-On to log in to Splunk Web, then it says that it disables POST and goes with GET.

0 Karma

jkat54
SplunkTrust

It looks like you’re posting to the web port. Have you tried using the mgmt port and rest api instead?

0 Karma

rjollet
New Member

Yes, POST requests are working on the management port, but I would like to use the web port using /splunkd/__raw/... in order to take advantage of the SSO scripted auth. In web.conf this endpoint authorizes the GET and POST methods.

0 Karma