Getting Data In

401 Disables POST, goes with GET for POST /splunkd/__raw/services/jobs

New Member

We are using splunk 6.3.6
I try to perform POST through /splunkd/__raw/services/search/jobs

curl -kvsL -X POST --cookie-jar curl_cookie.jar https://splunk_web_url/en-US/splunkd/__raw/services/search/jobs/export -d search="search index=_internal | stats avg(load_average)"

HTTP/1.1 401 Unauthorized
Date: Tue, 31 Oct 2017 08:39:44 GMT
Server: Splunkd
Strict-Transport-Security: max-age=15768000
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 12
X-Frame-Options: SAMEORIGIN
Connection: close

{"status":1}* Curl_http_done: called premature == 0

It works for GET queries as:

curl -kvsL -X GET --cookie-jar curl_cookie.jar https://splunk_web_url.net/en-US/splunkd/__raw/services/search/jobs

in btool web list we can see that both GET and POST are allowed for this endpoint:

[expose:search_jobs]
methods = GET,POST
pattern = search/jobs

detailed about curl responses:

curl -kvsL -u USER:PASSWORD -X POST --cookie-jar curl_cookie.jar https://SPLUNKWEB/en-US/splunkd/__raw/service
s/search/jobs -d search="search index=_internal | stats avg(load_average)"
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to SPLUNKWEB (x.x.x.x) port 443 (#0)
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates. Also disables SNI
.
* schannel: sending initial handshake data: sending 189 bytes...
* schannel: sent initial handshake data: sent 189 bytes
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4006
* schannel: encrypted data buffer: offset 4006 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 5030 length 5030
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 6054 length 6054
* schannel: encrypted data length: 136
* schannel: encrypted data buffer: offset 136 length 6054
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 1188 length 6054
* schannel: sending next handshake data: sending 2298 bytes...
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 51 length 6054
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 3/3)
* schannel: stored credential handle in session cache
* Server auth using Basic with user 'USER'
> POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1
> Host: SPLUNKWEB
> Authorization: Basic BASE64AUTH
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 55
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 55 out of 55 bytes
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 728
* schannel: encrypted data buffer: offset 728 length 17408
* schannel: decrypted data length: 512
* schannel: decrypted data added: 512
* schannel: decrypted data cached: offset 512 length 16384
* schannel: encrypted data length: 187
* schannel: encrypted data cached: offset 187 length 17408
* schannel: decrypted data length: 127
* schannel: decrypted data added: 127
* schannel: decrypted data cached: offset 639 length 16384
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 17408
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 639
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 303 See Other
< Date: Tue, 31 Oct 2017 13:05:15 GMT
< Server: Splunkd
< Strict-Transport-Security: max-age=15768000
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 127
< Location: https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjob...
< Vary: Cookie
< X-Frame-Options: SAMEORIGIN
< Connection: close
<
* Curl_http_done: called premature == 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with SPLUNKWEB port 443
* schannel: clear security context handle
* Issue another request to this URL: 'https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjo
bs'
* Disables POST, goes with GET
* Hostname SPLUNKWEB was found in DNS cache
*   Trying X.X.X.X...
* TCP_NODELAY set
* Connected to SPLUNKWEB (X.X.X.X) port 443 (#1)
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 1/3)
* schannel: re-using existing credential handle
* schannel: incremented credential handle refcount = 2
* schannel: sending initial handshake data: sending 221 bytes...
* schannel: sent initial handshake data: sent 221 bytes
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 137 length 4096
* schannel: sending next handshake data: sending 51 bytes...
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 3/3)
* Server auth using Basic with user 'USER'
> POST /en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjobs HTTP/1.1
> Host: SPLUNKWEB
> Authorization: Basic BASE64AUTH
> User-Agent: curl/7.52.1
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 480
* schannel: encrypted data buffer: offset 480 length 17408
* schannel: decrypted data length: 379
* schannel: decrypted data added: 379
* schannel: decrypted data cached: offset 379 length 16384
* schannel: encrypted data length: 72
* schannel: encrypted data cached: offset 72 length 17408
* schannel: decrypted data length: 12
* schannel: decrypted data added: 12
* schannel: decrypted data cached: offset 391 length 16384
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 17408
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 391
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 401 Unauthorized
< Date: Tue, 31 Oct 2017 13:05:16 GMT
< Server: Splunkd
< Strict-Transport-Security: max-age=15768000
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 12
< X-Frame-Options: SAMEORIGIN
< Connection: close
<
{"status":1}* Curl_http_done: called premature == 0
* Closing connection 1
* schannel: shutting down SSL/TLS connection with SPLUNKWEB port 443
* schannel: clear security context handle
0 Karma

SplunkTrust
SplunkTrust

Have you tried adding auth to your post? In the form of an authorization header or user/pass on the curl command?

0 Karma

New Member

Yes but it does not change the results

0 Karma

New Member

I have tried with both sessionKey auth and basic auth none of them helps. Actuallys it use the Single Sign On to login the splunk web then it say that it disable POST but goes at GET

0 Karma

SplunkTrust
SplunkTrust

It looks like you’re posting to the web port. Have you tried using the mgmt port and rest api instead?

0 Karma

New Member

Yes POST request are working on the management port but I would like to use the web port using /splunkd/__raw/... in order to take advantage of the SSO scripted auth. In the web .conf this endpoint authorize GET and POST methods.

0 Karma