Getting Data In
Highlighted

Not able to authenticate Splunk REST API with Postman

Communicator

I'm able to confirm this works for me curl command is working for me. It returns a session ID.
curl -k https://splunkdomain.local:8089/services/auth/login --data-urlencode username={username} --data-urlencode password={password}

Using the same end point in Postman, it complains "Login failed". Can someone please assist? alt text

Highlighted

Re: Not able to authenticate Splunk REST API with Postman

Legend

@spammenot66, following is what I had tried for HEC using JSON Data packet. I had to use http on my local, however, https should work if cURL worked fine for you.

https://wiki.splunk.com/User_talk:Niketnilay#Topic_5:_HTTP_Event_Collector_.28HEC.29_in_Windows_usin...

0 Karma
Highlighted

Re: Not able to authenticate Splunk REST API with Postman

Engager

Im stuck on the same issue, but if you look closely its not an AUTH falied, it is really a 400 Bad Request error, I'v been trying different ways to call the API on Postman but so far I haven't been able to get it working, but it works on cURL and using Requests on Python, so its definitively something related to the message formatting that is causing this.

0 Karma
Highlighted

Re: Not able to authenticate Splunk REST API with Postman

Engager

So this is what I did to solve it... I noticed that the cURL generated by postman was not working and getting the exact same error you are seeing on the UI, this cURL command looks something like:

Spoiler
curl --location --request POST -k 'https://{{host}}:8089/services/auth/login' \
--data-urlencode 'username={{user}}' \
--data-urlencode 'password={{password}}'

So What I did was:

  • Go into Postman and click IMPORT
  • On the import Dialog go to the RAW Text tab and paste this:
    • Spoiler
      curl -k https://{{host}}:8089/services/auth/login --data-urlencode username={{user}} --data-urlencode password={{pass}}

And hit IMPORT, this will generate a working request. If you look at the cURL generated by it the only difference is that it actually sets the Content-Type header which seems to so the trick. It now looks something like this:

 

Spoiler
curl --location --request POST -k 'https://{{host}}:8089/services/auth/login' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username={{user}}' \
--data-urlencode 'password={{pass}}'

Trying this curl command on the terminal will also work.

 

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.