Knowledge Management

Splunk 6 Workflow Actions using HTTP POST not sending arguments

dolohov
Explorer

I have a simple workflow action using HTTP POST that used to work under Splunk 5, and now does not. This appears to be true of all workflow actions using HTTP POST. To reduce the possibility that I typoed or otherwise mixed something up, I created a new workflow action following the directions in the Splunk 6 documentation, reproduced their example configuration exactly (except with a local URL that I could safely POST to without interfering with anyone), made sure that the $variables$ had values, and saved it.

I'm building this in the Fields>>Workflow Actions page within Splunk. Here's the output in workflow_actions.conf (with extra spaces added because otherwise the lines run together here).

[HostTraffic]

display_location = both

fields = host

label = Traffic to $host$

link.method = post

link.postargs.1.key = clientip

link.postargs.1.value = 192.168.1.1

link.postargs.2.key = serverip

link.postargs.2.value = 192.168.1.2

link.target = blank

link.uri = http://192.168.100.1/test.php

type = link

(This is a simplified version of my original workflow action, which used $host$ as the values instead of constant strings.)

The workflow action appears, and opens the specified page when I click it, but all the POST arguments are omitted. I inspected the actual POST requests in Wireshark: the arguments are not there at all. This is true even when the arguments are constants rather than $variables$. I have restarted Splunk after adding the workflow actions, to no avail, and I'm not seeing anything relevant in the documentation.

From where I sit, this looks like a bug, but it's possible I'm doing something wrong here. Any suggestions would be welcome.

mzax
Splunk Employee
Splunk Employee

Bug. SPL-81428 assigned.

Sqig
Path Finder

I see this was added as a bug in March of '14. With 6.2 out now, I still see this behavior. Has this not been addressed yet?

0 Karma

dolohov
Explorer

Posted as an edit to the original post. I've tried several variants of this, and in all cases the link opens but the POST arguments are missing. Thanks!

0 Karma

araitz
Splunk Employee
Splunk Employee

I paged old man docyes for you. He asked if you could post your config for the workflow action so we could try to reproduce this issue.

0 Karma

dolohov
Explorer

To expand on the previous comment: I see lots of references to loading internal Splunk pages, and those internal URLs all have "CSRF" embedded in them. I don't see any other messages regarding CSRF.

0 Karma

dolohov
Explorer

Quite a few of them, but I'm not sure what I'm looking for in them. None of them seem to refer to the external URL being called.

0 Karma

araitz
Splunk Employee
Splunk Employee

Do you see any messages in index=_internal regarding CSRF?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...