Splunk 6 Workflow Actions using HTTP POST not sending arguments
I have a simple workflow action using HTTP POST that used to work under Splunk 5, and now does not. This appears to be true of all workflow actions using HTTP POST. To reduce the possibility that I typoed or otherwise mixed something up, I created a new workflow action following the directions in the Splunk 6 documentation, reproduced their example configuration exactly (except with a local URL that I could safely POST to without interfering with anyone), made sure that the $variables$ had values, and saved it.
I'm building this in the Fields>>Workflow Actions page within Splunk. Here's the output in workflow_actions.conf (with extra spaces added because otherwise the lines run together here).
[HostTraffic]
display_location = both
fields = host
label = Traffic to $host$
link.method = post
link.postargs.1.key = clientip
link.postargs.1.value = 192.168.1.1
link.postargs.2.key = serverip
link.postargs.2.value = 192.168.1.2
link.target = blank
link.uri = http://192.168.100.1/test.php
type = link
(This is a simplified version of my original workflow action, which used $host$ as the values instead of constant strings.)
The workflow action appears, and opens the specified page when I click it, but all the POST arguments are omitted. I inspected the actual POST requests in Wireshark: the arguments are not there at all. This is true even when the arguments are constants rather than $variables$. I have restarted Splunk after adding the workflow actions, to no avail, and I'm not seeing anything relevant in the documentation.
From where I sit, this looks like a bug, but it's possible I'm doing something wrong here. Any suggestions would be welcome.
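A check for the symptom described in the question, as an added example that is not part of the original post or Splunk's own code: it reads the stanza's `link.postargs.N` pairs, substitutes `$field$` tokens from a sample event, and reports which pairs are absent from a captured request body. It assumes the request body is form-encoded (`application/x-www-form-urlencoded`) and that an unknown token expands to an empty string; the function names and the sample event are hypothetical.

```python
import configparser
import re
from urllib.parse import parse_qsl

# Constructed sample: the stanza from the post, with one value switched back to $host$.
SAMPLE_CONF = """
[HostTraffic]
display_location = both
fields = host
label = Traffic to $host$
link.method = post
link.postargs.1.key = clientip
link.postargs.1.value = $host$
link.postargs.2.key = serverip
link.postargs.2.value = 192.168.1.2
link.target = blank
link.uri = http://192.168.100.1/test.php
type = link
"""


def expected_postargs(conf_text, stanza, event):
    """Return the (key, value) pairs the stanza says should be POSTed, in index order."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $tokens$ and % literal
    cp.read_string(conf_text)
    sec = cp[stanza]
    # Treated as GET when link.method is absent, so no POST arguments are expected.
    if sec.get("link.method", "get").lower() != "post":
        return []
    args = {}
    for name, val in sec.items():
        m = re.fullmatch(r"link\.postargs\.(\d+)\.(key|value)", name)
        if m:
            args.setdefault(int(m.group(1)), {})[m.group(2)] = val

    def sub(text):
        # Assumption: a token with no matching event field becomes an empty string.
        return re.sub(r"\$(\w+)\$", lambda t: event.get(t.group(1), ""), text)

    return [(sub(a["key"]), sub(a.get("value", "")))
            for _, a in sorted(args.items()) if "key" in a]


def missing_args(conf_text, stanza, event, captured_body):
    """Return the expected pairs that are not present in a captured form-encoded body."""
    sent = parse_qsl(captured_body, keep_blank_values=True)
    return [p for p in expected_postargs(conf_text, stanza, event) if p not in sent]
```

Paste the body of the request seen in the packet capture as `captured_body`; an empty body, as described in the question, returns every configured pair as missing.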

Bug. SPL-81428 assigned.
I see this was added as a bug in March of '14. With 6.2 out now, I still see this behavior. Has this not been addressed yet?
Posted as an edit to the original post. I've tried several variants of this, and in all cases the link opens but the POST arguments are missing. Thanks!

I paged old man docyes for you. He asked if you could post your config for the workflow action so we could try to reproduce this issue.
To expand on the previous comment: I see lots of references to loading internal Splunk pages, and those internal URLs all have "CSRF" embedded in them. I don't see any other messages regarding CSRF.
Quite a few of them, but I'm not sure what I'm looking for in them. None of them seem to refer to the external URL being called.

Do you see any messages in index=_internal regarding CSRF?
