Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk 6 Workflow Actions using HTTP POST not sending arguments

dolohov
Explorer
‎11-05-2013 10:10 AM

I have a simple workflow action using HTTP POST that used to work under Splunk 5, and now does not. This appears to be true of all workflow actions using HTTP POST. To reduce the possibility that I typoed or otherwise mixed something up, I created a new workflow action following the directions in the Splunk 6 documentation, reproduced their example configuration exactly (except with a local URL that I could safely POST to without interfering with anyone), made sure that the $variables$ had values, and saved it.

I'm building this in the Fields>>Workflow Actions page within Splunk. Here's the output in workflow_actions.conf (with extra spaces added because otherwise the lines run together here).

[HostTraffic]

display_location = both

fields = host

label = Traffic to $host$

link.method = post

link.postargs.1.key = clientip

link.postargs.1.value = 192.168.1.1

link.postargs.2.key = serverip

link.postargs.2.value = 192.168.1.2

link.target = blank

link.uri = http://192.168.100.1/test.php

type = link

(This is a simplified version of my original workflow action, which used $host$ as the values instead of constant strings.)

The workflow action appears, and opens the specified page when I click it, but all the POST arguments are omitted. I inspected the actual POST requests in Wireshark: the arguments are not there at all. This is true even when the arguments are constants rather than $variables$. I have restarted Splunk after adding the workflow actions, to no avail, and I'm not seeing anything relevant in the documentation.

From where I sit, this looks like a bug, but it's possible I'm doing something wrong here. Any suggestions would be welcome.

Reply

mzax
Splunk Employee
Splunk Employee
‎03-06-2014 03:10 PM

Bug. SPL-81428 assigned.

Reply

Sqig
Path Finder
‎11-03-2014 12:25 PM

I see this was added as a bug in March of '14. With 6.2 out now, I still see this behavior. Has this not been addressed yet?

0 Karma
Reply

dolohov
Explorer
‎11-07-2013 09:49 AM

Posted as an edit to the original post. I've tried several variants of this, and in all cases the link opens but the POST arguments are missing. Thanks!

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎11-07-2013 09:19 AM

I paged old man docyes for you. He asked if you could post your config for the workflow action so we could try to reproduce this issue.

0 Karma
Reply

dolohov
Explorer
‎11-07-2013 06:55 AM

To expand on the previous comment: I see lots of references to loading internal Splunk pages, and those internal URLs all have "CSRF" embedded in them. I don't see any other messages regarding CSRF.

0 Karma
Reply

dolohov
Explorer
‎11-06-2013 08:17 AM

Quite a few of them, but I'm not sure what I'm looking for in them. None of them seem to refer to the external URL being called.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎11-06-2013 08:10 AM

Do you see any messages in index=_internal regarding CSRF?

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...