Splunk 6 Workflow Actions using HTTP POST not sending arguments

dolohov
Explorer

I have a simple workflow action using HTTP POST that used to work under Splunk 5, and now does not. This appears to be true of all workflow actions using HTTP POST. To reduce the possibility that I typoed or otherwise mixed something up, I created a new workflow action following the directions in the Splunk 6 documentation, reproduced their example configuration exactly (except with a local URL that I could safely POST to without interfering with anyone), made sure that the $variables$ had values, and saved it.

I'm building this in the Fields>>Workflow Actions page within Splunk. Here's the output in workflow_actions.conf (with extra spaces added because otherwise the lines run together here).

[HostTraffic]

display_location = both

fields = host

label = Traffic to $host$

link.method = post

link.postargs.1.key = clientip

link.postargs.1.value = 192.168.1.1

link.postargs.2.key = serverip

link.postargs.2.value = 192.168.1.2

link.target = blank

link.uri = http://192.168.100.1/test.php

type = link

(This is a simplified version of my original workflow action, which used $host$ as the values instead of constant strings.)

The workflow action appears, and opens the specified page when I click it, but all the POST arguments are omitted. I inspected the actual POST requests in Wireshark: the arguments are not there at all. This is true even when the arguments are constants rather than $variables$. I have restarted Splunk after adding the workflow actions, to no avail, and I'm not seeing anything relevant in the documentation.

From where I sit, this looks like a bug, but it's possible I'm doing something wrong here. Any suggestions would be welcome.
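An added example, not part of the original post and not Splunk's own code: one way to compute the request body that a POST workflow action stanza should produce, for comparison with what a packet capture shows. It assumes the browser submits the postargs as an application/x-www-form-urlencoded form; `expected_post_body`, the sample event and the `$host$` value in the second argument are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlencode

# Constructed sample: the stanza from the post, with $host$ used as one value
SAMPLE_CONF = """\
[HostTraffic]
display_location = both
fields = host
label = Traffic to $host$
link.method = post
link.postargs.1.key = clientip
link.postargs.1.value = 192.168.1.1
link.postargs.2.key = serverip
link.postargs.2.value = $host$
link.target = blank
link.uri = http://192.168.100.1/test.php
type = link
"""

TOKEN = re.compile(r"\$([A-Za-z_][\w.]*)\$")
POSTARG = re.compile(r"^link\.postargs\.(\d+)\.(key|value)$")

def expected_post_body(conf_text, stanza, event):
    """Return the form-encoded body the stanza's postargs should produce."""
    parser = configparser.RawConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)
    section = parser[stanza]
    if section.get("link.method", "get").lower() != "post":
        raise ValueError(f"[{stanza}] is not a POST workflow action")
    args = {}  # index -> {"key": ..., "value": ...}
    for name, raw in section.items():
        m = POSTARG.match(name)
        if m:
            # Fill $field$ tokens from the event; in this sketch a missing
            # field becomes an empty string (an assumption, not Splunk's rule)
            filled = TOKEN.sub(lambda t: str(event.get(t.group(1), "")), raw)
            args.setdefault(int(m.group(1)), {})[m.group(2)] = filled
    # Emit pairs in numeric postargs order, skipping entries without a key
    pairs = [(a["key"], a.get("value", ""))
             for _, a in sorted(args.items()) if "key" in a]
    return urlencode(pairs)
```

If the captured request to `link.uri` has an empty body while this function returns a non-empty string for the same stanza, the arguments were dropped before the request was sent rather than by the receiving page.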

mzax
Splunk Employee

Bug. SPL-81428 assigned.

Sqig
Path Finder

I see this was added as a bug in March of '14. With 6.2 out now, I still see this behavior. Has this not been addressed yet?

0 Karma

dolohov
Explorer

Posted as an edit to the original post. I've tried several variants of this, and in all cases the link opens but the POST arguments are missing. Thanks!

0 Karma

araitz
Splunk Employee

I paged old man docyes for you. He asked if you could post your config for the workflow action so we could try to reproduce this issue.

0 Karma

dolohov
Explorer

To expand on the previous comment: I see lots of references to loading internal Splunk pages, and those internal URLs all have "CSRF" embedded in them. I don't see any other messages regarding CSRF.

0 Karma

dolohov
Explorer

Quite a few of them, but I'm not sure what I'm looking for in them. None of them seem to refer to the external URL being called.

0 Karma

araitz
Splunk Employee

Do you see any messages in index=_internal regarding CSRF?

0 Karma