Monitoring Splunk

POST to /splunkd/__raw endpoint returns CSRF validation failed



I have a confusing issue with the Splunk endpoint POST method execution. Every time I'm trying to send a GET request to my custom endpoint, everything works as expected. But when I am sending a POST request with the identical parameters and Cookies, the API returns a 401 status code and says: "Splunk cannot authenticate the request. CSRF validation failed.". I have no clue why this happens because the CSRF Token in the request is still the same token as the token in the GET request. Moreover the response of the GET request returns the identical CSRF cookie which is afterwards used again by the POST method.

Using the API over the management port on 8089 works perfectly fine with GET and POST requests. This happens just with the /splunkd/__raw webservice endpoint.

Does anyone have an idea about what is causing this error?
Thanks in advance!


POST /en-GB/splunkd/__raw/services/test_endpoint HTTP/1.1
Host: localhost:8000
Content-Length: 10
Origin: http://localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://localhost:8000/en-GB/splunkd/__raw/services/test_endpoint?payload=Hello
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: splunkweb_csrf_token_8000=XXX; session_id_8000=XXX; token_key=XXX; experience_id=XXX; splunkd_8000=XXX
Connection: close

Hello POST


HTTP/1.1 401 Splunk cannot authenticate the request. CSRF validation failed.
Date: Fri, 25 May 2018 07:02:13 GMT
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 181
Vary: Cookie
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd

<?xml version="1.0" encoding="UTF-8"?>
    <msg type="ERROR">Splunk cannot authenticate the request. CSRF validation failed.</msg>

Path Finder

When logged into the Splunk Web GUI, Splunk sets a cookie called token_key.

When POSTing, PATCHing, DELETEing, etc. to a custom endpoint, you need to pass this token back by including the following headers in your request:

X-Requested-With = XMLHttpRequest
X-Splunk-Form-Key = <the value of the token_key cookie>

This isn't documented anywhere, as far as I could tell.


Thank you so much this was driving me crazy!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!