Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SCOM - Web App Availability Monitor - Returning 406 Not Acceptable

slierninja
Communicator
‎11-26-2013 02:19 PM

Trying to setup Web App monitor in SCOM 2012 to let us know when splunk is unavailable - however splunk web is returning HTTP 406. Why doesn't it return a HTTP 200?

HTTP Request

GET /en-US/account/login HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: GZIP
User-Agent: System Center 2012 - Operations Manager 7.0.9538.0
Connection: Keep-Alive

HTTP Response

HTTP/1.1 406 Not Acceptable
Cache-Control: no-store, max-age=0, no-cache, must-revalidate
Date: Tue, 26 Nov 2013 22:11:11 GMT
Content-Length: 2613
Content-Type: text/html
Server: CherryPy/3.1.2
Set-Cookie: cval=885818388
Set-Cookie: session_id_8000=63b46afefe78777f9e574f080f797ecd8039f922; expires=Wed, 27 Nov 2013 22:11:11 GMT; httponly; Path=/
Set-Cookie: uid=8478E32F-AE41-400A-8A9E-F81D664645EC; expires=Sun, 25 Nov 2018 22:11:11 GMT
X-Frame-Options: SAMEORIGIN

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- 
    This is a static HTML string template to render errors.  To edit this
    template, see appserver/mrsparkle/lib/error.py. 
-->

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:splunk="http://www.splunk.com/xhtml-extensions/1.0" xml:lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/en-US/static/@182037.40/img/favicon.ico" />
    <title>identity, gzip - Splunk</title>
    <style>

        *       { margin: 0; padding: 0; }
        body    { font-family: helvetica, arial, sans-serif; color: #333; padding: 20px; }
        p,pre   { margin-bottom: 1em; font-size: .8em; }
        .status { font-size: .7em; color: #999; margin-bottom: 1em; }
        .msg    { margin-bottom: 1em; font-size: 1.4em;}
        pre     { font-family: Monaco,Courier Bold,Courier New,monospace; font-size: .7em;background-color: #eee;  padding: 5px;}
        #toggle { font-size: .8em; margin-bottom: 1em; }
        .byline { color: #555; }
        .byline span { font-weight: bold; line-height: 1.4em; }
        hr      { height: 1px; background-color: #ccc; border: 0; margin: 20px 0 10px; }
        h2      { font-size: 1em; margin-bottom: 1em; }
        table   { border-collapse: collapse; }
        td      { padding: 2px; }
        td.k    { font-family: helvetica, arial, sans-serif; font-weight: bold; }
        #debug  { display: none; }

        #crashes { margin: 20px 0; padding: 10px; border: 1px solid #800; }
        #crashes dt { font-size: 12px; margin-bottom: 5px; }
        #crashes dd { white-space: pre; background: #f2f2f2; padding: 10px; margin-left: 20px; display: none; font: 10px Monaco,Courier Bold,Courier New,monospace; }

    </style>
    <script>
        function toggle(what) {
            what = document.getElementById(what);
            if (what.style.display == 'block') {
                what.style.display = 'none';
            } else {
                what.style.display = 'block';
            }
        }
    </script>
</head>
<body>
    <p class="status">406 Not Acceptable</p>
    <p class="homelink"><a href="/">Return to Splunk home page</a></p>
    <h1 class="msg">identity, gzip</h1>


    <br />
    <br />

    <hr />
    <p class="byline">You are using <span>localhost:8000</span>, which is connected to splunkd <span>@182037</span> at <span>https://127.0.0.1:8089</span> on <span>Tue Nov 26 16:11:11 2013</span>.</p>

</body>
</html>
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

slierninja
Communicator
‎11-27-2013 09:51 AM

I fixed this issue by changing the HTTP Header value that SCOM sends for Accept-Encoding from GZIP to gzip. I guess Splunk chooses not to allow GZIP in CAPS. Splunk Web does respond with gzip content when using lowercase Accept-Encoding.

From W3C..."If an Accept-Encoding field is present in a request, and if the server cannot send a response which is acceptable according to the Accept-Encoding header, then the server SHOULD send an error response with the 406 (Not Acceptable) status code."

Splunk should handle GZIP just like IIS does, but I guess this is a change request.

HTTP Header Value (Accept-Encoding: gzip)

alt text

View solution in original post

Reply
Solved! Jump to solution

delink
Communicator
‎11-27-2013 11:54 AM

According to RFC 2616, Section 3.5, content coding values should be treated as case-insensitive, so this is definitely a bug in splunkweb.

Reply
Solved! Jump to solution
Solution

slierninja
Communicator
‎11-27-2013 09:51 AM

I fixed this issue by changing the HTTP Header value that SCOM sends for Accept-Encoding from GZIP to gzip. I guess Splunk chooses not to allow GZIP in CAPS. Splunk Web does respond with gzip content when using lowercase Accept-Encoding.

From W3C..."If an Accept-Encoding field is present in a request, and if the server cannot send a response which is acceptable according to the Accept-Encoding header, then the server SHOULD send an error response with the 406 (Not Acceptable) status code."

Splunk should handle GZIP just like IIS does, but I guess this is a change request.

HTTP Header Value (Accept-Encoding: gzip)

alt text

Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...