Why is curl search giving an error after upgrading Splunk to 7.2.4?

jmallorquin
Builder

Hi,
After upgrading Splunk to 7.2.4, one curl search that was working perfectly in version 6.5.3 doesn't work anymore.
The result is
curl: (35) TCP connection reset by peer

I have tried using -k in the call, also specifying the SSL version with --tlsv1.2, and also updating openssl, but none of them has solved the problem.

Any idea how to solve this problem? The thing is that even a simple query returns the same message.

Thanks in advance

0 Karma
1 Solution

nickhills
Ultra Champion

Right!!!!

What is happening is your curl request is being proxied to your proxy server.
When the proxy tries to resolve the connection to localhost, it tries to connect to 8089 on itself - clearly this will not work, so the connection is dropped.

Try:
curl --noproxy "*" -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export

If my comment helps, please give it a thumbs up!
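
To show why the request in this thread was sent to the proxy, and what a narrower exemption than `--noproxy "*"` does, the following added example (not code from the thread or from curl itself) approximates how curl picks a proxy from `https_proxy` and `no_proxy`. The function names and the `proxy.example` address are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: approximates curl's proxy selection from the environment.
# Simplified: no IPv6 literals, no CIDR or port matching in no_proxy.

# Host part of scheme://[user[:pass]@]host[:port]/path
url_host() {
  local rest="${1#*://}"
  rest="${rest%%/*}"; rest="${rest##*@}"
  printf '%s\n' "${rest%%:*}"
}

# Succeeds if host $1 is exempted by no_proxy / NO_PROXY.
# Runs in a subshell so 'set -f' and the IFS change do not leak out.
is_exempt() (
  set -f                                  # keep a literal "*" from globbing
  IFS=,
  for entry in ${no_proxy:-${NO_PROXY:-}}; do
    entry="${entry# }"; entry="${entry#.}"
    [ -z "$entry" ] && continue
    [ "$entry" = "*" ] && exit 0          # wildcard: bypass proxy for all hosts
    [ "$1" = "$entry" ] && exit 0         # exact host match
    case "$1" in *".$entry") exit 0 ;; esac   # domain suffix match
  done
  exit 1
)

# Print the proxy that would be used for URL $1, or DIRECT.
proxy_for() {
  local url="$1" scheme host proxy=""
  scheme="${url%%://*}"
  host="$(url_host "$url")"
  if is_exempt "$host"; then echo DIRECT; return 0; fi
  case "$scheme" in
    https) proxy="${https_proxy:-${HTTPS_PROXY:-}}" ;;
    http)  proxy="${http_proxy:-}" ;;     # curl ignores uppercase HTTP_PROXY
  esac
  proxy="${proxy:-${all_proxy:-${ALL_PROXY:-}}}"
  echo "${proxy:-DIRECT}"
}

# Constructed values mirroring the thread; the proxy address is a placeholder.
(
  unset no_proxy NO_PROXY
  https_proxy=http://proxy.example:8080/
  url=https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export
  proxy_for "$url"                        # http://proxy.example:8080/
  no_proxy=localhost,127.0.0.1
  proxy_for "$url"                        # DIRECT
)
```

An exemption limited to the local host, such as `--noproxy localhost` on the command line or `no_proxy=localhost,127.0.0.1` in the environment, has the same effect for this request while leaving other traffic on the proxy.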

nickhills
Ultra Champion
0 Karma

jmallorquin
Builder

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3

But I still have the same problem

0 Karma

nickhills
Ultra Champion

Try curl -k -v https://localhost:8089 and post the top of the response (remove anything sensitive)

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

CONNECT localhost:8089 HTTP/1.1
Host: localhost:8089
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

0 Karma

nickhills
Ultra Champion

That looks very much like a firewall or something is dumping the connection.
Any chance you have a local FW?

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

The firewall is disabled

systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

0 Karma

nickhills
Ultra Champion

Wait - can't believe I missed this:
Can you run echo $https_proxy
and maybe echo $http_proxy?

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

echo $https_proxy
http://x.x.x.x:8080/

echo $http_proxy
http://x.x.x.x:8080/

0 Karma

nickhills
Ultra Champion

Are you performing this curl from Splunk to a remote webservice, or from another system to Splunk?
It might help if you can post the full curl statement (remove anything sensitive)

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

curl -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export

0 Karma