Why is curl search giving an error after upgrading Splunk to 7.2.4?

jmallorquin
Builder

Hi,
After upgrading Splunk to 7.2.4, one curl search that was working perfectly in version 6.5.3 doesn't work anymore.
The result is
curl: (35) TCP connection reset by peer

I have tried using -k in the call, also specifying the SSL version with --tlsv1.2, and also updating openssl. But none of them have solved the problem.

Any idea how to solve this problem? The thing is that even a simple query returns the same message.

Thanks in advance

0 Karma
1 Solution

nickhills
Ultra Champion

Right!!!!

What is happening is your curl request is being proxied to your proxy server.
When the proxy tries to resolve the connection to localhost, it tries to connect to 8089 on itself - clearly this will not work, so the connection is dropped.

Try:
curl --noproxy "*" -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export

If my comment helps, please give it a thumbs up!


jmallorquin
Builder

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3

But I still have the same problem

0 Karma

nickhills
Ultra Champion

Try curl -k -v https://localhost:8089 and post the top of the response (remove anything sensitive)

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

CONNECT localhost:8089 HTTP/1.1
Host: localhost:8089
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

0 Karma

nickhills
Ultra Champion

That looks very much like a firewall or something is dumping the connection.
Any chance you have a local FW?

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

The firewall is disabled

systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

0 Karma

nickhills
Ultra Champion

Wait - can't believe I missed this:
Can you run echo $https_proxy
and maybe echo $http_proxy

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

echo $https_proxy
http://x.x.x.x:8080/

echo $http_proxy
http://x.x.x.x:8080/

0 Karma

nickhills
Ultra Champion

Are you performing this curl from Splunk to a remote webservice, or from another system to Splunk?
It might help if you can post the full curl statement (remove anything sensitive)

If my comment helps, please give it a thumbs up!
0 Karma

jmallorquin
Builder

curl -k -u admin:xxxxxxx --data-urlencode 'search=|savedsearch xxxxxxxx' -d output_mode=csv https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export

0 Karma
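
The accepted answer attributes the reset to the https_proxy variable sending the localhost:8089 request to the proxy. The shell sketch below is an added example, not part of the original thread: it approximates how curl chooses between a direct connection and the proxy from a proxy URL and a no_proxy list, using the masked values posted in the thread. The function names and the simplified matching (exact host, domain suffix, or "*") are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): model whether curl sends a request
# directly or through the proxy named in https_proxy, given a no_proxy list.
# Simplified matching: exact host, domain suffix, or "*" for every host.

# host_bypasses_proxy HOST NO_PROXY_LIST -> returns 0 if HOST skips the proxy
host_bypasses_proxy() {
    host=$1
    list=$2
    [ "$list" = "*" ] && return 0
    old_ifs=$IFS
    IFS=', '
    set -f                      # keep entries from being glob-expanded
    for entry in $list; do
        entry=${entry#.}        # ".example.com" and "example.com" are equal
        [ -z "$entry" ] && continue
        case $host in
            "$entry"|*."$entry") IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return 1
}

# route_for URL PROXY NO_PROXY_LIST -> prints "direct" or "via PROXY"
route_for() {
    url=$1; proxy=$2; noproxy=$3
    target=${url#*://}          # drop the scheme
    target=${target%%/*}        # drop the path
    target=${target%%:*}        # drop the port (IPv6 literals not handled)
    if [ -z "$proxy" ] || host_bypasses_proxy "$target" "$noproxy"; then
        echo "direct"
    else
        echo "via $proxy"
    fi
}

# Constructed inputs mirroring the thread; proxy address masked as on the page.
url='https://localhost:8089/servicesNS/admin/xxxxxxx/search/jobs/export'
proxy='http://x.x.x.x:8080/'
echo "no_proxy unset:               $(route_for "$url" "$proxy" '')"
echo "no_proxy=localhost,127.0.0.1: $(route_for "$url" "$proxy" 'localhost,127.0.0.1')"
echo "no_proxy=*:                   $(route_for "$url" "$proxy" '*')"
```

Exporting no_proxy=localhost,127.0.0.1 for the account that runs the search keeps this request off the proxy in the same way as --noproxy "*", while other destinations still go through it.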