Why does a REST API POST return all searches in my Angular app (it seems the search is not getting parsed)?

Pat
Path Finder

So I have an Angular app that compiles and runs, and I get a response, but it is sending me all the data. I have compared it to a Postman call where I put nothing in the body and it seems to be the same, so I think the issue is that the POST is not sending the body data. I have tried to send it both in the body and using the params feature. One complication is that when I console log params I don't get the specifics like I do with the body. OK, so I'm not going to bother putting in the header as it has the token in it, and the call does go through, so it seems like the preflight and everything is working. For the body approach I am using:

const body=JSON.stringify({
search: 'search index=dct_claims_dev dct_tenantID=10061675a sourcetype=\"mscs:azure:eventhub\" \"body.ApplicationName\"=* correlation_id!=null log_level=\"*\" \"body.@timestamp\"=\"*\" message=\"*\" \"body.Data\"=\"*\" | rex field=message \"(?i)(?<Message>.+?)(stack|\\Z)\" | rex field=body.Data \"(?i)(?<Data>.+?)(stack|\\Z)\" | rename \"body.@timestamp\" as \"Timestamp\", \"body.ApplicationName\" as Source, \"correlation_id\" as \"CorrelationId\", \"log_level\" as \"LogLevel\" | table Timestamp dct_tenantID Source dest CorrelationId LogLevel Message Data | sort - Timestamp',
earliest_time: '-5m',
latest_time: 'now',
adhoc_search_level: 'fast'
});
this.http.post('/api', body, { responseType: 'text', headers: headers }).subscribe(response => {
this.apiResult = response;
console.log(body);
console.log(response);
});

and the console log of body (remember response is just everything) is:

{"search":"search index=dct_claims_dev dct_tenantID=10061675a sourcetype=\"mscs:azure:eventhub\" \"body.ApplicationName\"=* correlation_id!=null log_level=\"*\" \"body.@timestamp\"=\"*\" message=\"*\" \"body.Data\"=\"*\" | rex field=message \"(?i)(?<Message>.+?)(stack|\\Z)\" | rex field=body.Data \"(?i)(?<Data>.+?)(stack|\\Z)\" | rename \"body.@timestamp\" as \"Timestamp\", \"body.ApplicationName\" as Source, \"correlation_id\" as \"CorrelationId\", \"log_level\" as \"LogLevel\" | table Timestamp dct_tenantID Source dest CorrelationId LogLevel Message Data | sort - Timestamp","earliest_time":"-5m","latest_time":"now","adhoc_search_level":"fast"}

While the params version I have is:

const params = new HttpParams()
.set('search', 'search index=dct_claims_dev')
.set('earliest_time', '-5m')
.set('latest_time', 'now')
.set('adhoc_search_level', 'fast');

const options = {
headers: headers,
params: params
};

this.http.post('/api', null, { responseType: 'text', headers: headers, params: params }).subscribe(response => {
this.apiResult = response;
console.log(params);
console.log(headers);
console.log(response);
});

and the console log of headers and params (I put in headers because I wanted to compare the output to params):

HttpParams {updates: null, cloneFrom: null, encoder: HttpUrlEncodingCodec, map: Map(4)}
app.component.ts:33 HttpHeaders {normalizedNames: Map(2), lazyUpdate: null, lazyInit: null, headers: Map(2)}

 

Any ideas?

0 Karma
1 Solution

Pat
Path Finder

I got this figured out, so I'm going to answer my own question here. Turns out the params version will work if it's put into the body and if it's concatenated. So it's the same params one, but take params out of options and replace the null body with params.toString(). Hope this helps somebody.

0 Karma
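
Added example (not part of the original posts): a side-by-side of the request bodies discussed in this thread, run through a stand-in for a receiver that reads its arguments from a form-encoded POST body, which is the behaviour the accepted answer implies for the endpoint behind `/api`. The helper names are hypothetical, the SPL string is shortened from the question, and `URLSearchParams` is used in place of Angular's `HttpParams` so the snippet runs without Angular.

```javascript
// Field names are from the question; the SPL is shortened (constructed sample).
const searchArgs = {
  search: 'search index=dct_claims_dev sourcetype="mscs:azure:eventhub" ' +
          '| rex field=message "(?i)(?<Message>.+?)(stack|\\Z)" | sort - Timestamp',
  earliest_time: '-5m',
  latest_time: 'now',
  adhoc_search_level: 'fast',
};

// First attempt in the question: a JSON document as the body.
function jsonBody(args) {
  return JSON.stringify(args);
}

// Working shape: key=value pairs joined with '&', each part percent-encoded.
function formBody(args) {
  return new URLSearchParams(args).toString();
}

// Hand-concatenated pairs with no encoding, shown for contrast.
function naiveBody(args) {
  return Object.entries(args).map(([k, v]) => `${k}=${v}`).join('&');
}

// Assumption: models a receiver that decodes the body as form fields.
// A null body stands for the attempt that sent everything as query params.
function readAsForm(body) {
  return Object.fromEntries(new URLSearchParams(body ?? ''));
}

function hasSearch(body) {
  return 'search' in readAsForm(body);
}

console.log('json body has search field :', hasSearch(jsonBody(searchArgs)));
console.log('null body has search field :', hasSearch(null));
console.log('form body has search field :', hasSearch(formBody(searchArgs)));
// Without encoding, '+' in the rex pattern is decoded as a space.
console.log('naive body keeps the SPL   :',
  readAsForm(naiveBody(searchArgs)).search === searchArgs.search);
console.log('encoded body keeps the SPL :',
  readAsForm(formBody(searchArgs)).search === searchArgs.search);
```

The JSON body and the empty body both reach the form decoder without a `search` field, matching the "same as Postman with nothing in the body" observation in the question, while the unencoded variant delivers a `search` field whose regex has been altered.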