Splunk Enterprise

Splunk custom rest API endpoint - get the body of http request in a POST request

eliav2
Explorer

On a Splunk custom REST API endpoint, I need to get the body of the HTTP POST request in the Python script that handles this endpoint.

The full rest.py handler script:

# rest.py

import json
import sys
from server import serverless_request
from splunk.persistconn.application import PersistentServerConnectionApplication


def log(*args):
    # log() was used but never defined in the posted script; this assumed helper
    # writes to stderr, which splunkd collects into splunkd.log
    print(*args, file=sys.stderr)


class App(PersistentServerConnectionApplication):
    def __init__(self, _command_line, _command_arg):
        log('init connection', _command_line, _command_arg)
        # super(PersistentServerConnectionApplication, self) would skip the base
        # class's own __init__; call it properly
        super().__init__()

    # Handle a synchronous request from splunkd.
    def handle(self, in_string):
        """
        Called for a simple synchronous request.
         in_string: request data passed in
        @rtype: string or dict
        @return: String to return in response.  If a dict was passed in,
                 it will automatically be JSON encoded before being returned.
        """
        log(self)
        log(dir(self))
        # splunkd hands the request over as JSON text; accept bytes or str
        if isinstance(in_string, bytes):
            in_string = in_string.decode()
        request = json.loads(in_string)
        log("request info", request)
        log('now processing request, hopefully it will be executed by flask')
        path_info = request.get('path_info', '/')
        method = request['method']
        log("request", request)
        # key and value were swapped in the original ({method: "method"})
        log('sending flask', {"path_info": path_info, "method": method})
        response = serverless_request(path_info, method)
        payload = response.data
        if isinstance(payload, bytes):
            payload = payload.decode()
        log('return payload from flask', payload)
        return {'payload': payload, 'status': 200}

    def handleStream(self, handle, in_string):
        """
        For future use
        """
        raise NotImplementedError(
            "PersistentServerConnectionApplication.handleStream")

    def done(self):
        """
        Virtual method which can be optionally overridden to receive a
        callback after the request completes.
        """
        pass

When sending a POST request to the custom endpoint with the body

{"isTimeSeriesCollection":true,"collectionName":"333","timeField":"_time","metaField":""}

I would expect the only argument, 'in_string', passed to `App.handle` to contain the request body, but the logs show that its value contains none of it:

 

request info {'output_mode': 'xml', 'output_mode_explicit': False, 'server': {'rest_uri': 'https://127.0.0.1:8089', 'hostname': 'ELIAVS-PC', 'servername': 'Eliavs-PC', 'guid': 'CD4B2374-0104-42C8-A069-F0115A5035DE'}, 'restmap': {'name': 'script:backend', 'conf': {'handler': 'application.App', 'match': '/backend', 'script': 'rest.py', 'scripttype': 'persist'}}, 'path_info': 'new_collection/tsdb', 'query': [], 'connection': {'src_ip': '127.0.0.1', 'ssl': False, 'listening_port': 12211}, 'session': {'user': 'eliav2', 'authtoken': 'ICvMPKZyW3OiN1FV5WE^3^YGOdqGvkpRax7DNB_C6pzoWS53mhj9yEYJH_UwrsJZEK4MH3gUAQh_DNiv0BNOsf4JkVJcjBh5yL1ni1n7LURwQ8a8c6vGvB__qfuTCcs_UIanwMQVmF'}, 'rest_path': '/backend/new_collection/tsdb', 'lang': 'en-US', 'method': 'POST', 'ns': {'app': 'darkeagle'}, 'form': []}

So how can I access the body of the JSON request?

I followed https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestscript and various other sources to get to this point; the docs are lacking basic information.


RaviNandasana
Engager

To get the payload in the request info you need to add the lines below to restmap.conf

restmap.conf

[script:upload_email_list]
match                 = /data/email_sender/upload_email_list
script                = upload_email_list.py
scripttype            = persist
python.version        = python3
handler               = upload_email_list.UploadEmailHandler
# Splunk .conf files only take full-line '#' comments; a trailing '//' comment
# would be read as part of the setting's value
# passPayload: pass the request body to the handler as request['payload']
passPayload           = true
# output_modes: respond in JSON format
output_modes          = json
# passHttpHeaders: pass the request headers to the handler
passHttpHeaders       = true
# passHttpCookies: pass the request cookies to the handler
passHttpCookies       = true

Output: request info

request info {'output_mode': 'xml', 'output_mode_explicit': False, ....
....
'payload':'{"fileContent":"ravinandasana1998@gmail.com,ravisheart123@gmail.com"}' 
.....
}
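A fuller handler built on that answer, added here as an example and not code from the question, the answer or Splunk: once passPayload = true is set the body arrives as request['payload'], and the code below parses and validates it, answers 400 instead of raising on bad input, and redacts the session authtoken (which the question's log line shows being written out) before logging. handle() stands in for App.handle so it runs outside splunkd; MAX_PAYLOAD_BYTES, REQUIRED_FIELDS and the sample request are assumptions.

```python
import json
import sys

MAX_PAYLOAD_BYTES = 64 * 1024  # assumed cap for this example; size it to your endpoint
REQUIRED_FIELDS = {"isTimeSeriesCollection": bool, "collectionName": str, "timeField": str}

def redact_for_log(request):
    # Deep copy safe for splunkd.log: session.authtoken is the caller's bearer credential
    safe = json.loads(json.dumps(request))
    if "authtoken" in safe.get("session", {}):
        safe["session"]["authtoken"] = "<redacted>"
    return safe

def extract_body(request):
    # Body arrives as request['payload'] (a JSON string) only when passPayload = true
    if "payload" not in request:
        raise ValueError("no 'payload' key: is passPayload = true set in restmap.conf?")
    raw = request["payload"]
    if len(raw.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large")
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("payload is not valid JSON: %s" % exc.msg) from None
    if not isinstance(body, dict):
        raise ValueError("payload must be a JSON object")
    for field, ftype in REQUIRED_FIELDS.items():
        if not isinstance(body.get(field), ftype):
            raise ValueError("field %r missing or not %s" % (field, ftype.__name__))
    return body

def handle(in_string):
    # Stand-in for App.handle: same input (JSON text from splunkd), same return contract
    request = json.loads(in_string)
    print("request info", redact_for_log(request), file=sys.stderr)  # lands in splunkd.log
    if request.get("method") != "POST":
        return {"status": 405, "payload": {"error": "POST only"}}
    try:
        body = extract_body(request)
    except ValueError as exc:
        return {"status": 400, "payload": {"error": str(exc)}}  # no traceback to the caller
    return {"status": 200, "payload": {"created": body["collectionName"], "timeField": body["timeField"]}}

# Constructed sample of what splunkd passes in, modelled on the question's log line
SAMPLE_IN_STRING = json.dumps({
    "method": "POST", "path_info": "new_collection/tsdb",
    "session": {"user": "eliav2", "authtoken": "EXAMPLE-TOKEN"},
    "payload": '{"isTimeSeriesCollection":true,"collectionName":"333","timeField":"_time","metaField":""}',
})
```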
