Splunk Enterprise

Why does login work in curl but not REST API?

MattP66
New Member

I'm using Splunk Enterprise version 8.2.7. I'm trying to get a session key and then run a search through the REST API.

Requesting the login through curl works:
C:\Users\A0493110>curl -k https://lflvsplunksh01:8089/services/auth/login --data-urlencode username=a0493110 --data-urlencode password=mypassword
<response>
<sessionKey>7AH24BVGEB^64CzSgJrZWyI4kMAASmOMC395npKhZEwxG0g3Leh6Kpm5uxRTLWoSz07gTgbPqqlcHCJAomHMIRniHO1FgY2kimJBYYirzq1WJZQm</sessionKey>
<messages>
<msg code=""></msg>
</messages>
</response>

But when requesting the login using Insomnia (a REST API endpoint tester), the login fails. I am sending the login credentials in JSON as described in the Splunk tutorial.

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">Login failed</msg>
</messages>
</response>

* Preparing request to https://lflvsplunksh01:8089/services/auth/login
* Current time is 2023-08-08T22:23:10.266Z
* Enable automatic URL encoding
* Using default HTTP version
* Disable SSL validation
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,.micron.com,addmmsi'
* Too old connection (18958 seconds), disconnect it
* Connection 7 seems to be dead!
* Closing connection 7
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, decode error (562):
* Hostname in DNS cache was stale, zapped
* Trying 10.192.88.222:8089...
* Connected to lflvsplunksh01 (10.192.88.222) port 8089 (#8)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=SplunkServerDefaultCert; O=SplunkUser
* start date: Apr 19 22:58:51 2023 GMT
* expire date: Apr 18 22:58:51 2026 GMT
* issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):

> POST /services/auth/login HTTP/1.1
> Host: lflvsplunksh01:8089
> User-Agent: insomnia/2023.4.0
> Content-Type: application/json
> Accept: */*
> Content-Length: 52

| {
| "username": "a0493110",
| "password": "mypassword"
| }

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse

< HTTP/1.1 400 Bad Request
< Date: Tue, 08 Aug 2023 22:23:10 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 129
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd


* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Received 129 B chunk
* Connection #8 to host lflvsplunksh01 left intact


Any help would be greatly appreciated. I want to get it working first in Insomnia, then in a .NET client I am writing.
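
The two requests in the post differ in body encoding: curl's `--data-urlencode` sends a form-encoded body, while the Insomnia request sent `application/json`. The following is an added example, not part of the original post, that builds the form-encoded login request and parses both response shapes shown above; the host `splunk.example` and the session key value are constructed placeholders.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

LOGIN_PATH = "/services/auth/login"  # endpoint path from the post

def build_login_request(base_url, username, password):
    """Build the POST that curl --data-urlencode produces (not sent here)."""
    # urlencode percent-escapes characters such as & or = inside a password.
    body = urllib.parse.urlencode({"username": username, "password": password})
    return urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH,
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def form_fields_seen(body):
    """Fields a generic form parser extracts from a body (illustration only,
    not splunkd's own parser)."""
    return urllib.parse.parse_qs(body.decode("utf-8"))

def parse_login_response(xml_text):
    """Return (session_key or None, [(type, text), ...]) for the XML shapes
    shown in the post."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    msgs = [(m.get("type") or "", (m.text or "").strip()) for m in root.iter("msg")]
    return root.findtext("sessionKey"), [m for m in msgs if m[1]]

# Constructed samples: placeholder host and session key; the field names and
# placeholder credentials are the ones that appear in the post.
JSON_BODY = b'{"username": "a0493110", "password": "mypassword"}'
OK_XML = ('<response><sessionKey>CONSTRUCTED-SESSION-KEY</sessionKey>'
          '<messages><msg code=""></msg></messages></response>')
FAIL_XML = ('<?xml version="1.0" encoding="UTF-8"?><response><messages>'
            '<msg type="WARN">Login failed</msg></messages></response>')

if __name__ == "__main__":
    req = build_login_request("https://splunk.example:8089", "a0493110", "mypassword")
    print(req.get_method(), req.full_url, req.data)
    print("form body fields:", form_fields_seen(req.data))
    print("JSON body fields:", form_fields_seen(JSON_BODY))
    print(parse_login_response(OK_XML))
    print(parse_login_response(FAIL_XML))
```

To send the request, pass it to `urllib.request.urlopen` with an `ssl` context that trusts the CA that issued the server's certificate.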
