We are trying to use the Splunk Stream REST API
https://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/SplunkAppforStreamRESTAPI
We are able to see the configs
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp
curl -X GET -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp
{"sourcetype": "stream:udp", "modifiedBy": "admin", "protocolName": "UDP", "fields": [{"term": "flow.bytes", "desc": "The total number of bytes transferred", "enabled": true, "name": "bytes", "aggType": "value"}, {"term": "flow.c-ip", "desc": "Client IP Address", "enabled": true, "name": "src_ip", "aggType": "value"}, {"term": "flow.c-mac", "desc": "Client packets MAC address in hexadecimal format", "enabled": true, "name": "src_mac", "aggType": "value"}, {"term": "flow.c-port", "desc": "Client port number", "enabled": true, "name": "src_port", "aggType": "value"}, {"term": "flow.cs-bytes", "desc": "The number of bytes sent from client to server", "enabled": true, "name": "bytes_in", "aggType": "value"}, {"term": "flow.cs-content", "desc": "All raw payload content sent from client to server", "enabled": false, "name": "src_content", "aggType": "value"}, {"term": "flow.cs-packets", "desc": "The total number of packets sent from client to server", "enabled": true, "name": "packets_in", "aggType": "value"}, {"term": "flow.interface-name", "desc": "Name of network interface", "enabled": false, "name": "network_interface", "aggType": "value"}, {"term": "flow.hostname", "desc": "Hostname where flow was captured", "enabled": false, "name": "capture_hostname", "aggType": "value"}, {"term": "flow.protocol", "desc": "Level 7 protocol name (http, ftp, etc.)", "enabled": true, "name": "app", "aggType": "value"}, {"term": "flow.s-ip", "desc": "Server IP Address", "enabled": true, "name": "dest_ip", "aggType": "value"}, {"term": "flow.s-mac", "desc": "Server packets MAC address in hexadecimal format", "enabled": true, "name": "dest_mac", "aggType": "value"}, {"term": "flow.s-port", "desc": "Server port number", "enabled": true, "name": "dest_port", "aggType": "value"}, {"term": "flow.sc-bytes", "desc": "The number of bytes sent from server to client", "enabled": true, "name": "bytes_out", "aggType": "value"}, {"term": "flow.sc-content", "desc": "All raw payload content sent from server to client", "enabled": false, "name": "dest_content", "aggType": "value"}, {"term": "flow.sc-packets", "desc": "The total number of packets sent from server to client", "enabled": true, "name": "packets_out", "aggType": "value"}, {"term": "flow.time-taken", "desc": "Number of microseconds that it took to complete a flow event, from the end user's perspective", "enabled": true, "name": "time_taken", "aggType": "value"}, {"term": "flow.vlan-id", "desc": "VLAN ID from 802.1Q header", "enabled": false, "name": "vlan_id", "aggType": "value"}, {"term": "flow.flow-id", "desc": "Flow Id", "enabled": true, "name": "flow_id", "aggType": "value"}, {"term": "flow.protocol-stack", "desc": "Protocol stack of flow", "enabled": true, "name": "protocol_stack", "aggType": "value"}], "_key": "udp", "streamType": "event", "aggregated": false, "app": "Stream", "filters": {"matchAllComparisons": true, "comparisons": []}, "statsOnly": false, "extras": {"eventType": "flow.udp-event"}, "_user": "nobody", "index": null, "category": "Networking", "isReferenceStream": true, "id": "udp", "name": "UDP Flow Events", "enabled": true}
But we cannot figure out how to edit them
curl -X PUT -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp/enable
We could not figure out how to obtain valid header tokens.
It is mentioned that we should be able to get this information from the GET request, but all we get is
HTTP/1.1 200 OK
Date: Wed, 22 Feb 2017 10:42:16 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 3383
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=bda9573630ba5e19964c235345a9b53c8d449e96; expires=Thu, 23 Feb 2017 10:42:16 GMT; httponly; Path=/; secure
Server: Splunkd
How do we get the necessary information to set the following parameters?
-H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469"
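Added example, not part of the original post and not Splunk's own code: a POSIX shell script that gets the cookies and the X-Splunk-Form-Key value the PUT above needs by logging in to Splunk Web with a curl cookie jar, then replays them on the stream endpoint from the post. It assumes (hypothetically, check against your version) that GET /en-US/account/login sets a cval cookie which the login POST echoes back with username and password, that the splunkweb_csrf_token_<port> cookie written at login is the value Splunk Web expects in X-Splunk-Form-Key (the post's own PUT sends the same value in both places), and that Splunk Web is at https://localhost:8000 with a self-signed certificate. The sample cookie jar is constructed, not captured from a real host, so the token extraction runs offline; the network part only runs when SPLUNK_PASSWORD is set.

```shell
#!/bin/sh
# Added example, not from the original post or the Splunk docs.
# Log in to Splunk Web with a curl cookie jar, pull the CSRF token out of the
# jar, and send it back as X-Splunk-Form-Key on the Stream PUT.
#
# Assumptions (hypothetical, verify against your Splunk version):
#   - Splunk Web listens on https://localhost:8000 with a self-signed cert (-k)
#   - GET /en-US/account/login sets a "cval" cookie that the login POST echoes
#   - after login the jar holds splunkd_<port>, session_id_<port> and
#     splunkweb_csrf_token_<port>; the last one is the X-Splunk-Form-Key value
SPLUNK_WEB="${SPLUNK_WEB:-https://localhost:8000}"
WEB_PORT="${WEB_PORT:-8000}"

# Read one cookie value from a Netscape-format jar (domain, subdomains flag,
# path, secure, expiry, name, value). curl prefixes HttpOnly cookies with
# "#HttpOnly_", so strip that before treating "#" lines as comments.
cookie_from_jar() {
    awk -v name="$2" '
        { sub(/^#HttpOnly_/, "") }
        /^#/ { next }
        NF >= 7 && $6 == name { print $7; found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Two-step Splunk Web login: fetch the login page for cval, then post the
# credentials with the same jar so the session and CSRF cookies land in it.
splunk_web_login() {
    jar="$1"; user="$2"; pass="$3"
    curl -sk -c "$jar" -o /dev/null "$SPLUNK_WEB/en-US/account/login"
    cval=$(cookie_from_jar "$jar" cval) \
        || { echo "no cval cookie from login page" >&2; return 1; }
    curl -sk -b "$jar" -c "$jar" -o /dev/null \
        --data-urlencode "username=$user" \
        --data-urlencode "password=$pass" \
        --data-urlencode "cval=$cval" \
        "$SPLUNK_WEB/en-US/account/login"
}

# PUT .../streams/<stream>/<enable|disable>. The jar supplies the Cookie
# header; the CSRF token from that same jar also goes in X-Splunk-Form-Key.
stream_toggle() {
    jar="$1"; stream="$2"; action="$3"
    token=$(cookie_from_jar "$jar" "splunkweb_csrf_token_$WEB_PORT") \
        || { echo "no splunkweb_csrf_token_$WEB_PORT in $jar; log in first" >&2; return 1; }
    curl -sk -b "$jar" -X PUT \
        -H "X-Splunk-Form-Key: $token" \
        -H "X-Requested-With: XMLHttpRequest" \
        -H "Content-Type: application/json" \
        "$SPLUNK_WEB/en-US/custom/splunk_app_stream/streams/$stream/$action"
}

# Constructed sample jar (values are made up, not captured from a Splunk host)
# so cookie_from_jar can be exercised without a server.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '#HttpOnly_localhost\tFALSE\t/\tTRUE\t0\tsession_id_8000\tdeadbeef0123\n'
        printf 'localhost\tFALSE\t/\tTRUE\t0\tsplunkd_8000\tEXAMPLE-splunkd-session\n'
        printf 'localhost\tFALSE\t/\tTRUE\t0\tsplunkweb_csrf_token_8000\t6914067146718907469\n'
    } > "$1"
}

# Offline by default; export SPLUNK_PASSWORD (and optionally SPLUNK_USER) to
# really log in and enable the udp stream.
if [ -n "${SPLUNK_PASSWORD:-}" ]; then
    jar=$(mktemp)
    splunk_web_login "$jar" "${SPLUNK_USER:-admin}" "$SPLUNK_PASSWORD" \
        && stream_toggle "$jar" udp enable
    rm -f "$jar"
else
    jar=$(mktemp)
    write_sample_jar "$jar"
    echo "X-Splunk-Form-Key would be: $(cookie_from_jar "$jar" splunkweb_csrf_token_8000)"
    rm -f "$jar"
fi
```

The point the script makes is that the form key is not something you look up once: it is the splunkweb_csrf_token cookie of the session you are sending, so the token and the cookies must come from the same jar written by the same login. A GET made without -c, as in the post's first two commands, leaves no jar behind, which is why the headers shown only return a fresh session_id and no usable token.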