Expected behaviour
TA-Webtools, when posting a JSON body, posts successfully.
Actual behaviour & Potential PBCAK
When posting a JSON body to the data field via the curl command in Splunk, the JSON body is truncated. While a successful post is made, the JSON body that is presented to Splunk's REST API is only the first characters before the first JSON internal double quote. I did attempt to use single, double, and triple slashes to escape the quotes, all of which result in malformed eval commands.
For example:
"{\"entity_rules\": [{\"rule_items\":
Presents the Splunk API with the payload:
{
SPL Context
This is the end of the command, where we are assembling the string that will be used by the curl command:
| eval curl_command=curl_command+" "+"data=" +"{\"entity_rules\": [{\"rule_items\": [{\"field_type\": \"info\", \"field\": \"parentserviceinfo\", \"rule_type\": \"matches\", \"value\": \"deletemeparentservice-dc100\"}], \"rule_condition\": \"AND\"}], \"permissions\": {\"read\": true, \"group\": {\"read\": true, \"delete\": true, \"write\": true}, \"user\": \"admin\", \"delete\": true, \"write\": true}, \"object_type\": \"service\", \"sec_grp\": \"default_itsi_security_group\"}"
| map search="| curl method=post uri=$curl_command$ user=admin pass=OMITTED debug=t"
Steps to reproduce
Install latest TA-webtools distribution
Open the TA-webtools permission to allow use of curl to other apps
Switch to ITSI app
Verify you can use curl within ITSI search
Use the curl command, with post argument, and pass a JSON body to the data curl parameter that contains no quotes
Proposed Fix
While this is not definite, it has been suggested in the Requests Library Documentation that you can encode the payload as JSON using the JSON library's function:
json.dumps(param)
While this may not be the complete fix, I think it may be worth time investigating.
Screenshots
Configuration
TA-Webtools Version: Version 1.30
Splunk version: Splunk 7.0.2 (build 03bbabbd5c0f)
In context of Splunk App and version: ITSI, 3.01
OS: Centos 7.4 x86_64
Browser: chrome
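
A model of the symptom reported above, added here as an example (it is not TA-Webtools code and not part of the original post). `naive_value` and `escape_aware_value` are hypothetical tokenizers and the payload is a constructed subset of the body in the post; the block shows how cutting at the first double quote yields `{` and how a `json.loads` round-trip check catches the truncation before the POST is sent.

```python
import json

# Constructed sample: part of the body from the post, as a Python object.
PAYLOAD = {
    "entity_rules": [{"rule_items": [{"field_type": "info", "field": "parentserviceinfo",
                                      "rule_type": "matches",
                                      "value": "deletemeparentservice-dc100"}],
                      "rule_condition": "AND"}],
    "object_type": "service",
    "sec_grp": "default_itsi_security_group",
}


def naive_value(arg):
    """Hypothetical tokenizer: value of key=value, cut at the first double quote."""
    return arg.partition("=")[2].split('"', 1)[0]


def quoted_arg(payload):
    """Serialise with json.dumps, then backslash-escape it inside data="..."."""
    body = json.dumps(payload)
    return 'data="' + body.replace("\\", "\\\\").replace('"', '\\"') + '"'


def escape_aware_value(arg):
    """Hypothetical tokenizer: reads data="..." and lets a backslash escape the next char."""
    rest = arg.partition('="')[2]
    out, i = [], 0
    while i < len(rest) and rest[i] != '"':
        if rest[i] == "\\" and i + 1 < len(rest):
            i += 1  # skip the backslash, keep the escaped character
        out.append(rest[i])
        i += 1
    return "".join(out)


def is_intact_json(body, expected):
    """Pre-send check: the body must parse as JSON and equal the intended object."""
    try:
        return json.loads(body) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    raw = "data=" + json.dumps(PAYLOAD)
    print(repr(naive_value(raw)), is_intact_json(naive_value(raw), PAYLOAD))
    full = escape_aware_value(quoted_arg(PAYLOAD))
    print(len(full), is_intact_json(full, PAYLOAD))
```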