TA-Webtools curl Authentication

ejread · ‎12-04-2019

Using the Webtools app here - https://splunkbase.splunk.com/app/4146/#/details

I have a working curl command from the CLI but receiving a 400 response from the Splunk search command… Curious how it works and have a few questions -

Is there a way to see the CURL command generated by Splunk when the search is executed? Is this logged anywhere?
How do the “user=username” and “password=password” parameters from the search command compare to “curl -u" option with "user:password"?

For example, using curl directly (works) -

curl \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-u "user:password" \
-d '{"uuid":"xxxx","inputs":{"Area":"failure","AssignmentGroup":"monitoring platforms","Description0":"SPLUNK Test","Impact":"4","Subarea":"error message","Urgency":"3","AffectedCI":"Test","OriginalText":"SPLUNK Test","Application":"xxx","xx_Node":"xxxxxx","Category":"testing","SourceCI":"xxxx-001","doCreateAlert":"yourdoCreateAlertValue"}}' \
http://hostname:8080/url/path

Using the curl search command (not working) -

| makeresults 
| eval header="{\"Content-Type\":\"application/json\", \"Accept\":\"application/json\"}" 
| eval data="{\"uuid\":\"xxxx\",\"inputs\":{\"Area\":\"failure\",\"AssignmentGroup\":\"monitoring platforms\",\"Description0\":\"SPLUNK Test\",\"Impact\":\"4\",\"Subarea\":\"error message\",\"Urgency\":\"3\",\"AffectedCI\":\"Test\",\"OriginalText\":\"SPLUNK Test\",\"Application\":\"xxx\",\"xx_Node\":\"xxxxxx\",\"Category\":\"testing\",\"SourceCI\":\"xxxx-001\",\"doCreateAlert\":\"yourdoCreateAlertValue\"}}"
| curl method=post uri=http://hostname:8080/url/path user=user pass=password debug=true datafield=data headerfield=header

jkat54 · ‎12-04-2019

Really looks like it should have worked.

What happens if you add count=1 to your makeresults?

ejread · ‎12-05-2019

Unfortunately no difference when adding count=1.

Also noticed in the search results table, there is a slightly different formatting with a "u". I feel like some formatting in the data payload section may be the problem...

data field -

{"uuid":"xxxx","inputs":

curl_data_payload field -

{u'uuid': u'xxxx', u'inputs':

jkat54 · ‎12-05-2019

That's what a json array looks like when printed to string. The "u" that is.

It should be fine like that. I think maybe the nested json is causing the issue. Maybe you need to put square brackets around the entire data object to show it's an array...

ejread · ‎12-06-2019

I tried square brackets, no luck. Also tried with a non-nested JSON object, and it works through curl but not through the search command (returns a 400). Its seems like a formatting difference in the payload between what is sent with "curl -d" and "datafield=data". Any way to log what is sent in the POST so it can be compared to curl?

jkat54 · ‎12-06-2019

On your search head, you can run tcpdump on whatever port your api is on and see the outbound queries.

debug=true is supposed to show whats being sent in curl_* fields.

jkat54 · ‎12-04-2019

Behind the scenes it's requests lib, a popular web requests library written in python. It's not actually a curl command.

User/pass gets base64 encoded and passed in the Authentication Header.

TA-Webtools curl Authentication

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk