
Splunk Stream: REST API tokens

mathiask
Communicator

We are trying to use the Splunk Stream REST API
https://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/SplunkAppforStreamRESTAPI

We are able to see the configs

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp
curl -X GET -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/udp

{"sourcetype": "stream:udp", "modifiedBy": "admin", "protocolName": "UDP", "fields": [{"term": "flow.bytes", "desc": "The total number of bytes transferred", "enabled": true, "name": "bytes", "aggType": "value"}, {"term": "flow.c-ip", "desc": "Client IP Address", "enabled": true, "name": "src_ip", "aggType": "value"}, {"term": "flow.c-mac", "desc": "Client packets MAC address in hexadecimal format", "enabled": true, "name": "src_mac", "aggType": "value"}, {"term": "flow.c-port", "desc": "Client port number", "enabled": true, "name": "src_port", "aggType": "value"}, {"term": "flow.cs-bytes", "desc": "The number of bytes sent from client to server", "enabled": true, "name": "bytes_in", "aggType": "value"}, {"term": "flow.cs-content", "desc": "All raw payload content sent from client to server", "enabled": false, "name": "src_content", "aggType": "value"}, {"term": "flow.cs-packets", "desc": "The total number of packets sent from client to server", "enabled": true, "name": "packets_in", "aggType": "value"}, {"term": "flow.interface-name", "desc": "Name of network interface", "enabled": false, "name": "network_interface", "aggType": "value"}, {"term": "flow.hostname", "desc": "Hostname where flow was captured", "enabled": false, "name": "capture_hostname", "aggType": "value"}, {"term": "flow.protocol", "desc": "Level 7 protocol name (http, ftp, etc.)", "enabled": true, "name": "app", "aggType": "value"}, {"term": "flow.s-ip", "desc": "Server IP Address", "enabled": true, "name": "dest_ip", "aggType": "value"}, {"term": "flow.s-mac", "desc": "Server packets MAC address in hexadecimal format", "enabled": true, "name": "dest_mac", "aggType": "value"}, {"term": "flow.s-port", "desc": "Server port number", "enabled": true, "name": "dest_port", "aggType": "value"}, {"term": "flow.sc-bytes", "desc": "The number of bytes sent from server to client", "enabled": true, "name": "bytes_out", "aggType": "value"}, {"term": "flow.sc-content", "desc": "All raw payload content sent from server to client", "enabled": false, "name": "dest_content", "aggType": "value"}, {"term": "flow.sc-packets", "desc": "The total number of packets sent from server to client", "enabled": true, "name": "packets_out", "aggType": "value"}, {"term": "flow.time-taken", "desc": "Number of microseconds that it took to complete a flow event, from the end user's perspective", "enabled": true, "name": "time_taken", "aggType": "value"}, {"term": "flow.vlan-id", "desc": "VLAN ID from 802.1Q header", "enabled": false, "name": "vlan_id", "aggType": "value"}, {"term": "flow.flow-id", "desc": "Flow Id", "enabled": true, "name": "flow_id", "aggType": "value"}, {"term": "flow.protocol-stack", "desc": "Protocol stack of flow", "enabled": true, "name": "protocol_stack", "aggType": "value"}], "_key": "udp", "streamType": "event", "aggregated": false, "app": "Stream", "filters": {"matchAllComparisons": true, "comparisons": []}, "statsOnly": false, "extras": {"eventType": "flow.udp-event"}, "_user": "nobody", "index": null, "category": "Networking", "isReferenceStream": true, "id": "udp", "name": "UDP Flow Events", "enabled": true}

But we cannot figure out how to edit them

curl -X PUT -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streams/udp/enable

We could not figure out how to obtain valid header tokens.
It is mentioned that we should be able to get this information from the GET request, but all we get is

HTTP/1.1 200 OK
Date: Wed, 22 Feb 2017 10:42:16 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 3383
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=bda9573630ba5e19964c235345a9b53c8d449e96; expires=Thu, 23 Feb 2017 10:42:16 GMT; httponly; Path=/; secure
Server: Splunkd

How do we get the necessary information to set the following parameters?

-H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469"
1 Solution

ajayaraman_splu
Splunk Employee

Hello
There are two steps involved in getting all the tokens.

If you’re using curl, follow the below steps —
(If you’re using POSTMAN or similar services, the splunkd and csrf token are extracted and used automatically by the application as long as there is an active web session. They can be found in the cookies tab.)

  1. RUN curl -c - -k http://localhost:8000/en-US/account/login to collect the “cval” set-cookie value

EG:
localhost FALSE /en-US/account/ FALSE 0 cval 1850823966
localhost FALSE /en-US/account FALSE 1645485022 splunkweb_uid B0016BF4-2725-475F-9CEF-968387C83900

  2. RUN curl -c - -k http://localhost:8000/en-US/account/login -H "Cookie: cval=1850823966" -d username= -d password= -d cval=1850823966 to retrieve the other tokens

EG:

HttpOnly_localhost FALSE / FALSE 1487808793 splunkd_8000 UDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFCcKsSYqpkJEtQjIsDguZNGsC4NuOXithfgjYkC

localhost FALSE / FALSE 1645485193 splunkweb_csrf_token_8000 12523149765193777622

NOTE: The splunkweb_csrf_token_8000 is the X-Splunk-Form-Key as well.

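The two steps from the accepted answer, scripted end to end, as an added example that is not part of the original thread or of the Stream app itself. It collects `cval`, logs in, pulls `splunkd_<port>` and `splunkweb_csrf_token_<port>` out of the cookie jar that `curl -c -` writes to stdout, and then sends them on a Stream REST call with the CSRF token in both the `Cookie` header and `X-Splunk-Form-Key`, which is the combination the asker's PUT was missing. Assumptions: Splunk Web at `$SPLUNK_URL` (default `https://localhost:8000`) with the port appended to the URL, cookie names suffixed with that port, and the standard curl cookie-jar column layout; `SAMPLE_JAR`, `cookie_value`, `stream_login` and `stream_api` are names chosen here, and the token values in `SAMPLE_JAR` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): script the token collection
# described in the answer and reuse the tokens for a Stream REST call.
# Assumptions: Splunk Web at $SPLUNK_URL with an explicit port, cookie names
# suffixed with that port (splunkd_8000, splunkweb_csrf_token_8000), and
# the cookie-jar text that `curl -c -` writes to stdout.

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8000}"
SPLUNK_PORT="${SPLUNK_URL##*:}"   # trailing port of the URL, e.g. 8000

# Constructed cookie-jar sample modelled on the `curl -c -` output in the
# answer. Columns: domain flag path secure expiry name value. HttpOnly
# cookies get a "#HttpOnly_" prefix on the domain column, so the name is
# still column 6 and the value column 7. Token values are placeholders.
SAMPLE_JAR='# Netscape HTTP Cookie File
localhost FALSE /en-US/account/ FALSE 0 cval 1850823966
#HttpOnly_localhost FALSE / FALSE 1487808793 splunkd_8000 EXAMPLESESSIONTOKEN
localhost FALSE / FALSE 1645485193 splunkweb_csrf_token_8000 12523149765193777622'

# cookie_value NAME: read cookie-jar text on stdin, print the value of NAME
# (empty output if the cookie is absent). Whitespace splitting handles both
# the tab-separated jar curl writes and the space-separated sample above.
cookie_value() {
    awk -v want="$1" 'NF >= 7 && $6 == want { print $7; exit }'
}

# stream_login USER PASSWORD: step 1 fetches the cval anti-CSRF cookie from
# the login page, step 2 posts the credentials together with that cval.
# Prints the cookie jar of the authenticated session on stdout.
stream_login() {
    cval=$(curl -s -k -c - "$SPLUNK_URL/en-US/account/login" | cookie_value cval)
    [ -n "$cval" ] || { echo "login page returned no cval cookie" >&2; return 1; }
    curl -s -k -c - -o /dev/null "$SPLUNK_URL/en-US/account/login" \
        -H "Cookie: cval=$cval" \
        --data-urlencode "username=$1" \
        --data-urlencode "password=$2" \
        --data-urlencode "cval=$cval"
}

# stream_api METHOD PATH [JSON_BODY]: call a splunk_app_stream endpoint with
# the tokens from the cookie jar on stdin. The CSRF token must be sent twice:
# as the splunkweb_csrf_token_<port> cookie and as X-Splunk-Form-Key.
stream_api() {
    method=$1; path=$2; shift 2
    jar=$(cat)
    splunkd=$(printf '%s\n' "$jar" | cookie_value "splunkd_$SPLUNK_PORT")
    csrf=$(printf '%s\n' "$jar" | cookie_value "splunkweb_csrf_token_$SPLUNK_PORT")
    if [ -z "$splunkd" ] || [ -z "$csrf" ]; then
        echo "session tokens missing: login probably failed" >&2
        return 1
    fi
    if [ $# -gt 0 ]; then set -- -d "$1"; fi
    curl -s -k -X "$method" \
        -H "Cookie: splunkd_$SPLUNK_PORT=$splunkd; splunkweb_csrf_token_$SPLUNK_PORT=$csrf" \
        -H "X-Splunk-Form-Key: $csrf" \
        -H "X-Requested-With: XMLHttpRequest" \
        -H "Content-Type: application/json" \
        "$@" \
        "$SPLUNK_URL/en-US/custom/splunk_app_stream$path"
}

# Stand-alone demo: parse the constructed sample; only when SPLUNK_USER and
# SPLUNK_PASS are set does it log in for real and enable the UDP stream
# that the question tried to PUT.
printf '%s\n' "$SAMPLE_JAR" | cookie_value splunkweb_csrf_token_8000
if [ -n "${SPLUNK_USER:-}" ] && [ -n "${SPLUNK_PASS:-}" ]; then
    stream_login "$SPLUNK_USER" "$SPLUNK_PASS" | stream_api PUT /streams/udp/enable
fi
```

Two caveats a practitioner should keep in mind. The `-k` flag copies the thread and disables certificate verification; it is acceptable against a localhost lab instance, but against any shared Splunk Web use `--cacert` with the server's certificate instead. And the `splunkd_<port>` cookie is a bearer session credential: the question above pasted a live one into a public post, which is equivalent to posting a password; pull it from a cookie jar file with restrictive permissions, or from the pipeline as this script does, and never into shell history or tickets.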
