Solved: Re: SCOM - Web App Availability Monitor - Returnin...

slierninja · ‎11-26-2013

Trying to setup Web App monitor in SCOM 2012 to let us know when splunk is unavailable - however splunk web is returning HTTP 406. Why doesn't it return a HTTP 200?

HTTP Request

GET /en-US/account/login HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: GZIP
User-Agent: System Center 2012 - Operations Manager 7.0.9538.0
Connection: Keep-Alive

HTTP Response

HTTP/1.1 406 Not Acceptable
Cache-Control: no-store, max-age=0, no-cache, must-revalidate
Date: Tue, 26 Nov 2013 22:11:11 GMT
Content-Length: 2613
Content-Type: text/html
Server: CherryPy/3.1.2
Set-Cookie: cval=885818388
Set-Cookie: session_id_8000=63b46afefe78777f9e574f080f797ecd8039f922; expires=Wed, 27 Nov 2013 22:11:11 GMT; httponly; Path=/
Set-Cookie: uid=8478E32F-AE41-400A-8A9E-F81D664645EC; expires=Sun, 25 Nov 2018 22:11:11 GMT
X-Frame-Options: SAMEORIGIN

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- 
    This is a static HTML string template to render errors.  To edit this
    template, see appserver/mrsparkle/lib/error.py. 
-->

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:splunk="http://www.splunk.com/xhtml-extensions/1.0" xml:lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/en-US/static/@182037.40/img/favicon.ico" />
    <title>identity, gzip - Splunk</title>
    <style>

        *       { margin: 0; padding: 0; }
        body    { font-family: helvetica, arial, sans-serif; color: #333; padding: 20px; }
        p,pre   { margin-bottom: 1em; font-size: .8em; }
        .status { font-size: .7em; color: #999; margin-bottom: 1em; }
        .msg    { margin-bottom: 1em; font-size: 1.4em;}
        pre     { font-family: Monaco,Courier Bold,Courier New,monospace; font-size: .7em;background-color: #eee;  padding: 5px;}
        #toggle { font-size: .8em; margin-bottom: 1em; }
        .byline { color: #555; }
        .byline span { font-weight: bold; line-height: 1.4em; }
        hr      { height: 1px; background-color: #ccc; border: 0; margin: 20px 0 10px; }
        h2      { font-size: 1em; margin-bottom: 1em; }
        table   { border-collapse: collapse; }
        td      { padding: 2px; }
        td.k    { font-family: helvetica, arial, sans-serif; font-weight: bold; }
        #debug  { display: none; }

        #crashes { margin: 20px 0; padding: 10px; border: 1px solid #800; }
        #crashes dt { font-size: 12px; margin-bottom: 5px; }
        #crashes dd { white-space: pre; background: #f2f2f2; padding: 10px; margin-left: 20px; display: none; font: 10px Monaco,Courier Bold,Courier New,monospace; }

    </style>
    <script>
        function toggle(what) {
            what = document.getElementById(what);
            if (what.style.display == 'block') {
                what.style.display = 'none';
            } else {
                what.style.display = 'block';
            }
        }
    </script>
</head>
<body>
    <p class="status">406 Not Acceptable</p>
    <p class="homelink"><a href="/">Return to Splunk home page</a></p>
    <h1 class="msg">identity, gzip</h1>


    <br />
    <br />

    <hr />
    <p class="byline">You are using <span>localhost:8000</span>, which is connected to splunkd <span>@182037</span> at <span>https://127.0.0.1:8089</span> on <span>Tue Nov 26 16:11:11 2013</span>.</p>

</body>
</html>

slierninja · ‎11-27-2013

I fixed this issue by changing the HTTP Header value that SCOM sends for Accept-Encoding from GZIP to gzip. I guess Splunk chooses not to allow GZIP in CAPS. Splunk Web does respond with gzip content when using lowercase Accept-Encoding.

From W3C..."If an Accept-Encoding field is present in a request, and if the server cannot send a response which is acceptable according to the Accept-Encoding header, then the server SHOULD send an error response with the 406 (Not Acceptable) status code."

Splunk should handle GZIP just like IIS does, but I guess this is a change request.

HTTP Header Value (Accept-Encoding: gzip)

View solution in original post

delink · ‎11-27-2013

According to RFC 2616, Section 3.5, content coding values should be treated as case-insensitive, so this is definitely a bug in splunkweb.

slierninja · ‎11-27-2013

I fixed this issue by changing the HTTP Header value that SCOM sends for Accept-Encoding from GZIP to gzip. I guess Splunk chooses not to allow GZIP in CAPS. Splunk Web does respond with gzip content when using lowercase Accept-Encoding.

From W3C..."If an Accept-Encoding field is present in a request, and if the server cannot send a response which is acceptable according to the Accept-Encoding header, then the server SHOULD send an error response with the 406 (Not Acceptable) status code."

Splunk should handle GZIP just like IIS does, but I guess this is a change request.

SCOM - Web App Availability Monitor - Returning 406 Not Acceptable

HTTP Request

HTTP Response

HTTP Header Value (Accept-Encoding: gzip)

HTTP Header Value (Accept-Encoding: gzip)

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...