We are using Splunk 6.3.6.
I am trying to perform a POST through /splunkd/__raw/services/search/jobs:
curl -kvsL -X POST --cookie-jar curl_cookie.jar https://splunk_web_url/en-US/splunkd/__raw/services/search/jobs/export -d search="search index=_internal | stats avg(load_average)"
HTTP/1.1 401 Unauthorized
Date: Tue, 31 Oct 2017 08:39:44 GMT
Server: Splunkd
Strict-Transport-Security: max-age=15768000
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 12
X-Frame-Options: SAMEORIGIN
Connection: close
{"status":1}* Curl_http_done: called premature == 0
It works for GET queries, such as:
curl -kvsL -X GET --cookie-jar curl_cookie.jar https://splunk_web_url.net/en-US/splunkd/__raw/services/search/jobs
In btool web list we can see that both GET and POST are allowed for this endpoint:
[expose:search_jobs]
methods = GET,POST
pattern = search/jobs
Details of the curl responses:
curl -kvsL -u USER:PASSWORD -X POST --cookie-jar curl_cookie.jar https://SPLUNKWEB/en-US/splunkd/__raw/services/search/jobs -d search="search index=_internal | stats avg(load_average)"
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to SPLUNKWEB (x.x.x.x) port 443 (#0)
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates. Also disables SNI.
* schannel: sending initial handshake data: sending 189 bytes...
* schannel: sent initial handshake data: sent 189 bytes
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4006
* schannel: encrypted data buffer: offset 4006 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 5030 length 5030
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 6054 length 6054
* schannel: encrypted data length: 136
* schannel: encrypted data buffer: offset 136 length 6054
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 1188 length 6054
* schannel: sending next handshake data: sending 2298 bytes...
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 51 length 6054
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 3/3)
* schannel: stored credential handle in session cache
* Server auth using Basic with user 'USER'
> POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1
> Host: SPLUNKWEB
> Authorization: Basic BASE64AUTH
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 55
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 55 out of 55 bytes
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 728
* schannel: encrypted data buffer: offset 728 length 17408
* schannel: decrypted data length: 512
* schannel: decrypted data added: 512
* schannel: decrypted data cached: offset 512 length 16384
* schannel: encrypted data length: 187
* schannel: encrypted data cached: offset 187 length 17408
* schannel: decrypted data length: 127
* schannel: decrypted data added: 127
* schannel: decrypted data cached: offset 639 length 16384
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 17408
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 639
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 303 See Other
< Date: Tue, 31 Oct 2017 13:05:15 GMT
< Server: Splunkd
< Strict-Transport-Security: max-age=15768000
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 127
< Location: https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjobs
< Vary: Cookie
< X-Frame-Options: SAMEORIGIN
< Connection: close
<
* Curl_http_done: called premature == 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with SPLUNKWEB port 443
* schannel: clear security context handle
* Issue another request to this URL: 'https://SPLUNKWEB/en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjobs'
* Disables POST, goes with GET
* Hostname SPLUNKWEB was found in DNS cache
* Trying X.X.X.X...
* TCP_NODELAY set
* Connected to SPLUNKWEB (X.X.X.X) port 443 (#1)
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 1/3)
* schannel: re-using existing credential handle
* schannel: incremented credential handle refcount = 2
* schannel: sending initial handshake data: sending 221 bytes...
* schannel: sent initial handshake data: sent 221 bytes
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 2/3)
* schannel: encrypted data buffer: offset 137 length 4096
* schannel: sending next handshake data: sending 51 bytes...
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with SPLUNKWEB port 443 (step 3/3)
* Server auth using Basic with user 'USER'
> POST /en-US/account/login?return_to=%2Fen-US%2Fsplunkd%2F__raw%2Fservices%2Fsearch%2Fjobs HTTP/1.1
> Host: SPLUNKWEB
> Authorization: Basic BASE64AUTH
> User-Agent: curl/7.52.1
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 480
* schannel: encrypted data buffer: offset 480 length 17408
* schannel: decrypted data length: 379
* schannel: decrypted data added: 379
* schannel: decrypted data cached: offset 379 length 16384
* schannel: encrypted data length: 72
* schannel: encrypted data cached: offset 72 length 17408
* schannel: decrypted data length: 12
* schannel: decrypted data added: 12
* schannel: decrypted data cached: offset 391 length 16384
* schannel: encrypted data length: 31
* schannel: encrypted data cached: offset 31 length 17408
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 391
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 401 Unauthorized
< Date: Tue, 31 Oct 2017 13:05:16 GMT
< Server: Splunkd
< Strict-Transport-Security: max-age=15768000
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 12
< X-Frame-Options: SAMEORIGIN
< Connection: close
<
{"status":1}* Curl_http_done: called premature == 0
* Closing connection 1
* schannel: shutting down SSL/TLS connection with SPLUNKWEB port 443
* schannel: clear security context handle