Install app, restart splunk, profit!
If you want to use passwords in conjunction with the curl SPL command, you will want to install this app as well: https://splunkbase.splunk.com/app/4013/. It will allow you to store the passwords in the splunk password store (encrypted) and then use those credentials with the 'splunkpasswdname' and 'splunkpasswdcontext' curl command options.
[optional:<generating_search>] | curl [choice: uri=uri OR urifield=urifield] [optional: method=<DELETE|GET|HEAD|PATCH|POST|PUT clientcert="/path/to/client/cert.pem" certkey="/path/to/client/cert.key" datafield=field_name data="data" headers=<JSON_STRING> headerfield=<JSON_FIELD> user="user" pass="password" debug=[true|false] splunkauth=[true|false] splunkpasswdname="username_in_passwordsconf" splunkpasswdcontext="appcontext" timeout=float sleep=timeInSecsBetweenCurls]
-
GET data from uri, specifing user, pass, and very short timeout:
| curl method=get uri=https://localhost:8089/services/admin user=admin pass=changeme timeout=0.001 | table curl*
-
GET data from uri, passing existing session key:
| curl method=get uri=https://localhost:8089/services/admin splunkauth=true | table curl*
-
POST data to uri, specifying data="{\"name\":\"Test\",\"value\":\"Hello World\",\"severity\":\"warn\"}":
| makeresults count=1
| eval data="{\"name\":\"Test\",\"value\":\"Hello World\",\"severity\":\"warn\"}"
| curl method=post uri=https://localhost:8089/services/messages/new splunkauth=true debug=true datafield=data
| table curl*
-
POST data to uri, using a data field that exists in the Splunk search pipeline:
| makeresults count=1
| eval message="{\"name\":\"restart_link\",\"value\":\"Hello World\",\"severity\":\"warn\"}"
| curl method=post uri=https://localhost:8089/services/messages/new datafield=message splunkauth=true
| table curl*
-
Deleting fired alerts for search named "Test Alert":
| rest /servicesNS/admin/search/alerts/fired_alerts/Test%20Alert
| fields title
| head 10
| map search="
| curl method=delete uri="https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/$title$" user=admin pass=changeme
| table *
"
-
Getting search results from google:
| curl method=get uri=https://google.com/search?q=splunk debug=t
-
Getting multiple search results from google using data in the pipe:
| makeresults count=2
| eval data="q=".random()
| curl method=get uri="https://google.com/search" datafield=data debug=true
-
Setting a Custom Header & Test Data:
| makeresults count=1
| eval header="{\"content-type\":\"application/json\"}"
| eval data="{\"test data\":\"DATA\"}"
| curl method=post uri=https://localhost:8089/services user=admin pass=changeme debug=true headerfield=header datafield=data
-
Call localhost but retrieve the password from the password store for username example (requires https://splunkbase.splunk.com/app/4013/)
| curl method=get uri=https://localhost:8089/services user=example splunkpasswdname=example
-
Using the urifield option
| makeresults count=1
| eval uri="https://localhost:8089/services"
| curl method=get urifield=uri
-
Getting list of vulnerabilities and parsing the results into something useable
| curl uri="https://advisory.splunk.com/feed.xml"
| fields curl_message
| spath input=curl_message output=link path=rss.channel.item.link
| mvexpand link
| fields link
| appendcols [
| curl uri="https://advisory.splunk.com/feed.xml"
| fields curl_message
| spath input=curl_message output=title path=rss.channel.item.title
| mvexpand title
| fields title
]
| appendcols [
| curl uri="https://advisory.splunk.com/feed.xml"
| fields curl_message
| spath input=curl_message output=pubDate path=rss.channel.item.pubDate
| mvexpand pubDate
| fields pubDate
]
| appendcols [
| curl uri="https://advisory.splunk.com/feed.xml"
| fields curl_message
| spath input=curl_message output=description path=rss.channel.item.description
| mvexpand description
| fields description
]
| eval pubDateE=floor(strptime(pubDate,"%a, %d %b %Y %T %z"))
| map maxsearches=50 search="
| makeresults count=1
| fields - _time
| eval uri=$link$
| curl urifield=uri
| fields curl_message uri
| spath input=curl_message path=html.head.meta.meta.meta.meta.meta.meta.meta.meta.meta.link.body.div.div.div.article.section.div.div.div.table.tbody.tr.td output=affected
| fields - curl_message
| mvexpand affected
| eval product=case(
match(affected,\"Splunk Enterprise\"), \"Splunk Enterprise\",
match(affected,\"Splunk Cloud\"), \"Splunk Cloud\",
match(affected,\"Splunk Web\"), \"Splunk Web\",
match(affected,\"Universal Forwarder\"), \"Universal Forwarder\",
1=1, \"Undetected\"
)
| filldown product
| rex field=affected \"^(?<lowerversions>\d+.\d+.\d+)\s\"
| rex field=affected \"(\d+.\d+.\d+)\sto\s(?<upperversions>\d+.\d+.\d+)\"
| where isnotnull(lowerversions)
| eval upperversions=if(isnull(upperversions),lowerversions,upperversions)
| eval lowerversions=if(match(affected,\"and [Llower|Bbelow]\"), lowerversions.\" and below\", lowerversions)
"
<generating_search> | urlencode <field_1> <field_2> <field_n> ... | table <field_1> <field_2> <field_n> ...
Version 3.1.2 -
- Bug Fix
Version 3.1.1
-Fixed 'data' variable when used with streaming capability
-Removed ability to specify user and pass with the command, use splunkpasswdname & splunkpasswdcontext OR token=<token> OR splunkauth=true instead.
Version 3.1.0:
-Slimified
-Updates for friendlier self service cloud installs
-New ability to use Splunk Auth Tokens
Release Version 3.0.2:
- Enforcing HTTPS strings for URI
- Additional error handling and messaging
Version 2.0.2
-Added certificate support to curl command - https://github.com/bentleymi/ta-webtools/issues/8
Version 2.0.2
-Added sleep parameter - https://github.com/bentleymi/ta-webtools/issues/8
Version 2.0.0
-Ported from AOB2.x to AOB3.x
-Deprecated UDP on Modular Input
-Increased Timeout to 60 from 2 on Modular Input
Version 1.3.0
- Added password store support for SPL curl command - Thanks @Gareth Anderson for the code
- Added 'urlfield' support as per request
Version 1.2.6:
- Fixed bug with POST & DELETE methods reported here: https://answers.splunk.com/answers/775943/huawei-esight-open-api-login-authentication-fails.html
- Many thanks to @infrastructure_Services_vwag_r_han_volkswagen_de!
Version 1.2.4:
- Removed UDP functionalities to pass new appinspect rules
- Fixed "bad operand" issue reported here: https://answers.splunk.com/answers/738867/web-tools-add-on-ta-webtools-curl-command-throws-a.html - Thanks @suser2019
- Cleaned up streaming logic
Release Version 1.2.3:
- Added HEAD method
- Changed GET method to use query parameters instead of data payloads
- Added curl_response_url to debug output
Release Version 1.2.2:
- Fixed bug in curl.py (curl spl command) that forced empty authentication parameters when authentication isnt required
- Thanks to @runner724 for reporting via answers - https://answers.splunk.com/answers/716585/webtools-app-how-to-make-get-without-basic-authent.html)
Release Version 1.2.0:
- Code readability improvements in curl.py
- Added 'timeout' option to curl command (as per request)
- Added exception handling to request functions in curl.py to support 'timeout' option
Release Version 1.1.0
- Made http method default to GET if not specified
- Added custom header capability to streaming curl command (by popular demand)
- Added curl_header to debug output of streaming curl command (by popular demand)
- Added curl_splunkauth to debug output of streaming & generating curl commands
- Added custom header capability to curl modular inputs (by popular demand)
Initial Release v1.0.0
- This was previously known as Splunk-TA_webtools, now it's been renamed to TA-webtools
- Now supports scripted inputs with the curl command
- Also added testport command for testing if TCP ports are open, and sending test UDP data for UDP tests
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.