Splunk Custom Endpoints Part 3: POSTing the Data
In Parts 1 and 2 we covered setting up our Python file to handle a POST request with hard-coded data. We also covered setting up our restmap.conf and web.conf files. We then set up our dashboard with a form that will POST to our custom endpoint. Finally, we added some JavaScript to handle the POSTing to our custom endpoint.
As our custom_endpoint.py stands right now it is simply using the hardcoded data in the file and using that to POST to our custom endpoint. Now we want to modify our custom_endpoint.py file to take the data we POST to it and return it so we can see the format the data is sent to our custom endpoint.
Feel free to follow along with the blog post and/or the screencast links that are included below and throughout the post.
- Video 7: Cleaning Our POST Data
- Video 8: Handling POST Data In Python
Cleaning Our POST Data
You can view the related screencast here.
Part of the request that comes into Splunk when POSTing data to it is the payload. This is the data that we will be sending from our form. We can access this through our handle_POST method’s request like so:
Go ahead and open up the custom_endpoint.py script inside of your app’s bin folder. Modify your handle_POST method so it looks like this:
Here is what we are doing:
- Right now all we are interested in seeing that the script can handle the request and then provide a response by simply returning the data we send it.
- First define the payload.
- Then, write out the payload in a string format back to the browser. We will wait for this response on our dashboard.
- Once you make the changes save the file.
Test POSTing
Go back to the dashboard, fill out the form and then click the Submit button. I entered ‘batman’ for my user and ‘admin’ for my role. In the console the response should look something like this:

What are we looking at?
The data is the payload that we are writing out in our Python script. Currently the format is:
I would rather it be in the format of:
We can do this with a little massaging of our data in our Javascript file.
Modifying the payload data format
In custom_endpoint.js we will add the following inside of our on-click event:
Here is what we are doing:
- Above we are pulling out the name of the form field field[‘name’] and the value of the form field field[‘value’].
- We then check to see which field we are pulling the data from: Roles or Username
- If Roles, we need to split the value apart if multiple roles have been provided e.g. user,admin
- If it’s not Roles, then it can only be the Username field and we simply assign the Username key to the value.
Next, instead of passing data into our service request, we will pass data_obj:
Now if you try and submit the form you should get back something like:

Handling POST Data In Python
The next thing we want to do is loop through the payload data, pull out what we need, and pass it to the pre-existing endpoint of /services/admin/users/<user>. Here’s the Handling POST Data In Python screencast for you as well. Inside of the custom_endpoint.py file make the following modifications inside the handle_POST method:
Here is what we are doing:
- Above we’ve added a variable for a username and roles.
- Then inside of the try statement we define our payload, which is passed form on our CRUD dashboard.
- We then loop through the payload data first splitting on & and then = characters to pull our our data and assign both the username and roles values.
- We also check to see if the username is blank and if it is we throw back a 400 error saying that a username must be provided.
- If everything is good, we post to the /services/admin/users/<user> endpoint and pass it our data using the simpleRequest method.
- Finally, if an error occurs an exception will be thrown and returned back to us.
At this point if you go back to your dashboard and try to POST, you should receive back User roles updated successfully! If you remember, that “Success!” message comes from our JavaScript file. You can confirm it worked by going to: https://<hostname>:<splunkd_port>/services/admin/users/<user_name>
Now that we have POSTing working, we can move on to going through setting up our GET request. We will do that in the final part of this series.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
