All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to parse JSON from REST input?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mohankesireddy
Path Finder
06-12-2017
03:20 PM
hi, I am querying an REST API to ingest the large JSON output. But facing issues with parsing JSON output. I am not interested int the metadata of the response I am only looking to ingest the data
{
"key": "9988",
"doc_count": 14
},
as an event. If I use the native reponsehandler Splunk is ingesting the data as one large even and stops at max events.
I tried using custom handler, but Splunk does not index any data. I tried to handle the out with custom sourcetype with no luck
` class DataHandler:
def __init__(self,**args):
pass
def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
if response_type == "json":
output = json.loads(raw_response_output)
for server in output["distinctValues"]["buckets"]:
print_xml_stream(json.dumps(server))
else:
print_xml_stream(raw_response_output)
`
JSON Response sample
{
"total": 15,
"querytime": 6,
"aggregations": {
"distinctValues": {
"doc_count": 0,
"sum_count": 0,
"buckets": [{
"key": "3412",
"doc_count": 15
}, {
"key": "5423",
"doc_count": 81
}, {
"key": "6543",
"doc_count": 16
}, {
"key": "6655",
"doc_count": 18
}, {
"key": "2344",
"doc_count": 10
}, {
"key": "1234",
"doc_count": 16
}, {
"key": "9898",
"doc_count": 10
}, {
"key": "4321",
"doc_count": 14
}, {
"key": "9988",
"doc_count": 14
}, {
"key": "3454",
"doc_count": 11
}, {
"key": "3242",
"doc_count": 14
}, {
"key": "9283",
"doc_count": 6
}, {
"key": "8472",
"doc_count": 1
}, {
"key": "9922",
"doc_count": 6
}, {
"key": "8293",
"doc_count": 5
}]
}
},
"results": []
}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
06-12-2017
06:30 PM
Looks like you missed aggregations.
for server in output["aggregations"]["distinctValues"]["buckets"]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
06-12-2017
06:30 PM
Looks like you missed aggregations.
for server in output["aggregations"]["distinctValues"]["buckets"]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mohankesireddy
Path Finder
06-13-2017
11:32 AM
that did the trick thank Damien
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
