All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to parse JSON from REST input?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mohankesireddy
Path Finder
06-12-2017
03:20 PM
hi, I am querying an REST API to ingest the large JSON output. But facing issues with parsing JSON output. I am not interested int the metadata of the response I am only looking to ingest the data
{
"key": "9988",
"doc_count": 14
},
as an event. If I use the native reponsehandler Splunk is ingesting the data as one large even and stops at max events.
I tried using custom handler, but Splunk does not index any data. I tried to handle the out with custom sourcetype with no luck
` class DataHandler:
def __init__(self,**args):
pass
def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
if response_type == "json":
output = json.loads(raw_response_output)
for server in output["distinctValues"]["buckets"]:
print_xml_stream(json.dumps(server))
else:
print_xml_stream(raw_response_output)
`
JSON Response sample
{
"total": 15,
"querytime": 6,
"aggregations": {
"distinctValues": {
"doc_count": 0,
"sum_count": 0,
"buckets": [{
"key": "3412",
"doc_count": 15
}, {
"key": "5423",
"doc_count": 81
}, {
"key": "6543",
"doc_count": 16
}, {
"key": "6655",
"doc_count": 18
}, {
"key": "2344",
"doc_count": 10
}, {
"key": "1234",
"doc_count": 16
}, {
"key": "9898",
"doc_count": 10
}, {
"key": "4321",
"doc_count": 14
}, {
"key": "9988",
"doc_count": 14
}, {
"key": "3454",
"doc_count": 11
}, {
"key": "3242",
"doc_count": 14
}, {
"key": "9283",
"doc_count": 6
}, {
"key": "8472",
"doc_count": 1
}, {
"key": "9922",
"doc_count": 6
}, {
"key": "8293",
"doc_count": 5
}]
}
},
"results": []
}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
06-12-2017
06:30 PM
Looks like you missed aggregations.
for server in output["aggregations"]["distinctValues"]["buckets"]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
06-12-2017
06:30 PM
Looks like you missed aggregations.
for server in output["aggregations"]["distinctValues"]["buckets"]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mohankesireddy
Path Finder
06-13-2017
11:32 AM
that did the trick thank Damien
Get Updates on the Splunk Community!
Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!
We are thrilled to announce the winners of the Splunk Build-a-thon, our first-ever hackathon dedicated to ...
Why You Should Register for Splunk University at .conf25
Level up before .conf25 even begins
Splunk University is back in Boston, September 6–8, and it’s your chance ...
Building Splunk proficiency is a marathon, not a sprint
Building Splunk skills is a lot like training for a marathon. It’s about consistent progress, celebrating ...
