
REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

tnerkar_splunk
Splunk Employee

I am using oauth2 as the authentication type. My data currently gets parsed either into 1 event alone,
or the parser treats each line as a separate event.

The data from the curl output appears as

 [
    {
        "count": 6495, 
        "kind": "Host", 
        "next": "https://mycompany.com/api/v1.0/data/search?results_id=<>=search+Host+show+name%2C+%23InferredElement%3AInference%3AAssociate%3ADiscoveryAccess.endpoint+as+%27Scanned+via%27%2C+os%2C+os_class+as+%27OS+Class%27%2C+os_type+as+%27OS+Type%27%2C+os_version+as+%27OS+Version%27%2C+model+as+%27Model%27%2C+vendor+as+%27Hardware+Vendor%27&offset=1000&limit=1000&format=object", 
        "next_offset": 1000, 
        "offset": 0, 
        "results": [
            {
                "Hardware Vendor": "VMware, Inc.", 
                "Model": "VMware Virtual Platform", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": "10.000.000.111", 
                "name": "abc-atydv-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "abc-ENTDC-001", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "efg-ENTDC-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }
        ],
        "results_id": "abc="
    }
]

Thanks,
Tejal

0 Karma

bmacias84
Champion

The quick answer is yes, you can. This requires you to build your own response handler in Python. If you read the inputs.conf.spec you will see a setting called response_handler, "Python classname of custom response handler". For more examples open responsehandlers.py, which is located in the bin directory. You will see a number of custom handlers.

Basically you are going to have to write some Python.

0 Karma

tnerkar_splunk
Splunk Employee

Here is my CustomHandler, added in responsehandlers.py

import json  # already imported at the top of responsehandlers.py

class MyCustomHandler:

    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        if response_type == "json":
            output = json.loads(raw_response_output)

            # emit one event per entry under "results"
            for server in output["results"]:
                print_xml_stream(json.dumps(server))
        else:
            print_xml_stream(raw_response_output)

It errors out as:

02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" for server in output["results"]:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" TypeError: list indices must be integers, not str

I only want to capture the data/events after "results".

0 Karma
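The TypeError in the post above follows from the shape of the curl output earlier in the thread: the top-level JSON value is a list that wraps the page object, so `output["results"]` indexes a list with a string. The handler below is added here as an illustration and is not code from the thread or from the REST API Modular Input add-on. It walks the wrapper list (and also accepts a bare object), emits each entry under "results" as its own event, and reports whether a "next" URL is still pending. `print_xml_stream` is replaced by a stand-in so the module runs outside Splunk; the class name `ADDMResultsHandler`, the helper names and the trimmed sample response are constructed for this example.

```python
import json

# Constructed sample with the shape of the ADDM search response quoted in the
# question: a top-level LIST holding one page object, trimmed to two hosts.
SAMPLE_RESPONSE = json.dumps([
    {
        "count": 6495,
        "kind": "Host",
        "next": "https://mycompany.com/api/v1.0/data/search?results_id=abc%3D&offset=1000&limit=1000&format=object",
        "next_offset": 1000,
        "offset": 0,
        "results": [
            {"Hardware Vendor": "VMware, Inc.", "Model": "VMware Virtual Platform",
             "OS Class": "Windows", "Scanned via": "10.000.000.111", "name": "abc-atydv-002"},
            {"Hardware Vendor": "HP", "Model": "ProLiant DL360p Gen8",
             "OS Class": "Windows", "Scanned via": None, "name": "abc-ENTDC-001"},
        ],
        "results_id": "abc=",
    }
])


def print_xml_stream(s):
    """Stand-in for the add-on's print_xml_stream helper (name taken from the
    thread). The real one wraps the string in a modular-input <event> element;
    this one only prints so the module runs outside Splunk."""
    print(s)


def iter_pages(output):
    """Yield each page object whether the API returned a bare dict or a list of dicts.
    Any other type (string, number, null) carries no results and yields nothing."""
    if isinstance(output, dict):
        yield output
    elif isinstance(output, list):
        for page in output:
            if isinstance(page, dict):
                yield page


def extract_results(raw_response_output):
    """Return one compact JSON string per entry under "results", across all pages.
    Unexpected shapes produce an empty list instead of an exception that would
    take the whole modular input down."""
    output = json.loads(raw_response_output)
    events = []
    for page in iter_pages(output):
        for server in page.get("results", []):
            events.append(json.dumps(server, sort_keys=True))
    return events


def has_more(raw_response_output):
    """True when a page advertises a "next" URL, i.e. further pages remain to be fetched."""
    return any(page.get("next") for page in iter_pages(json.loads(raw_response_output)))


class ADDMResultsHandler:
    """Response handler with the __call__ signature used in the thread's
    responsehandlers.py snippet. Emits each host under "results" as its own event."""

    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        if response_type != "json":
            # non-JSON payloads are passed through unchanged, as in the original handler
            print_xml_stream(raw_response_output)
            return
        for event in extract_results(raw_response_output):
            print_xml_stream(event)


if __name__ == "__main__":
    ADDMResultsHandler()(None, SAMPLE_RESPONSE, "json", {}, "https://mycompany.com/api/v1.0/data/search")
```

Wired into the add-on, the class name goes into the response-handler setting that bmacias84 points to in inputs.conf.spec. The shape checks in `iter_pages` are the defensive part: an upstream change from list to object (or an error body that is not a page at all) yields zero events for that poll rather than a traceback in splunkd.log.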

tnerkar_splunk
Splunk Employee

Further update. I was able to resolve the issue.

0 Karma

aaraneta_splunk
Splunk Employee

@tnerker - Would you be able to provide the answer to your issue so that others can know what you did and we can close out your question?

0 Karma