All Apps and Add-ons

REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

tnerkar_splunk
Splunk Employee
Splunk Employee

I am using oauth2, as the authentication type. My data currently gets parsed as either, into 1 event alone
or the parser treats each line as a separate event.

The data from the curl output appears as

 [
    {
        "count": 6495, 
        "kind": "Host", 
        "next": "https://mycompany.com/api/v1.0/data/search?results_id=<>=search+Host+show+name%2C+%23InferredElement%3AInference%3AAssociate%3ADiscoveryAccess.endpoint+as+%27Scanned+via%27%2C+os%2C+os_class+as+%27OS+Class%27%2C+os_type+as+%27OS+Type%27%2C+os_version+as+%27OS+Version%27%2C+model+as+%27Model%27%2C+vendor+as+%27Hardware+Vendor%27&offset=1000&limit=1000&format=object", 
        "next_offset": 1000, 
        "offset": 0, 
        "results": [
            {
                "Hardware Vendor": "VMware, Inc.", 
                "Model": "VMware Virtual Platform", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": "10.000.000.111", 
                "name": "abc-atydv-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "abc-ENTDC-001", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "efg-ENTDC-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }
],
"results_id": "abc="
    }

Thanks,
Tejal

0 Karma

bmacias84
Champion

The quest answer is yes you can. This requires you to build your on response handler in Python. If you read the inputs.conf.spec you will see a settings called response_hander, Python classname of custom response handler. For more examples open responsehandlers.py which is located in the bin directory. You will see a number of custom handlers.

Basically you are going to have to write some python.

0 Karma

tnerkar_splunk
Splunk Employee
Splunk Employee

Here is my CustomHandler, added in responsehandlers.py

class MyCustomHandler:

 def __init__(self,**args):
     pass

 def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
     if response_type == "json":        
         output = json.loads(raw_response_output)

         for server in output["results"]:
             print_xml_stream(json.dumps(server))                      
     else:
         print_xml_stream(raw_response_output)

It errors out as:

02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" for server in output["results"]:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" TypeError: list indices must be integers, not str

I only want to capture the data/events after "results"

0 Karma

tnerkar_splunk
Splunk Employee
Splunk Employee

Further update. I was able to resolve the issue.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@tnerker - Would you be able to provide the answer your issue so that others can know what you did and we can close out your question?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...