I am using oauth2 as the authentication type. My data currently gets parsed either into 1 event alone,
or the parser treats each line as a separate event.
The data from the curl output appears as:
[
  {
    "count": 6495,
    "kind": "Host",
    "next": "https://mycompany.com/api/v1.0/data/search?results_id=<>=search+Host+show+name%2C+%23InferredElement%3AInference%3AAssociate%3ADiscoveryAccess.endpoint+as+%27Scanned+via%27%2C+os%2C+os_class+as+%27OS+Class%27%2C+os_type+as+%27OS+Type%27%2C+os_version+as+%27OS+Version%27%2C+model+as+%27Model%27%2C+vendor+as+%27Hardware+Vendor%27&offset=1000&limit=1000&format=object",
    "next_offset": 1000,
    "offset": 0,
    "results": [
      {
        "Hardware Vendor": "VMware, Inc.",
        "Model": "VMware Virtual Platform",
        "OS Class": "Windows",
        "OS Type": "Windows",
        "OS Version": "Server 2012 R2",
        "Scanned via": "10.000.000.111",
        "name": "abc-atydv-002",
        "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
      },
      {
        "Hardware Vendor": "HP",
        "Model": "ProLiant DL360p Gen8",
        "OS Class": "Windows",
        "OS Type": "Windows",
        "OS Version": "Server 2012 R2",
        "Scanned via": null,
        "name": "abc-ENTDC-001",
        "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
      },
      {
        "Hardware Vendor": "HP",
        "Model": "ProLiant DL360p Gen8",
        "OS Class": "Windows",
        "OS Type": "Windows",
        "OS Version": "Server 2012 R2",
        "Scanned via": null,
        "name": "efg-ENTDC-002",
        "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
      }
    ],
    "results_id": "abc="
  }
]
Thanks,
Tejal
The quick answer is yes, you can. This requires you to build your own response handler in Python. If you read the inputs.conf.spec you will see a setting called response_handler, Python classname of custom response handler. For more examples open responsehandlers.py, which is located in the bin directory. You will see a number of custom handlers.
Basically you are going to have to write some Python.
class MyCustomHandler:
    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
        if response_type == "json":
            output = json.loads(raw_response_output)
            for server in output["results"]:
                print_xml_stream(json.dumps(server))
        else:
            print_xml_stream(raw_response_output)
It errors out as:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" for server in output["results"]:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" TypeError: list indices must be integers, not str
I only want to capture the data/events after "results"
Further update. I was able to resolve the issue.
@tnerker - Would you be able to provide the answer to your issue so that others can know what you did and we can close out your question?
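
One way to handle the response shape shown in the question, as an added example that is not code from this thread or from the rest_ta app: the curl output is a top-level list wrapping the object that holds "results", so indexing it with a string raises the TypeError above. The sample data, the HostResultsHandler name and the print_xml_stream stand-in are assumptions made so the block runs on its own; it goes slightly beyond the case in the thread by also accepting a single object.

```python
import json
import sys
from xml.sax.saxutils import escape

# Constructed sample shaped like the curl output in the question:
# a top-level list wrapping one page object that holds "results".
SAMPLE = json.dumps([{
    "count": 2, "kind": "Host", "offset": 0,
    "results": [
        {"name": "host-a", "OS Class": "Windows", "Scanned via": None},
        {"name": "host-b", "OS Class": "Windows", "Scanned via": "192.0.2.10"},
    ],
}])


def iter_result_events(raw_response_output):
    """Yield one JSON string per entry under "results".
    Accepts a single page object or a list of page objects."""
    output = json.loads(raw_response_output)
    pages = output if isinstance(output, list) else [output]
    for page in pages:
        if not isinstance(page, dict):
            continue  # skip anything that is not a page object
        for record in page.get("results") or []:
            yield json.dumps(record, sort_keys=True)


def print_xml_stream(data, out=sys.stdout):
    # Stand-in (assumption) for the app's helper of the same name.
    out.write('<stream><event unbroken="1"><data>%s</data><done/></event></stream>\n'
              % escape(data))


class HostResultsHandler:
    """Hypothetical handler name; emits each host record as its own event."""
    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type,
                 req_args, endpoint):
        if response_type == "json":
            for event in iter_result_events(raw_response_output):
                print_xml_stream(event)
        else:
            print_xml_stream(raw_response_output)


if __name__ == "__main__":
    HostResultsHandler()(None, SAMPLE, "json", {}, "https://example.invalid/api")
```

Inside the app, the class would live in responsehandlers.py, use the app's own print_xml_stream, and be named in the input's response_handler setting.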