All Apps and Add-ons
Highlighted

REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

New Member

I am using oauth2, as the authentication type. My data currently gets parsed as either, into 1 event alone
or the parser treats each line as a separate event.

The data from the curl output appears as

 [
    {
        "count": 6495, 
        "kind": "Host", 
        "next": "https://mycompany.com/api/v1.0/data/search?results_id=<>=search+Host+show+name%2C+%23InferredElement%3AInference%3AAssociate%3ADiscoveryAccess.endpoint+as+%27Scanned+via%27%2C+os%2C+os_class+as+%27OS+Class%27%2C+os_type+as+%27OS+Type%27%2C+os_version+as+%27OS+Version%27%2C+model+as+%27Model%27%2C+vendor+as+%27Hardware+Vendor%27&offset=1000&limit=1000&format=object", 
        "next_offset": 1000, 
        "offset": 0, 
        "results": [
            {
                "Hardware Vendor": "VMware, Inc.", 
                "Model": "VMware Virtual Platform", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": "10.000.000.111", 
                "name": "abc-atydv-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "abc-ENTDC-001", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "efg-ENTDC-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }
],
"results_id": "abc="
    }

Thanks,
Tejal

0 Karma
Highlighted

Re: REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

Champion

The quest answer is yes you can. This requires you to build your on response handler in Python. If you read the inputs.conf.spec you will see a settings called response_hander, Python classname of custom response handler. For more examples open responsehandlers.py which is located in the bin directory. You will see a number of custom handlers.

Basically you are going to have to write some python.

0 Karma
Highlighted

Re: REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

New Member

Here is my CustomHandler, added in responsehandlers.py

class MyCustomHandler:

 def __init__(self,**args):
     pass

 def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
     if response_type == "json":        
         output = json.loads(raw_response_output)

         for server in output["results"]:
             print_xml_stream(json.dumps(server))                      
     else:
         print_xml_stream(raw_response_output)

It errors out as:

02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/restta/bin/rest.py" for server in output["results"]:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest
ta/bin/rest.py" TypeError: list indices must be integers, not str

I only want to capture the data/events after "results"

0 Karma
Highlighted

Re: REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

New Member

Further update. I was able to resolve the issue.

0 Karma
Highlighted

Re: REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

Influencer

@tnerker - Would you be able to provide the answer your issue so that others can know what you did and we can close out your question?

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.