
REST API Modular Input: How to add an arbitrary field to results to identify the source for that data input?

cadapt
New Member

I am using the REST API Modular Input ( https://apps.splunk.com/apps/id/rest_ta ) to pull data from an API which outputs CSV data.

I need to do this for various different sources using the same REST API and I need to "tag" the data as which source it is coming from. Is there a way to add an arbitrary field to the results which identifies the source for that data input?


Damien_Dallimor
Ultra Champion

You should use the sourcetype field for this when you set up your REST stanzas.

Trivial example: a parent stanza with shared config fields and 2 child stanzas, each with its own sourcetype.

[rest]
index=main

[rest://foo]
sourcetype=abc
...

[rest://goo]
sourcetype=def
...

Or if you can't do that, then you should use a custom response handler in the REST TA to dynamically determine what additional "tag" field to add to the event.

Loads of examples in rest_ta/bin/responsehandlers.py for this pre-processing approach using Python code.

Or, you could also add fields at index time, but you'll be limited in what you can achieve to regex-based logic.
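A worked version of the custom response handler approach, added here as an example rather than code from the REST API Modular Input or its author. It assumes the handler calling convention used in rest_ta/bin/responsehandlers.py (a class with `__init__(self, **args)` and `__call__(self, response_object, raw_response_output, response_type, req_args, endpoint)`, emitting events through `print_xml_stream`), and the stanza keys `response_handler` and `response_handler_args`; `print_xml_stream` is stubbed so the file runs on its own, and the CSV input is constructed.

```python
# Added example: a rest_ta-style response handler that parses a CSV response body
# and stamps every row with a "source tag" identifying the data input it came from.
# Assumed wiring in the stanza (not verified against a live install):
#   [rest://foo]
#   response_handler=CsvTagResponseHandler
#   response_handler_args=tag=api_1
# Rows are re-emitted as one JSON event each so Splunk auto-extracts the fields.
import csv
import io
import json

# Stand-in for the helper that responsehandlers.py imports; in the real module it
# writes the event inside the modular-input XML stream instead of plain print().
def print_xml_stream(event):
    print(event)

def tag_csv_rows(raw_csv, tag, field="source_tag"):
    """Parse a CSV body (header row first) and return one JSON string per data row,
    with an extra column `field` set to `tag`. An empty body yields an empty list."""
    rows = csv.DictReader(io.StringIO(raw_csv))
    return [json.dumps(dict(row, **{field: tag}), sort_keys=True) for row in rows]

class CsvTagResponseHandler:
    """Tag each CSV row with the `tag` handler argument, falling back to the
    endpoint URL when the stanza supplies no tag (assumed handler interface)."""
    def __init__(self, **args):
        self.tag = args.get("tag")
        self.field = args.get("field", "source_tag")

    def __call__(self, response_object, raw_response_output, response_type,
                 req_args, endpoint):
        tag = self.tag or endpoint
        events = tag_csv_rows(raw_response_output, tag, self.field)
        for event in events:
            print_xml_stream(event)
        return events  # returned as well so the behaviour can be checked offline

# Constructed sample response body standing in for what the API would return.
SAMPLE_CSV = "id,value\n1,a\n2,b\n"

if __name__ == "__main__":
    handler = CsvTagResponseHandler(tag="api_1")
    handler(None, SAMPLE_CSV, "text", {}, "https://example.invalid/api")
```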

bsonposh
Communicator

You can do something like this... I assume the REST TA provides some data back as to the endpoint used.

| eval my_tag = case(<source_endpoint>,"api_1")

Actually, if that works you can likely just create a Splunk TAG for it. https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Tagsconf
