I am using the REST API Modular Input ( https://apps.splunk.com/apps/id/rest_ta ) to pull data from an API which outputs CSV data.
I need to do this for various different sources using the same REST API and I need to "tag" the data as which source it is coming from. Is there a way to add an arbitrary field to the results which identifies the source for that data input?
You can do something like this... I assume the REST TA provides some data back as to endpoint used.
| eval my_tag = case(<source_endpoint>,"api_1")
Actually, if that works you can likely just create a Splunk TAG for it. https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Tagsconf
You should use the sourcetype field for this when you set up your REST stanzas.
Trivial example, parent stanza with shared config fields with 2 child stanzas, each with their own sourcetype.
[rest]
index=main

[rest://foo]
sourcetype=abc
...

[rest://goo]
sourcetype=def
...
Or if you can't do that, then you should use a custom response handler in the REST TA to dynamically determine what additional "tag" field to add to the event.
Loads of examples in rest_ta/bin/responsehandlers.py for this pre-processing approach using Python code.
Or, you could also add fields at index time, but you'll be limited in what you can achieve to regex-based logic.
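An added example (not from the answers above and not the REST TA's own code) of the response-handler approach: each CSV row becomes one key="value" event with a source field chosen from the endpoint host. The host-to-tag map, the `data_source` field name and the class name are assumptions, and the `__call__` signature is modeled on the handlers in rest_ta/bin/responsehandlers.py.

```python
import csv
import io
from urllib.parse import urlparse

# Hypothetical mapping of API host -> tag value; replace with your own sources.
SOURCE_TAGS = {
    "api1.example.com": "api_1",
    "api2.example.com": "api_2",
}


def tag_csv_rows(raw_csv, endpoint, field="data_source"):
    """Return one key="value" event string per CSV row, with a source tag appended."""
    host = urlparse(endpoint).hostname or ""
    # Unmapped hosts are tagged explicitly so untagged data is easy to find in search.
    tag = SOURCE_TAGS.get(host, "unknown")
    events = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        # Drop overflow columns (key None) and turn missing cells (value None) into "".
        fields = {k: (v or "") for k, v in row.items() if k is not None}
        fields[field] = tag
        # Replace embedded double quotes so key="value" extraction stays unambiguous.
        events.append(" ".join(
            '%s="%s"' % (k, v.replace('"', "'")) for k, v in fields.items()
        ))
    return events


class TaggedCSVResponseHandler:
    """Handler class name is hypothetical; the call signature is assumed from the TA."""

    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type,
                 req_args, endpoint):
        for event in tag_csv_rows(raw_response_output, endpoint):
            # Inside responsehandlers.py, pass each event to the module's
            # print_xml_stream() helper (assumed) instead of print().
            print(event)
```

If a source already has a column named `data_source`, the handler's value overwrites it, so pick a field name that does not collide with the CSV headers.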