REST API Modular Input: How to add an arbitrary fi...

cadapt · ‎12-06-2017

I am using the REST API Modular Input ( https://apps.splunk.com/apps/id/rest_ta ) to pull data from an API which outputs CSV data.

I need to do this for various different sources using the same REST API and I need to "tag" the data as which source it is coming from. Is there a way to add an arbitrary field to the results which identifies the source for that data input?

Damien_Dallimor · ‎12-06-2017

You should use the sourcetype field for this when you set up your REST stanzas.

Trivial example , parent stanza with shared config fields with 2 child stanzas each with their own sourcetype.

[rest]
index=main

[rest://foo]
sourcetype=abc
...

[rest://goo]
sourcetype=def
...

Or if you can't do that then you should use a custom response handler in the REST TA. to dynamically determine what additional "tag" field to add to the event.

Loads of examples in rest_ta/bin/responsehandlers.py for this pre-processing approach using python code

Or , you could also add fields at index time. , but you'll be limited in what you can achieve to regex based logic.

bsonposh · ‎12-06-2017

You can do something like this... I assume the REST TA provides some data back as to endpoint used.

| eval my_tag = case(<source_endpoint>,"api_1")

Actually, if that works you can likely just create a Splunk TAG for it. https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Tagsconf

REST API Modular Input: How to add an arbitrary field to results to identify the source for that data input?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!