REST API Modular Input: How to add an arbitrary fi...

cadapt · ‎12-06-2017

I am using the REST API Modular Input ( https://apps.splunk.com/apps/id/rest_ta ) to pull data from an API which outputs CSV data.

I need to do this for various different sources using the same REST API and I need to "tag" the data as which source it is coming from. Is there a way to add an arbitrary field to the results which identifies the source for that data input?

Damien_Dallimor · ‎12-06-2017

You should use the sourcetype field for this when you set up your REST stanzas.

Trivial example , parent stanza with shared config fields with 2 child stanzas each with their own sourcetype.

[rest]
index=main

[rest://foo]
sourcetype=abc
...

[rest://goo]
sourcetype=def
...

Or if you can't do that then you should use a custom response handler in the REST TA. to dynamically determine what additional "tag" field to add to the event.

Loads of examples in rest_ta/bin/responsehandlers.py for this pre-processing approach using python code

Or , you could also add fields at index time. , but you'll be limited in what you can achieve to regex based logic.

bsonposh · ‎12-06-2017

You can do something like this... I assume the REST TA provides some data back as to endpoint used.

| eval my_tag = case(<source_endpoint>,"api_1")

Actually, if that works you can likely just create a Splunk TAG for it. https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Tagsconf

REST API Modular Input: How to add an arbitrary field to results to identify the source for that data input?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation