All Apps and Add-ons
Highlighted

REST API Modular Input: How to add an arbitrary field to results to identify the source for that data input?

New Member

I am using the REST API Modular Input ( https://apps.splunk.com/apps/id/rest_ta ) to pull data from an API which outputs CSV data.

I need to do this for various different sources using the same REST API and I need to "tag" the data as which source it is coming from. Is there a way to add an arbitrary field to the results which identifies the source for that data input?

0 Karma
Highlighted

Re: REST API Modular Input: How to add an arbitrary field to results to identify the source for that data input?

Communicator

You can do something like this... I assume the REST TA provides some data back as to endpoint used.

| eval my_tag = case(<source_endpoint>,"api_1")

Actually, if that works you can likely just create a Splunk TAG for it. https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Tagsconf

0 Karma
Highlighted

Re: REST API Modular Input: How to add an arbitrary field to results to identify the source for that data input?

Ultra Champion

You should use the sourcetype field for this when you set up your REST stanzas.

Trivial example , parent stanza with shared config fields with 2 child stanzas each with their own sourcetype.

[rest]
index=main

[rest://foo]
sourcetype=abc
...

[rest://goo]
sourcetype=def
...

Or if you can't do that then you should use a custom response handler in the REST TA. to dynamically determine what additional "tag" field to add to the event.

Loads of examples in rest_ta/bin/responsehandlers.py for this pre-processing approach using python code

Or , you could also add fields at index time. , but you'll be limited in what you can achieve to regex based logic.