All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REST API Modular Input: How to break a single JSON output into multiple events?

macadminrohit
Contributor
‎12-09-2016 01:30 PM

Hi,

We are using REST API Modular Input to query the data for some open source monitoring tool. The output contains data for a group of servers visible in the output. We want to break this JSON output into multiple events per each server so that we can create dashboards easily. 

{ [-] 
    id: 1  
    jsonrpc: 2.0  
    result: [ [-] 
      { [-] 
        hostid: 12110  
        hosts: [ [-] 
          { [-] 
            host: VDCQAPERFLOS01  
            hostid: 12110  
            name: VDCQAPERFLOS01   
          }  
        ]  
        itemid: 214397  
        key_: perf_counter[\Processor(_Total)\% Processor Time]  
        lastvalue: 2.8321  
        name: CPU Capacity - Processor Time   
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+]

In the above output, I expanded the result for one of the servers. So, for each server, I need a different event. Any help is highly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎12-10-2016 12:50 AM

Create a custom response handler by adding it to rest_ta/bin/responsehandlers.py and declare it to be applied in your stanza setup.

There are many examples here for you to follow ie: https://github.com/damiendallimore/SplunkModularInputsPythonFramework/blob/master/implementations/re...

Rough example :

class YourCustomHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
        if response_type == "json":        
            output = json.loads(raw_response_output)
            for server in output["result"]:
                print_xml_stream(json.dumps(server))                      
        else:
            print_xml_stream(raw_response_output)

alt text

View solution in original post

Preview file
51 KB
Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎12-10-2016 12:50 AM

Create a custom response handler by adding it to rest_ta/bin/responsehandlers.py and declare it to be applied in your stanza setup.

There are many examples here for you to follow ie: https://github.com/damiendallimore/SplunkModularInputsPythonFramework/blob/master/implementations/re...

Rough example :

class YourCustomHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
        if response_type == "json":        
            output = json.loads(raw_response_output)
            for server in output["result"]:
                print_xml_stream(json.dumps(server))                      
        else:
            print_xml_stream(raw_response_output)

alt text

Preview file
51 KB
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎12-12-2016 12:12 PM

Thanks Damien, this is exactly what I am looking for. It worked perfectly fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...