Solved: Re: REST API Modular Input: How to break a single ...

macadminrohit · ‎12-09-2016

Hi,

We are using REST API Modular Input to query the data for some open source monitoring tool. The output contains data for a group of servers visible in the output. We want to break this JSON output into multiple events per each server so that we can create dashboards easily.

{ [-] 
    id: 1  
    jsonrpc: 2.0  
    result: [ [-] 
      { [-] 
        hostid: 12110  
        hosts: [ [-] 
          { [-] 
            host: VDCQAPERFLOS01  
            hostid: 12110  
            name: VDCQAPERFLOS01   
          }  
        ]  
        itemid: 214397  
        key_: perf_counter[\Processor(_Total)\% Processor Time]  
        lastvalue: 2.8321  
        name: CPU Capacity - Processor Time   
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+] 
      } 
      { [+]

In the above output, I expanded the result for one of the servers. So, for each server, I need a different event. Any help is highly appreciated.

Damien_Dallimor · ‎12-10-2016

Create a custom response handler by adding it to rest_ta/bin/responsehandlers.py and declare it to be applied in your stanza setup.

There are many examples here for you to follow ie: https://github.com/damiendallimore/SplunkModularInputsPythonFramework/blob/master/implementations/re...

Rough example :

class YourCustomHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
        if response_type == "json":        
            output = json.loads(raw_response_output)
            for server in output["result"]:
                print_xml_stream(json.dumps(server))                      
        else:
            print_xml_stream(raw_response_output)

View solution in original post

Damien_Dallimor · ‎12-10-2016

Create a custom response handler by adding it to rest_ta/bin/responsehandlers.py and declare it to be applied in your stanza setup.

There are many examples here for you to follow ie: https://github.com/damiendallimore/SplunkModularInputsPythonFramework/blob/master/implementations/re...

Rough example :

class YourCustomHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
        if response_type == "json":        
            output = json.loads(raw_response_output)
            for server in output["result"]:
                print_xml_stream(json.dumps(server))                      
        else:
            print_xml_stream(raw_response_output)

macadminrohit · ‎12-12-2016

Thanks Damien, this is exactly what I am looking for. It worked perfectly fine.

REST API Modular Input: How to break a single JSON output into multiple events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation