REST API Modular Input: Is there a way to have a REST API call retrieve only new events, not all data?

theouhuios
Motivator

Hello

I am new to writing REST API calls, so please pardon my ignorance if it's really simple. I wrote a REST API call which talks to Cloudera and gets the events. This part works fine. The issue is that it polls every 60 sec (default), as I am using the REST API Modular Input, and it pulls all data instead of getting just the new events which happened.

Is there a way to tell a REST API call to get only new events? I know that I can have the time in the URL argument, which will then keep data limited to only that time, but how do I dynamically change that date-time value so that it automatically pulls newer data?

1 Solution

martin_mueller
SplunkTrust

If you're on version 1.3.5 then the date token used in the URL should update itself for every call. If you need more tokens you can add them yourself.

martin_mueller
SplunkTrust

Does that answer your original question?

0 Karma

theouhuios
Motivator

Yup. Thanks, Martin.

0 Karma

martin_mueller
SplunkTrust

You could set up a transforms.conf rule that routes empty events to the nullQueue.

theouhuios
Motivator

Yeah, did the same. I was thinking if I could do it in the input itself, but since that didn't work, I used the transforms.

0 Karma

theouhuios
Motivator

When I place a datetime as a token, it gets empty events, which is actually right. But is it possible to not index the JSON data if there is no value in the items?

0 Karma

martin_mueller
SplunkTrust

The example token only gives you the date, but you can add any tokens to the app you need.

0 Karma

theouhuios
Motivator

But it only gets the date but not the time, right? Each time it runs, it's getting everything for today instead of getting only the changes which happened.

0 Karma
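
The thread's suggestion of adding your own token, sketched as an added example that is not code from any poster or from the REST API Modular Input app: a token that returns the time of the previous poll and checkpoints the current one, so each call asks only for the window since the last. It assumes a custom token is a Python function whose return value is substituted into the URL on every poll; the function name `sincelastpoll`, the checkpoint file, the timestamp format, and the endpoint URL with its `from` parameter are all hypothetical.

```python
import json
import os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format; match what the polled API expects


def sincelastpoll(state_path, now=None, first_lookback=timedelta(seconds=60)):
    """Return the previous poll time (UTC) and move the checkpoint forward to `now`.

    Hypothetical token function: the returned string is what would replace the
    token in the endpoint URL, so each poll only asks for the window since the last.
    """
    now = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    try:
        with open(state_path) as fh:
            saved = json.load(fh)["last_poll"]
        start = datetime.strptime(saved, FMT).replace(tzinfo=timezone.utc)
    except (OSError, ValueError, KeyError, TypeError):
        # First run, or unreadable/corrupt checkpoint: fall back to one interval.
        start = now - first_lookback
    if start > now:
        # Checkpoint lies in the future (clock stepped back): avoid an empty window.
        start = now - first_lookback
    # Write the new checkpoint atomically so a crash cannot leave a half-written file.
    tmp_path = state_path + ".tmp"
    with open(tmp_path, "w") as fh:
        json.dump({"last_poll": now.strftime(FMT)}, fh)
    os.replace(tmp_path, state_path)
    return start.strftime(FMT)


def build_url(template, state_path, now=None):
    """Substitute the $sincelastpoll$ token into a URL template (constructed example)."""
    return template.replace("$sincelastpoll$", sincelastpoll(state_path, now))


if __name__ == "__main__":
    import tempfile
    # Constructed endpoint and parameter name; not taken from the thread.
    template = "https://cm.example.invalid/api/events?from=$sincelastpoll$"
    state = os.path.join(tempfile.mkdtemp(), "rest_poll_checkpoint.json")
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    for i in range(3):
        print(build_url(template, state, t0 + timedelta(seconds=60 * i)))
```

Because the checkpoint advances when the URL is built, a poll whose HTTP request then fails leaves a gap in the collected events. If that matters for your data, widen the window with a small overlap and deduplicate at search time.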