All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REST API Modular Input: Is there a way to have a REST API call retrieve only new events, not all data?

theouhuios
Motivator
‎11-25-2014 08:18 AM

Hello

I am new to writing Rest APi calls so please pardon my ignorance if its really simple. I wrote a rest api call which talks to cloudera and gets the events. This part works fine. The issue is it polls every 60sec( default) as I am using the Rest API Modular Input and it pulls all data instead of getting just the new events which happened.

Is there a way to tell a REST api call to get only new events? I know that I can have the time in the URL argument which will then keep data limited to only that time, but how to I dynamically change that date time value so that it automatically pulls newer data?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2014 10:12 AM

If you're on version 1.3.5 then the date token used in the URL should update itself for every call. If you need more tokens you can add them yourself.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2014 10:12 AM

If you're on version 1.3.5 then the date token used in the URL should update itself for every call. If you need more tokens you can add them yourself.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-04-2014 10:01 AM

Does that answer your original question?

0 Karma
Reply
Solved! Jump to solution

theouhuios
Motivator
‎12-04-2014 12:07 PM

Yup. Thanks Martin

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-03-2014 11:29 AM

You could set up a transforms.conf rule that routes empty events to the nullQueue.

Reply
Solved! Jump to solution

theouhuios
Motivator
‎12-04-2014 05:02 AM

Yeah, did the same. I was thinking if I could do it in the input itself, but since that didn't work used the transforms

0 Karma
Reply
Solved! Jump to solution

theouhuios
Motivator
‎12-03-2014 08:27 AM

When I place a datetime as a token it gets empty events which is actually right. But is it possible to not index the json data if there is no value in the items ?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2014 12:13 PM

The example token only gives you the date, but you can add any tokens to the app you need.

0 Karma
Reply
Solved! Jump to solution

theouhuios
Motivator
‎11-25-2014 12:06 PM

But it only gets the date but not the time right? Each time it runs its getting everything for today instead of getting only the changes which happened.

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...