All Apps and Add-ons

REST API Modular Input issues after upgrading


This is affecting one of our HF that we use to do ingest external data via scripts, vendor provided apps and REST API polls.   For the REST API part we use the REST API Modular Input app (  The REST inputs works without any issues when we were at Splunk Enterprise 7.1.3.

After upgrade SE to 8.1.1 and the rest_ta app to 2.0.1 last weekend, none of the scheduled REST inputs worked.   Problem is, this only happens on this server.   The REST inputs still work on a separate, dev server that was also upgraded to SE 8.1.1 and rest_ta 2.0.1. 

I see the following set of error events in splunkd.log but they only show up when I make a change to any of the REST inputs, like changing the cron schedule to force it to run at the next minute.


 Exception in thread Thread-1:
 Traceback (most recent call last):
   File "/opt/splunk/lib/python3.7/", line 926, in _bootstrap_inner
   File "/opt/splunk/lib/python3.7/", line 870, in run
     self._target(*self._args, **self._kwargs)
   File "/opt/splunk/etc/apps/rest_ta/bin/", line 447, in do_run
     endpoint_list[i] = endpoint.replace(replace_key,c['clear_password'])
   File "/opt/splunk/lib/python3.7/site-packages/splunk/", line 574, in __getitem__
 KeyError: 'clear_password'


 I do not see any errors at the times when the cron schedules's supposed to execute the API calls.   So it feels like the rest_ta app itself just quit working.  Honestly, I'm a bit lost trying to interpret the errors.  Anyone have seen something similar, or have any tips on how to resolve this?

I tried removing the app completely, restart splunkd then reinstall and reconfigure rest_ta 2.0.1 from scratch.  Still none of the scheduled jobs run.  The same errors still only show up after I modified one of the REST inputs.  

Here's one of the several REST inputs configured.   They're all identical in that I'm only using the bundled "JSONArrayHandler" response_handler to process the returning JSON data from Infoblox.  It's not customized in any way.


 activation_key = --snip--
 auth_password = {encrypted:splunk_svc_user}
 auth_type = basic
 auth_user = splunk_svc_user
 delimiter = :
 endpoint = https://a.b.c.d/wapi/v2.6.1/network?_max_results=15000
 host = a.b.c.d
 http_method = GET
 index = infoblox
 index_error_response_codes = 1
 log_level = INFO
 polling_interval = 3 * * * *
 request_timeout = 60
 response_handler = JSONArrayHandler
 response_type = json
 sequential_mode = 0
 sourcetype = infoblox:api:network
 streaming_request = 0



Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...