REST API Modular Input

preben12
Communicator

I'm calling a remote HTTP endpoint that returns XML in the form of

<AdaptersStatus xmlns="http://xx.xx/xxxx/services/monitoring">
   <Status>ERROR</Status>
   <Timestamp>2013-11-14T13:33:48</Timestamp>
   <MonitoredAdapterStatus>
      <Status>
         <Timestamp>2013-11-14T13:33:47</Timestamp>
         <ApplicationStatus>OK</ApplicationStatus>
         <ApplicationVersion>1.0.19</ApplicationVersion>
         <MonitoredRessources>
            <DisplayName>Route monitor :: audit-trail-Route</DisplayName>
            <Status>OK</Status>
         </MonitoredRessources>
         <MonitoredRessources>
             <DisplayName>Route monitor :: bam-route</DisplayName>
             <Status>OK</Status>
         </MonitoredRessources>
     </Status>
     <Configuration>
        <URL>http://xxxxxx:7003/audit-trail/status</URL>
        <AdapterName>audit-trail</AdapterName>
     </Configuration>
  </MonitoredAdapterStatus> 
</AdaptersStatus>

I'm actually only interested in indexing the first field and the field, in this case ERROR, 2013-11-14Tx, and a sourcetype that indicates what rest service has been called.

I figured out that if I do = | rex "(?i)<.*?>(?P\w+)(?=<)" I will get a Key value of the Status field, but how can I make rest_ta index that, and discard the rest of the XML response?

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

The REST API Modular Input is generic, i.e. it can be used against any HTTP REST endpoint. So it has the ability to plug in custom response handlers for any custom pre-processing or formatting of your response data.

To do this you add a custom response handler class to etc/apps/rest_ta/bin/responsehandlers.py and in the stanza setup declare that this handler should be applied.

So you could write a handler to just strip out and index the elements you are interested in.

Very quick rough code:

class MyCustomResponseHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):

        from xml.dom import minidom

        # Parse the XML body returned by the endpoint
        dom = minidom.parseString(raw_response_output)

        # Matches come back in document order, so index 0 is the
        # top-level <Status> / <Timestamp> element
        status = dom.getElementsByTagName('Status')
        timestamp = dom.getElementsByTagName('Timestamp')

        # Build a key=value event from just those two values
        processed_response_output = 'status='+status[0].firstChild.nodeValue+' timestamp='+timestamp[0].firstChild.nodeValue

        # Emit the reduced event instead of the full XML response
        print_xml_stream(processed_response_output)
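
A hardened variant of the handler above, as an added example that is not part of the original answer or of the rest_ta code. It reads only the root-level Status and Timestamp, refuses any DOCTYPE, and validates both values before building the event. The names extract_status_event, StatusOnlyHandler and WANTED are hypothetical, and the allowed value patterns are assumptions based on the sample response in the question.

```python
import re
import xml.parsers.expat

# Allowed value shapes: an assumption based on the sample response in the question.
WANTED = {"Status": re.compile(r"[A-Za-z_]{1,32}"),
          "Timestamp": re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")}

def extract_status_event(raw_xml):
    """Return 'status=X timestamp=Y' from the root-level elements, or None."""
    path, found, closed = [], {}, set()

    def reject_doctype(*_args):
        # No DTD means no entity definitions, so no entity expansion or external entities.
        raise ValueError("DOCTYPE not allowed")

    def end(name):
        if len(path) == 2:
            closed.add(name)
        path.pop()

    def chars(data):
        # Keep text directly inside the first root-level <Status>/<Timestamp> only.
        if len(path) == 2 and path[1] in WANTED and path[1] not in closed:
            found[path[1]] = found.get(path[1], "") + data

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, _attrs: path.append(name)
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(raw_xml, True)
    except (ValueError, xml.parsers.expat.ExpatError):
        return None
    values = {k: found.get(k, "").strip() for k in WANTED}
    # Strict validation keeps a misbehaving endpoint from injecting extra
    # key=value pairs or line breaks into the indexed event.
    if not all(WANTED[k].fullmatch(v) for k, v in values.items()):
        return None
    return "status=" + values["Status"] + " timestamp=" + values["Timestamp"]

class StatusOnlyHandler:  # hypothetical name; same call signature as the answer's handler
    def __init__(self, **args):
        pass
    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        event = extract_status_event(raw_response_output)
        if event is not None:
            # print_xml_stream is the helper the answer calls (assumed in scope in responsehandlers.py)
            print_xml_stream(event)
```

Responses that fail parsing or validation are dropped rather than indexed.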

Damien_Dallimor
Ultra Champion

Cool, not bad for untested code 🙂

0 Karma

preben12
Communicator

whoa - works like a charm 🙂

0 Karma

preben12
Communicator

Thanks Damien
I'll give your suggestions a try.

0 Karma