Re: Splunk Add-on Builder Checkpoint issues

guarisma · ‎07-17-2019

Hello,

I'm creating a REST input for my Add-on, the REST call goes like this

https://api.domain.com/get/me/logs?oldest=<date+time in epoch (secs)>

My Events look something like this:

  {"events": [  { "date": 1561939200, "id": "1234-6678-09982", "data": "Someone did something to this setting"},  { "date": 1561939100, "id": "1234-6678-09982", "data": "Someone else did something to this other setting"}, {...}]}

So my checkpoint path is events[0].date since the first event in the array is the latest one.

I set the interval for 300 sec (5 min)

But when ever the Script runs again, it repeats the last event and grab the new ones after, in that example I would find { "date": 1561939200, "id": "1234-6678-09982", "data": "Someone did something to this setting"} twice in Splunk.

How can I make it increment so it won't index the last event again?

ArtiParty · ‎01-25-2025

I'm having the same issues, any resolution?

marnall · ‎01-25-2025

Can you increment the checkpoint number by one before saving it using the helper functions in the add-on builder? This should prevent it from getting the last event multiple times when there are no new events after the last checkpoint.

Splunk Add-on Builder Checkpoint issues

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

Splunk Add-on Builder Checkpoint issues

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside