All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk REST API JSON Parsing

thufirtan
Engager
‎08-26-2013 08:05 PM

Hi, I am querying a REST API which returns JSON data. The JSON contains multiple results which I would like to break up into events. The metadata provides general information about the API call. Please advise on how I can do this? I am not interested in the metadata information but just want the results broken down as events to index. Thanks!

{"_metadata":[{"totalCount":9940102,"count":5,"limit":5,"offset":0,"status":"ok"}],"results":[{ "_id" : "1", "type":"apple"}, {"_id" : "2", "type":"banana"}, "_id":"3", "type":"apple"}]}

0 Karma
Reply

rturk
Builder
‎08-26-2013 08:29 PM

Hi Thufirtan,

Splunk recognises JSON natively. Taking your sample event (and putting an opening brace '{' before the last result declaration) I am able to search and report on the events:

Sample event:

{"_metadata":[{"totalCount":9940102,"count":5,"limit":5,"offset":0,"status":"ok"}],"results":[{ "_id" : "1", "type":"apple"}, {"_id" : "2", "type":"banana"}, {"_id":"3", "type":"apple"}]}

Search:

source="json_sample.txt" | rename results{}._id AS id, results{}.type AS type | stats count by type

Results:

alt text

Now let's say you have multiple events, and a timestamp in the returned response.

Sample Events:

{"_metadata":[{"timestamp":1377581422,"totalCount":9940102,"count":5,"limit":5,"offset":0,"status":"ok"],"results":[{"_id" : "1", "type":"apple"},{ "_id" : "2", "type":"banana"},{ "_id":"3","type":"apple"}]}

{"_metadata":[{"timestamp":1377581622,"totalCount":9566547,"count":6,"limit":6,"offset":0,"status":"ok"],"results":[{"_id" : "4", "type":"apple"},{ "_id" : "5", "type":"banana"},{ "_id":"6","type":"apple"}]}

By setting up your props.conf, you should be able to parse this automatically:

props.conf

[fruity_json]
BREAK_ONLY_BEFORE=^{
SHOULD_LINEMERGE=true
TIME_FORMAT=$s
TIME_PREFIX="timestamp":

This will give you two distinct events and reliably extract the timestamp 🙂 I believe this would be considered best practice for defining events in Splunk.

References:
Index Multiline Events, spath (JSON field extraction). props.conf

This probably won't address all of your follow up questions, but has hopefully put you on the right track 🙂

Reply

rturk
Builder
‎08-28-2013 07:17 AM

If this has answered your question, please be sure to mark it as answered so people with similar issues can find the solution as well 🙂

0 Karma
Reply

rturk
Builder
‎08-27-2013 05:27 AM

Hi thufirtan - I've edited the answer to address this question for you.

0 Karma
Reply

thufirtan
Engager
‎08-26-2013 10:28 PM

hi, that sort of works. how about if one of the fields is a timestamp as well? is there a way to split up the records before indexing or is this the best method? thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Louisiana State University (LSU) is shaping the next generation of cybersecurity professionals through its ...

Splunk and Fraud

Join us on November 13 at 11 am PT / 2 pm ET!Join us for an insightful webinar where we delve into the ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...