
Splunk REST API returns multiple JSON records - can we force it to send them as a list?

HemanthShekar
New Member

Hi,

I am trying to use the Splunk REST API to fetch the logs to do some dashboarding in our external application.

There will be a Java middleware that will call these APIs, and the response will be parsed by the UI. But when I call the Splunk REST API it returns multiple JSON records, not a list: just separate JSON records. It will be troublesome to parse as it is not a list. How do we make sure the response from the Splunk REST API is just one valid JSON document that can be parsed?

The screenshot shows the query and response from Postman. How do we get a single JSON response from Splunk that has these JSON results as a list that can be parsed easily by a program?

[Screenshot: splunk-respose-rest-api.png]


2MuchC0ff33
Explorer

To specify the response format, use the output_mode parameter in your REST API call. When you set it to json, the response is returned as a single JSON object that can be easily parsed. Here's an illustration:

https://<host>:<port>/services/search/jobs/export?output_mode=json&search=<search query>

Replace <host> and <port> with the values for your Splunk instance, and <search query> with your desired search query.


HemanthShekar
New Member

It's already used as part of request parameters. 

We are getting output in JSON format. It's just that we are getting multiple records: one record for each status code, and each is a separate document, not part of a JSON list.


2MuchC0ff33
Explorer

In that case, @HemanthShekar, you must modify your Splunk search query to return the results as a single JSON object. Use the stats command to aggregate the results and return them as a single JSON object in your search query.

Here's an example:

GET /services/search/jobs/export?output_mode=json&search=search+index%3D*+earliest%3D-24h%40h+latest%3Dnow+|+stats+values(status_code)+by+status_code&count=1000

This will return the count of each status code value as a single JSON object, which your Java middleware can quickly parse. You can modify the search query to meet your specific needs.

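Neither reply above names the format the poster is seeing, so here is what the export endpoint actually returns and how to fold it into a list. With output_mode=json, /services/search/jobs/export streams newline-delimited JSON: one JSON object per line, each wrapping a row under "result" together with "preview", "offset" and, on the final line, "lastrow". That holds regardless of the search, so piping into stats as in the second reply still yields one line per row. The non-streaming alternative is to create a job (POST /services/search/jobs, which returns a sid) and then GET /services/search/jobs/<sid>/results?output_mode=json, which returns a single object whose "results" key is already a list. The Python helper below is an added example, not code from this thread or from Splunk; both sample bodies are constructed (envelope field names are Splunk's, the row values are made up), and a Java middleware would do the same with any JSON library.

```python
"""Fold Splunk's streamed JSON search results into one list.

Added example for this thread; not code from Splunk or from the posters.
The /export endpoint emits one JSON envelope per line; the /results
endpoint returns one object with a "results" list. Both are handled.
"""
import json
from typing import Any, Dict, List

# Constructed sample of an /export body. Note the preview envelope that
# precedes the final rows and the trailing newline at the end of the stream.
SAMPLE_EXPORT_BODY = (
    '{"preview":true,"offset":0,"result":{"status_code":"200","count":"9"}}\n'
    '{"preview":false,"offset":0,"result":{"status_code":"200","count":"15"}}\n'
    '{"preview":false,"offset":1,"result":{"status_code":"404","count":"3"}}\n'
    '{"preview":false,"offset":2,"lastrow":true,'
    '"result":{"status_code":"500","count":"1"}}\n'
)

# Constructed sample of a /results?output_mode=json body for the same search.
SAMPLE_RESULTS_BODY = json.dumps({
    "preview": False,
    "init_offset": 0,
    "messages": [],
    "fields": [{"name": "status_code"}, {"name": "count"}],
    "results": [
        {"status_code": "200", "count": "15"},
        {"status_code": "404", "count": "3"},
        {"status_code": "500", "count": "1"},
    ],
})


def parse_export_stream(body: str, keep_preview: bool = False) -> List[Dict[str, Any]]:
    """Parse newline-delimited export output into a list of result rows.

    Preview envelopes carry partial rows emitted while the search is still
    running; a dashboard wants the final rows, so they are dropped by default.
    A non-JSON line raises instead of being skipped, so a truncated body or an
    HTML error page is never mistaken for an empty result set.
    """
    rows: List[Dict[str, Any]] = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            envelope = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} of export body is not JSON: {exc}") from None
        if not isinstance(envelope, dict):
            raise ValueError(f"line {lineno} of export body is not a JSON object")
        if envelope.get("preview") and not keep_preview:
            continue
        result = envelope.get("result")
        if isinstance(result, dict):
            rows.append(result)
    return rows


def splunk_rows(body: str) -> List[Dict[str, Any]]:
    """Return the rows from either endpoint's body as one list.

    A /results body parses as a single JSON object with a "results" list.
    A multi-line export stream fails to parse as one document ("Extra data"),
    so it falls through to the line-by-line parser. Detection is by shape, so
    the middleware can switch endpoints without changing the UI contract.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = None
    if isinstance(doc, dict) and isinstance(doc.get("results"), list):
        return [row for row in doc["results"] if isinstance(row, dict)]
    return parse_export_stream(body)


def to_json_array(body: str) -> str:
    """Serialise the rows as one compact JSON array for the UI to consume."""
    return json.dumps(splunk_rows(body), separators=(",", ":"))


if __name__ == "__main__":
    print(to_json_array(SAMPLE_EXPORT_BODY))
    print(to_json_array(SAMPLE_RESULTS_BODY))
```

Two points for the middleware itself, beyond the parsing. First, build the search parameter server-side from a fixed template with validated values; never splice text that came from the UI into it, because a Splunk search string can pipe into commands that write or send data, and the search runs with whatever capabilities the calling account has. Second, call the API with a token for a least-privileged service account rather than an admin login, and keep TLS certificate verification enabled in the middleware even if it was switched off in Postman while experimenting.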