All Apps and Add-ons

Splunk stream forwarder : client side configuration to intercept loaded jsons ?

New Member

Hello fellow splunkers !

Problem : using an internal wbesite of the company I'm working for, I have to check several values in a webpage to take a decision. All of them are loaded trough json, while I'm browsing. Manual check is quite long, and i'm trying to automate it.

Solution I came up with :

I'm trying to use splunk, with the app splunk stream installed to catch json answers from the website, using a forwarder installed on the client side (windows, navigating with firefox). The aim is to catch json answers loaded by the client while the user (Me) is browsing on a specific website. jsons are loaded depending on user actions on the website (probably loaded by a java or flash app). I can see them loaded in the firefox Network console (Json answers, XHR)

I don't want to change the way jsons are loaded. I'm not trying to change them on-the-fly. I just want to be able to index them, to read them, and use them in a real time dashboard, in a "complex spl dashboard".

Troubles :

I have installed the splunk stream app, and enabled the http collector. I can see data indexed, based on websites browsed, using this request :

index=* source=stream:* _raw=*target_website* source="stream:http"

But in all lines, I can't find a sign of the jsons I'm looking for. I'm a sysadmin, I'm not a http client/server specialist. I Think I'm missing something here.

I have all rights on the client side computer, but I can't touch anything on the webserver, neither in the webapp ...
I'm thinking the setup a local proxy, and index the "proxied" jsons ...
Any solution will do. Performance is not the aim. Any help would be greatly appreciated.

Thank you for reading.

0 Karma