Re: Trouble shoot - REST API modular input doesn't...

tamduong16 · ‎03-13-2018

I'm setting up REST API to index Json to splunk but for some reasons, it doesn't index anything to splunk at all. I have tried to set the response type to all of the formats in the list, also change the response handler class to JSONArrayHandler & default Handler and still couldn't get it to work. For the purpose of debuging it, I check the box to index error responses and still get nothing. I tried to use Postman to make an api call to it and receive a json file. What did I do wrong? Thank you!

anjambha · ‎03-15-2018

Hi tamduong16,

Refer this you will get some idea..

trylog.php :

<?php
    $data = '{"received":"2018-02-01 19:58:36","ipaddress":"127.0.01","response_text":"To know more about this rest api"}';

  $usr = "admin";
  $psw = "password";
  $username = '$_REQUEST[username]';
  $password = '$_REQUEST[password]';
  //$usr == $username && $psw == $password
  //print_r($_REQUEST); 
  session_start();
  if ($_SESSION['login']==true || ($_REQUEST['username']=="admin" && $_REQUEST['password']=="password")) {
    print $data;
    $_SESSION['login']=true;
    }else {
      echo "incorrect login";
    }
    ?>

Rest-api-modular-input configuration :

Endpoint URL * : http://localhost/trylog.php
URL Arguments : username=admin,password=password
Polling Interval : 10

Damien_Dallimor · ‎03-14-2018

Any error logs ?

Search index=_internal error rest.py

tamduong16 · ‎03-15-2018

HI Damien, Here is the error:

03-14-2018 23:44:33.428 -0500 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\rest_ta\bin\rest.py"" Exception performing request: HTTPSConnectionPool(host='reqres.in', port=443): Max retries exceeded with url: /api/users?page=2 (Caused by : [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond)

I used postman to make this request and it works fine. I don't know what I did wrong in splunk. Thanks for the help!

Damien_Dallimor · ‎03-15-2018

That would therefore imply that your REST configuration is possibly wrong.

Share your postman and splunk rest configs for comparison.

tamduong16 · ‎03-16-2018

Where can i find splunk rest configs?

Damien_Dallimor · ‎03-17-2018

it will get written to a [rest] stanza in an inputs.conf file somewhere , so just search for it.

tamduong16 · ‎03-19-2018

[rest://Vbrick api/v1/user/login]
auth_type = none
endpoint = https://xxxxxxx.rev.vbrick.com/api/v1/user/login?username=abc&password=def
http_method = POST
index = vbrickreport
index_error_response_codes = 1
response_type = text
sequential_mode = 0
sourcetype = _json
streaming_request = 1
url_args =
response_handler = JSONArrayHandler
disabled = 1

I tried the same with default response handler but still don't have data in

tamduong16 · ‎03-13-2018

I'm running python 3 on my computer. Could this be the reason to my problem?

anjambha · ‎03-14-2018

Can you share sample API output data and configuration details.

tamduong16 · ‎03-14-2018

Hi, here are the input and output data from the api call.
POST /api/v1/user/login

request parameters:
{
"username" : "john.smith",
"password": "Password123"
}

Request response:

{
"token": "T9-GJqSH7dQSBqcUUVP0la6IHEyc9cR00Mj2ysD_fPwdKv0JMOcsJ9Sf2jR8nSvwgRgaZasExlH1xd5-XeqmUg2",
"issuer": "VBrick",
"expiration": "2017-08-31T15:00:10.599Z",
"email": "john.smith@abc.com",
"id": "5b8f0285-7627-4ee7-b67b-e2e9e8944279",
"username": "john.smith",
"firstName": "John",
"lastName": "Smith",
"language": "English"
}

Trouble shoot - REST API modular input doesn't index json output

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk