
Troubleshoot - REST API modular input doesn't index JSON output

Contributor

I'm setting up REST API to index JSON into Splunk, but for some reason it doesn't index anything into Splunk at all. I have tried setting the response type to each of the formats in the list, and also changed the response handler class to JSONArrayHandler and the default handler, and still couldn't get it to work. For the purpose of debugging it, I checked the box to index error responses and still get nothing. I tried using Postman to make an API call to it and received a JSON file. What did I do wrong? Thank you!

0 Karma

Communicator

Hi tamduong16,

Refer to this and you will get some idea.

trylog.php :

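<?php
  // Sample JSON document returned to an authenticated caller
  $data = '{"received":"2018-02-01 19:58:36","ipaddress":"127.0.01","response_text":"To know more about this rest api"}';

  // Demo credentials, hard-coded for this test endpoint only
  $usr = "admin";
  $psw = "password";

  // Credentials supplied by the caller (the URL arguments of the modular input)
  $username = isset($_REQUEST['username']) ? $_REQUEST['username'] : '';
  $password = isset($_REQUEST['password']) ? $_REQUEST['password'] : '';

  session_start();

  // Serve the data if the session is already logged in or the credentials match
  if (!empty($_SESSION['login']) || ($username === $usr && $password === $psw)) {
    print $data;
    $_SESSION['login'] = true;
  } else {
    echo "incorrect login";
  }
?>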

Rest-api-modular-input configuration :

Endpoint URL * : http://localhost/trylog.php
URL Arguments : username=admin,password=password
Polling Interval : 10
0 Karma

Ultra Champion

Any error logs?

Search index=_internal error rest.py

0 Karma

Contributor

Hi Damien, here is the error:

03-14-2018 23:44:33.428 -0500 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\rest_ta\bin\rest.py"" Exception performing request: HTTPSConnectionPool(host='reqres.in', port=443): Max retries exceeded with url: /api/users?page=2 (Caused by : [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond)

I used Postman to make this request and it works fine. I don't know what I did wrong in Splunk. Thanks for the help!

0 Karma

Ultra Champion

That would therefore imply that your REST configuration is possibly wrong.

Share your Postman and Splunk REST configs for comparison.

0 Karma

Contributor

Where can I find the Splunk REST configs?

0 Karma

Ultra Champion

It will get written to a [rest] stanza in an inputs.conf file somewhere, so just search for it.

0 Karma

Contributor

[rest://Vbrick api/v1/user/login]
auth_type = none
endpoint = https://xxxxxxx.rev.vbrick.com/api/v1/user/login?username=abc&password=def
http_method = POST
index = vbrickreport
index_error_response_codes = 1
response_type = text
sequential_mode = 0
sourcetype = _json
streaming_request = 1
url_args =
response_handler = JSONArrayHandler
disabled = 1

I tried the same with default response handler but still don't have data in

0 Karma
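An added example, not part of the thread and not code from the REST API Modular Input project: a small Python check that reads `[rest://...]` stanzas like the ones shown in this thread and reports settings worth reviewing, namely `disabled = 1`, a cleartext `http` endpoint, and credentials carried in the endpoint query string or in `url_args`. The function name `lint_rest_stanzas`, the list of sensitive parameter names and the placeholder host are assumptions of this example; the sample stanza is constructed.

```python
import configparser
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secrets (assumed list for this example)
SENSITIVE = {"password", "passwd", "pwd", "token", "apikey", "api_key", "secret"}

# Constructed stanza modelled on the one in the thread; host and values are placeholders
SAMPLE = """
[rest://Vbrick api/v1/user/login]
auth_type = none
endpoint = https://example.invalid/api/v1/user/login?username=abc&password=def
http_method = POST
index_error_response_codes = 1
url_args =
disabled = 1
"""

def lint_rest_stanzas(conf_text):
    """Return a list of (stanza, finding) tuples for every [rest://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("rest://"):
            continue
        s = cp[name]
        # A disabled input is never scheduled, so nothing is requested or indexed
        if s.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append((name, "input is disabled"))
        url = urlsplit(s.get("endpoint", ""))
        if url.scheme == "http":
            findings.append((name, "endpoint uses cleartext http"))
        # Query parameters of the endpoint plus the comma-separated url_args
        params = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
        params += [p.split("=", 1)[0].strip()
                   for p in s.get("url_args", "").split(",") if p.strip()]
        for key in params:
            if key.lower() in SENSITIVE:
                findings.append((name, f"secret '{key}' passed in the URL"))
    return findings

if __name__ == "__main__":
    for stanza, finding in lint_rest_stanzas(SAMPLE):
        print(f"[{stanza}] {finding}")
```

The error message quoted earlier in the thread shows the request URL, query string included, written to `_internal`, which is why parameters in the URL are flagged.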

Contributor

I'm running Python 3 on my computer. Could this be the reason for my problem?

0 Karma

Communicator

Can you share sample API output data and configuration details?

0 Karma

Contributor

Hi, here are the input and output data from the API call.
POST /api/v1/user/login

request parameters:
{
"username" : "john.smith",
"password": "Password123"
}

Request response:

{
"token": "T9-GJqSH7dQSBqcUUVP0la6IHEyc9cR00Mj2ysD_fPwdKv0JMOcsJ9Sf2jR8nSvwgRgaZasExlH1xd5-XeqmUg2",
"issuer": "VBrick",
"expiration": "2017-08-31T15:00:10.599Z",
"email": "john.smith@abc.com",
"id": "5b8f0285-7627-4ee7-b67b-e2e9e8944279",
"username": "john.smith",
"firstName": "John",
"lastName": "Smith",
"language": "English"
}

0 Karma