All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why does configuring a Response Handler in the REST API Modular Input break polling?

mlcooper7
New Member
‎12-10-2016 10:23 AM

I am trying to ingest some JSON from a REST endpoint that is an array in the form:
alt text

My goal is to make each element in the array a separate event in Splunk.

When I configure the REST API Modular Input endpoint with JSONArrayHandler for the Response Handler, it seems that polling breaks. I tail -f /opt/splunk/var/log/splunk/splunkd.log but it does not seem to ever poll. If I remove JSONArrayHandler from the Response Handler configuration, it does poll.

Config:
alt text

I am using https://splunkbase.splunk.com/app/1546/ version 1.4 and splunk enterprise 6.5.1.

Why does polling stop if I configure JSONArrayHandler for the Response Handler?

Preview file
18 KB
Preview file
5 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎12-10-2016 06:37 PM

Have you tried creating your own custom handler that is actually specific to your JSON format ?

View solution in original post

Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎12-10-2016 06:37 PM

Have you tried creating your own custom handler that is actually specific to your JSON format ?

Reply
Solved! Jump to solution

mlcooper7
New Member
‎12-10-2016 06:51 PM

I have not, no. I was under the impression that JSONArrayHandler would perhaps automatically make each item in the array a separate event in splunk. I read through the code for it, but unfortunately I can only read so much python. I could perhaps devise one if I saw an example of some JSON with its custom handler. I could probably manipulate it to fit the format of the JSON I'm working with.

0 Karma
Reply
Solved! Jump to solution

mlcooper7
New Member
‎12-10-2016 06:56 PM

I'm not able to share my JSON due to its somewhat sensitive nature, however the FlightInfo example looks like it might sort of translate to the format of my JSON.

https://answers.splunk.com/answers/240659/how-to-troubleshoot-why-rest-api-modular-input-sto.html

0 Karma
Reply
Solved! Jump to solution

mlcooper7
New Member
‎12-10-2016 07:11 PM

That worked! Each of the elements in my JSON is now a separate event in splunk. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...