All Apps and Add-ons

Why does configuring a Response Handler in the REST API Modular Input break polling?

mlcooper7
New Member

I am trying to ingest some JSON from a REST endpoint that is an array in the form:
alt text

My goal is to make each element in the array a separate event in Splunk.

When I configure the REST API Modular Input endpoint with JSONArrayHandler for the Response Handler, it seems that polling breaks. I tail -f /opt/splunk/var/log/splunk/splunkd.log but it does not seem to ever poll. If I remove JSONArrayHandler from the Response Handler configuration, it does poll.

Config:
alt text

I am using https://splunkbase.splunk.com/app/1546/ version 1.4 and splunk enterprise 6.5.1.

Why does polling stop if I configure JSONArrayHandler for the Response Handler?

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

Have you tried creating your own custom handler that is actually specific to your JSON format ?

View solution in original post

Damien_Dallimor
Ultra Champion

Have you tried creating your own custom handler that is actually specific to your JSON format ?

mlcooper7
New Member

I have not, no. I was under the impression that JSONArrayHandler would perhaps automatically make each item in the array a separate event in splunk. I read through the code for it, but unfortunately I can only read so much python. I could perhaps devise one if I saw an example of some JSON with its custom handler. I could probably manipulate it to fit the format of the JSON I'm working with.

0 Karma

mlcooper7
New Member

I'm not able to share my JSON due to its somewhat sensitive nature, however the FlightInfo example looks like it might sort of translate to the format of my JSON.

https://answers.splunk.com/answers/240659/how-to-troubleshoot-why-rest-api-modular-input-sto.html

0 Karma

mlcooper7
New Member

That worked! Each of the elements in my JSON is now a separate event in splunk. Thanks!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...