Why is the REST API not breaking XML into multiple events or extracting fields?

bwindham
Path Finder

I know this topic has been addressed many times on here, but I cannot get my XML events to break properly. I am retrieving Cisco Prime devices via a REST API XML call. Designating the TA_cisco_ios addon as the App in REST, I just cannot get it broken into individual events. Splunk just shows 1 event, as seen in the attached XML file.

My props.conf under TA_cisco_ios looks like:
[cisco:ios]
 BREAK_ONLY_BEFORE=
 TRUNCATE=500000

My REST setup looks like this:

REST API Input: Cisco Prime Device Status   
Endpoint URL:  https://172.x.x.85/webacs/api/v3/data/Devices.xml?.full=true 
Authentication Type: basic  
Sourcetype:  cisco:ios
App:  TA-cisco_ios
Status:  Enabled

Thanks in advance! This is driving me crazy!

0 Karma

Damien_Dallimor
Ultra Champion

I use custom response handlers in the REST setup for pre-processing, and in this case, event splitting.

Add something like this to rest_ta/bin/responsehandlers.py (example only, tweak as need be):

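class XMLResponseHandler:

    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        from xml.etree import ElementTree

        # Parse the whole REST response once, then emit every <entity> child
        # of the root element as its own event.
        e = ElementTree.fromstring(raw_response_output)
        for entity in e.findall('entity'):
            # print_xml_stream is the output helper from responsehandlers.py
            print_xml_stream(ElementTree.tostring(entity).decode())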

And then declare it to be applied to your input:



0 Karma


bwindham
Path Finder

Thanks Damien... Using your sample and some luck, I created a PrimeHandler and at least have broken out the individual events now, but the fields were not being extracted. I put "KV_MODE = xml" in the sourcetype on the SH and at least I see the long field names now. May have to look at field extractions for that. Thanks for the help!

0 Karma
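An added example (not from the thread or the REST add-on's own code) that takes the per-`<entity>` split from the accepted answer one step further: each entity is flattened into a JSON event with short field names, so search-time extraction does not depend on long XML paths. The sample XML, the `devicesDTO` wrapper and the helper names `put`, `flatten` and `split_entities` are assumptions.

```python
import json
from xml.etree import ElementTree

# Constructed sample; the devicesDTO wrapper and its child tags are assumptions.
SAMPLE = """<queryResponse count="2">
  <entity><devicesDTO id="101">
    <deviceName>edge-sw-01</deviceName><ipAddress>192.0.2.10</ipAddress>
  </devicesDTO></entity>
  <entity><devicesDTO id="102">
    <deviceName>core-rtr-01</deviceName><ipAddress>192.0.2.20</ipAddress>
  </devicesDTO></entity>
</queryResponse>"""


def put(out, key, value):
    """Store value under key; a repeated key becomes a list (multivalue field)."""
    if key in out and not isinstance(out[key], list):
        out[key] = [out[key]]
    out[key] = out[key] + [value] if key in out else value


def flatten(elem, out, prefix=""):
    """Copy elem's attributes and its descendants' text into out as dotted keys."""
    for name, value in elem.attrib.items():
        put(out, prefix + name, value)
    for child in elem:
        text = (child.text or "").strip()
        if text:
            put(out, prefix + child.tag, text)
        flatten(child, out, prefix + child.tag + ".")


def split_entities(raw_xml):
    """Return one JSON string per <entity>; unparseable input is passed through."""
    try:
        root = ElementTree.fromstring(raw_xml)
    except ElementTree.ParseError:
        return [raw_xml]  # keep the data as a single event instead of dropping it
    events = []
    for entity in root.findall("entity"):
        fields = {}
        for dto in entity:  # wrapper element inside <entity>
            flatten(dto, fields)
        events.append(json.dumps(fields, sort_keys=True))
    return events


if __name__ == "__main__":
    for event in split_entities(SAMPLE):
        print(event)  # in the handler, pass each string to print_xml_stream()
```

With JSON events the sourcetype would use `KV_MODE = json` on the search head rather than `xml`.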

bwindham
Path Finder

The props.conf is not posting properly, but the attributes below are using entity as the break:
BREAK_ONLY_BEFORE
MUST_BREAK_AFTER

0 Karma