All Apps and Add-ons

Why is the REST API not breaking XML into multiple events or extracting fields?

bwindham
Path Finder

I know this topic has been addressed many times on here but I cannot get my xml events to break properly. I am retrieving Cisco Prime devices via REST API xml call. Designating the TA_cisco_ios addon as the App in REST, I just cannot get it broken into individual events. Splunk just shows 1 event as seen attached xml-file.

My props.conf under TA_cisco_ios looks like:
[cisco:ios]
 BREAK_ONLY_BEFORE=
 TRUNCATE=500000

My REST setup looks like this:

REST API Input: Cisco Prime Device Status   
Endpoint URL:  https://172.x.x.85/webacs/api/v3/data/Devices.xml?.full=true 
Authentication Type: basic  
Sourcetype:  cisco:ios
App:  TA-cisco_ios
Status:  Enabled

Thanks in advance! This is driving me crazy!

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

I use custom response handlers in the REST setup for pre processing , and in this case , event splitting.

Add something like this to rest_ta/bin/responsehandlers.py (example only , tweak as need be) :

class XMLResponseHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):

        from xml.etree import ElementTree
        e = ElementTree.fromstring(raw_response_output)
        for entity in e.findall('entity'):
            print_xml_stream(ElementTree.tostring(entity).decode())   

And then declare it to be applied to your input :

alt text

View solution in original post

0 Karma

Damien_Dallimor
Ultra Champion

I use custom response handlers in the REST setup for pre processing , and in this case , event splitting.

Add something like this to rest_ta/bin/responsehandlers.py (example only , tweak as need be) :

class XMLResponseHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):

        from xml.etree import ElementTree
        e = ElementTree.fromstring(raw_response_output)
        for entity in e.findall('entity'):
            print_xml_stream(ElementTree.tostring(entity).decode())   

And then declare it to be applied to your input :

alt text

0 Karma

bwindham
Path Finder

Thanks Damien....using your sample and some luck, I created a PrimeHandler and at least have broken out the individual events now but the fields were not being extracted. I put "KV_MODE = xml" in the sourcetype on the SH and at least I see the long field names now. May have to look at field extractions for that. Thanks for the help!

0 Karma

bwindham
Path Finder

the props.conf is not posting properly but below attributes are using entity as break
BREAK_ONLY_BEFORE
MUST_BREAK_AFTER

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...