
Why is the REST API not breaking XML into multiple events or extracting fields?

bwindham
Path Finder

I know this topic has been addressed many times on here, but I cannot get my XML events to break properly. I am retrieving Cisco Prime devices via a REST API XML call. Designating the TA_cisco_ios add-on as the App in REST, I just cannot get it broken into individual events. Splunk just shows 1 event, as seen in the attached xml-file.

My props.conf under TA_cisco_ios looks like:
[cisco:ios]
 BREAK_ONLY_BEFORE=
 TRUNCATE=500000

My REST setup looks like this:

REST API Input: Cisco Prime Device Status   
Endpoint URL:  https://172.x.x.85/webacs/api/v3/data/Devices.xml?.full=true 
Authentication Type: basic  
Sourcetype:  cisco:ios
App:  TA-cisco_ios
Status:  Enabled

Thanks in advance! This is driving me crazy!

0 Karma

Damien_Dallimor
Ultra Champion

I use custom response handlers in the REST setup for preprocessing, and in this case, event splitting.

Add something like this to rest_ta/bin/responsehandlers.py (example only, tweak as need be):

class XMLResponseHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
        # Parse the whole XML response once
        from xml.etree import ElementTree
        e = ElementTree.fromstring(raw_response_output)
        # Emit each <entity> child of the root element as its own event
        for entity in e.findall('entity'):
            print_xml_stream(ElementTree.tostring(entity).decode())

And then declare it to be applied to your input:


0 Karma
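
The splitting logic from the answer above, pulled out so it can be run and tested outside Splunk. This is an added example, not code from the original post or from the REST modular input itself: the function names `split_entities` and `flatten`, the DTD check, the fallbacks and the sample response are assumptions of the example, and `flatten` goes one step beyond the answer by reducing each entity to leaf-tag/value pairs as a possible starting point for field extraction.

```python
from xml.etree import ElementTree

# Constructed sample: only the <entity> element name comes from the thread;
# every other element, attribute and value is made up for this example.
SAMPLE = b"""<?xml version="1.0"?>
<queryResponse count="2">
  <entity url="https://prime.example/Devices/1">
    <devicesDTO id="1"><deviceName>sw-core-01</deviceName><reachability>REACHABLE</reachability></devicesDTO>
  </entity>
  <entity url="https://prime.example/Devices/2">
    <devicesDTO id="2"><deviceName>sw-edge-07</deviceName><reachability>UNREACHABLE</reachability></devicesDTO>
  </entity>
</queryResponse>"""


def _as_text(raw):
    return raw if isinstance(raw, str) else raw.decode("utf-8", "replace")


def split_entities(raw, tag="entity"):
    """Return one XML string per <tag> child of the root element."""
    text = _as_text(raw)
    # The response body is untrusted input. Assumption: the API never sends a DTD,
    # so refuse one rather than let the parser expand entities defined in the body.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("unexpected DTD in response")
    try:
        root = ElementTree.fromstring(raw)
    except ElementTree.ParseError:
        return [text]  # truncated or non-XML body: keep it as one event, do not drop it
    events = [ElementTree.tostring(c, encoding="unicode").strip() for c in root.findall(tag)]
    return events or [text]  # e.g. an error document with no <entity> children


def flatten(entity_xml):
    """Map leaf tag -> text for one entity (a repeated tag keeps its last value)."""
    elem = ElementTree.fromstring(entity_xml)
    return {leaf.tag: (leaf.text or "").strip() for leaf in elem.iter() if len(leaf) == 0}


if __name__ == "__main__":
    for event in split_entities(SAMPLE):
        print(flatten(event))
```

Inside the handler's `__call__`, each string returned by `split_entities(raw_response_output)` would be passed to `print_xml_stream` in place of the loop body shown in the answer.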

bwindham
Path Finder

Thanks Damien....using your sample and some luck, I created a PrimeHandler and at least have broken out the individual events now but the fields were not being extracted. I put "KV_MODE = xml" in the sourcetype on the SH and at least I see the long field names now. May have to look at field extractions for that. Thanks for the help!

0 Karma

bwindham
Path Finder

The props.conf is not posting properly, but the attributes below are using entity as the break:
BREAK_ONLY_BEFORE
MUST_BREAK_AFTER

0 Karma