All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk rest api returns multiple json records- Can we force it to send it as a list?

HemanthShekar
New Member
‎02-05-2023 09:00 AM

Hi, 

 

I am trying to use splunk rest api to call the logs to do some dashboarding in our external application. 

There will be a java middle ware that will call these api and response will be parsed by the UI. But when i call the splunk rest api it returns multiple json records but not as a list. Just seperate json records , It will be troublesome to parse it as its not  a list . How do we make sure the response from splunk rest api is just 1 valid json that can be parsed? 

 

The screen shows the query and response from postman. How do we get a single json response from Splunk that has these json results as a list that can be parsed  easily by a program

splunk-respose-rest-api.png

Labels (3)
Tags (1)
0 Karma
Reply

HemanthShekar
New Member
‎02-05-2023 06:01 PM

@2MuchC0ff33 

0 Karma
Reply

2MuchC0ff33
Explorer
‎02-05-2023 05:22 PM

To specify the response format, use the output mode parameter in your REST API call. When you set it to "JSON," the response is returned as a single JSON object that can be easily parsed. Here's an illustration:

https://<host>:<port>/services/search/jobs/export?output_mode=json&search=<search query>

Replace host> and port> with the values for your Splunk instance, and search query> with your desired search query.

0 Karma
Reply

HemanthShekar
New Member
‎02-05-2023 06:00 PM

It's already used as part of request parameters. 

We are getting output in Json format . Just that we are getting multiple records.  One record for each status-code and it's a separate document . Not part of a Json list

0 Karma
Reply

2MuchC0ff33
Explorer
‎02-06-2023 09:20 PM

In that case, @HemanthShekar, you must modify your Splunk search query to return the results as a single JSON object. Use the stats command to aggregate the results and return them as a single JSON object in your search query.

Here's an example:

GET /services/search/jobs/export?output_mode=json&search=search+index%3D*+earliest%3D-24h%40h+latest%3Dnow+|+stats+values(status_code)+by+status_code&count=1000

This will return the count of each status code value as a single JSON object, which your Java middleware can quickly parse. You can modify the search query to meet your specific needs.

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...
Top