All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk rest api returns multiple json records- Can we force it to send it as a list?

HemanthShekar
New Member
‎02-05-2023 09:00 AM

Hi, 

 

I am trying to use splunk rest api to call the logs to do some dashboarding in our external application. 

There will be a java middle ware that will call these api and response will be parsed by the UI. But when i call the splunk rest api it returns multiple json records but not as a list. Just seperate json records , It will be troublesome to parse it as its not  a list . How do we make sure the response from splunk rest api is just 1 valid json that can be parsed? 

 

The screen shows the query and response from postman. How do we get a single json response from Splunk that has these json results as a list that can be parsed  easily by a program

splunk-respose-rest-api.png

Labels (3)
Tags (1)
0 Karma
Reply

HemanthShekar
New Member
‎02-05-2023 06:01 PM

@2MuchC0ff33 

0 Karma
Reply

2MuchC0ff33
Explorer
‎02-05-2023 05:22 PM

To specify the response format, use the output mode parameter in your REST API call. When you set it to "JSON," the response is returned as a single JSON object that can be easily parsed. Here's an illustration:

https://<host>:<port>/services/search/jobs/export?output_mode=json&search=<search query>

Replace host> and port> with the values for your Splunk instance, and search query> with your desired search query.

0 Karma
Reply

HemanthShekar
New Member
‎02-05-2023 06:00 PM

It's already used as part of request parameters. 

We are getting output in Json format . Just that we are getting multiple records.  One record for each status-code and it's a separate document . Not part of a Json list

0 Karma
Reply

2MuchC0ff33
Explorer
‎02-06-2023 09:20 PM

In that case, @HemanthShekar, you must modify your Splunk search query to return the results as a single JSON object. Use the stats command to aggregate the results and return them as a single JSON object in your search query.

Here's an example:

GET /services/search/jobs/export?output_mode=json&search=search+index%3D*+earliest%3D-24h%40h+latest%3Dnow+|+stats+values(status_code)+by+status_code&count=1000

This will return the count of each status code value as a single JSON object, which your Java middleware can quickly parse. You can modify the search query to meet your specific needs.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top