Create dashboards/graphs off extracted JSON/XML data?

leesa
New Member

Hi folks,

I'm new to Splunk but am trying to extract data from Cisco's Prime Infrastructure REST API using Splunk's REST module.

So far I've set up the Splunk module to extract data from Prime's API, and that part is working fine, but I'm not sure how to work with the returned data in Splunk to achieve what I'm looking for.

The first Prime API that I'm using is to get a count of routers/switches that are currently offline. Prime's API will return data in either JSON or XML but seeing as Splunk talks JSON, I'll stick with that.

Prime's API doesn't just return a value representing how many devices are down, it returns a list of devices that are down and a @count attribute, which is the value that I need Splunk to know.

Here is an example of the JSON data returned from Prime's API. There were multiple entityId entries but I've just kept one for example's sake.
{
  "queryResponse": {
    "@last": "65",
    "@first": "0",
    "@count": "66",
    "@type": "Devices",
    "@responseType": "listEntityIds",
    "@requestUrl": "https://sanitised/webacs/api/v1/data/Devices?reachability=UNREACHABLE&managementStatus=ne("...",
    "@rootUrl": "https://sanitised/webacs/api/v1/data",
    "entityId": [
      {
        "@type": "Devices",
        "@url": "https://sanitised/webacs/api/v1/data/Devices/119273198",
        "$": "119273198"
      },
    ]
  }
}

I have already set up an extracted field in the Splunk Search for the "@count" field and can use that data in a dataset, but it doesn't give me the result that I am looking for so I'm not sure if that's the right way to do it. It accrues the logs over time but in reality, the only data that I need is the data from the last poll.

The API is polled every 60 seconds and I'd like the returned @count field to be displayed somewhere, just as a number, not a graph/chart, for non-technical users to view. The historical data from previous polls is not important.

If anyone could steer me in the right direction I'd be very appreciative, thank you.

0 Karma

woodcock
Esteemed Legend

Try this:

| makeresults
| eval _raw="{
  \"queryResponse\": {
    \"@last\": \"65\",
    \"@first\": \"0\",
    \"@count\": \"66\",
    \"@type\": \"Devices\",
    \"@responseType\": \"listEntityIds\",
    \"@requestUrl\": \"https://sanitised/webacs/api/v1/data/Devices?reachability=UNREACHABLE&managementStatus=ne(\\\"INSERVICE_MAINTENANCE\\\")\",
    \"@rootUrl\": \"https://sanitised/webacs/api/v1/data\",
    \"entityId\": [
      {
        \"@type\": \"Devices\",
        \"@url\": \"https://sanitised/webacs/api/v1/data/Devices/119273198\",
        \"$\": \"119273198\"
      }
    ]
  }
}"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| spath
| rename queryResponse.@* AS *
| stats latest(count) AS numDevicesOffline

Or better yet, maybe

| head 1
| spath
| rename queryResponse.@* AS *
| stats latest(count) AS numDevicesOffline
0 Karma

leesa
New Member

Thanks folks. I'm away for a couple of weeks and will play with both solutions when I get back. Just wanted to pass on my thanks now so that you don't think I ignored you! Cheers.

0 Karma

somesoni2
Revered Legend

There could be many options:

your base search | stats latest("@Count") as OfflineDevicesCount

your base search | head 1 | table "@Count" | rename "@Count" as OfflineDevicesCount
0 Karma
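
For the display half of the question, a Simple XML single-value panel can wrap the `head 1` search from the answers above. This is an added example, not written by any poster in the thread; the base search `index=network sourcetype=prime:devices`, the 5-minute window and the colour thresholds are assumptions to replace with your own values.

```xml
<dashboard version="1.1">
  <label>Prime Infrastructure: unreachable devices</label>
  <row>
    <panel>
      <single>
        <title>Devices currently unreachable</title>
        <search>
          <!-- Assumed base search: substitute the index and sourcetype
               that your REST input actually writes to. -->
          <!-- head 1 keeps only the newest poll, so earlier polls in the
               window do not affect the number shown. -->
          <query>index=network sourcetype=prime:devices
| head 1
| spath
| rename queryResponse.@* AS *
| stats latest(count) AS numDevicesOffline</query>
          <!-- The API is polled every 60 seconds, so a short window is
               enough and keeps the search cheap. -->
          <earliest>-5m</earliest>
          <latest>now</latest>
          <!-- Re-run the search once a minute to match the poll interval. -->
          <refresh>60s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="underLabel">devices offline</option>
        <!-- Constructed thresholds: green at 0, amber from 1 to 10,
             red above 10. -->
        <option name="useColors">1</option>
        <option name="colorBy">value</option>
        <option name="rangeValues">[0,10]</option>
        <option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
      </single>
    </panel>
  </row>
</dashboard>
```

If the panel shows no result, widen `earliest` to confirm events are arriving before changing the rest of the search.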