Hi folks,

I'm new to Splunk but am trying to extract data from Cisco's Prime Infrastructure REST API using Splunk's REST module.

So far I've set up the Splunk module to extract data from Prime's API, and that part is working fine, but I'm not sure how to work with the returned data in Splunk to achieve what I'm looking for.

The first Prime API that I'm using is to get a count of routers/switches that are currently offline. Prime's API will return data in either JSON or XML but seeing as Splunk talks JSON, I'll stick with that.

Prime's API doesn't just return a value representing how many devices are down, it returns a list of devices that are down and a @count attribute , which is the value that I need Splunk to know.

Here is an example of the JSON data returned from Prime's API. There were multiple entityId entries but I've just kept one for example's sake.
{
"queryResponse": {
"@last": "65",
"@first": "0",
"@count": "66",
"@type": "Devices",
"@responseType": "listEntityIds",
"@requestUrl": "https://sanitised/webacs/api/v1/data/Devices?reachability=UNREACHABLE&managementStatus=ne("...",
"@rootUrl": "https://sanitised/webacs/api/v1/data",
"entityId": [
{
"@type": "Devices",
"@url": "https://sanitised/webacs/api/v1/data/Devices/119273198",
"$": "119273198"
},
]
}
}

I have already set up an extracted field in the Splunk Search for the "@count" field and can use that data in a dataset, but it doesn't give me the result that I am looking for so I'm not sure if that's the right way to do it. It accrues the logs over time but in reality, the only data that I need is the data from the last poll.

The API is polled every 60 seconds and I'd like the returned @count field to be displayed somewhere, just as a number, not a graph/chart, for non-technical users to view. The historical data from previous polls is not important.

If anyone could steer me in the right direction I'd be very appreciative, thank you.