To make things easier, I'd like to include REST JSON from an external tool of ours in one of our Splunk dashboards.
I looked a bit at the REST API Modular Input add-on, but the data I want to present might change over time.
Any other interesting ways to solve a thing like that?
This will depend on what tool you are using to import the JSON data. Probably one of the easiest ways is to create a new index for this JSON data to be imported into via HEC and then run that query into the dashboard. Set your external tool to run the collection automatically for whatever time you need it. If you need the data to override the previous data that's imported, then you can set this via an outputlookup.
Let me know if this helps or if you want more of a structure around this?
Ok, I have added a new index and manually uploaded data extracted from two months. For the fun of it, I uploaded some random entries twice, to simulate the duplication.
Could it be as easy as I use dedup in the search query, and that's enough?
Essentially you now have the data in a new index and it should work like the others, apart from the _time field, as this will only show the time you uploaded the data, so I presume you have a date field as part of this data set.
Are you going to be looking to have a recurring data upload to this index and overriding the data each time?
Yes, the data itself contains other date fields.
We're planning on importing this on a monthly basis. There might be a few cases where the same entry comes in different monthly reports with slightly different data, but those are most likely less than 1% of the entries.
It's always the latest entry that is the correct one.
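As an added example (not code from either poster or from Splunk), here is a small Python script covering the two points raised in the thread: shipping the tool's JSON into a dedicated index through HEC with `time` taken from the record's own date field, so `_time` reflects the data rather than the upload moment, and a local "latest entry wins" pass equivalent to what `dedup` does in the dashboard search. The record layout (`id`, `updated`, `status`), the index name `ext_tool` and the sourcetype are assumptions; the sample records are constructed, with one exact duplicate and one id that reappears in a later report with changed data, as described above. Sending is only attempted when `SPLUNK_HEC_URL` and `SPLUNK_HEC_TOKEN` are set, and TLS verification is left on.

```python
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample records standing in for two monthly exports from the
# external tool. Field names are assumptions for this example.
SAMPLE_RECORDS = [
    {"id": "A-1", "updated": "2024-01-15T10:00:00Z", "status": "open"},
    {"id": "A-2", "updated": "2024-01-20T08:30:00Z", "status": "open"},
    # same id in a later report with slightly different data: this one should win
    {"id": "A-1", "updated": "2024-02-12T09:00:00Z", "status": "closed"},
    # exact duplicate, e.g. the same file uploaded twice
    {"id": "A-2", "updated": "2024-01-20T08:30:00Z", "status": "open"},
]

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed format of the tool's date field


def parse_time(value):
    """Parse the tool's UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def to_hec_event(record, index, sourcetype="external_tool:json", time_field="updated"):
    """Wrap one record as a HEC event for /services/collector/event.

    'time' is set from the record's own date field so Splunk indexes it with
    a meaningful _time instead of the moment the batch was posted.
    """
    return {
        "time": parse_time(record[time_field]).timestamp(),
        "index": index,
        "sourcetype": sourcetype,
        "event": record,
    }


def hec_batch(records, index):
    """HEC accepts several event objects concatenated in one request body."""
    return "\n".join(json.dumps(to_hec_event(r, index)) for r in records)


def latest_per_key(records, key="id", time_field="updated"):
    """Keep only the newest record per key, mirroring `dedup id` on results
    sorted newest-first. Exact duplicates collapse to one entry."""
    best = {}
    for r in records:
        k = r[key]
        if k not in best or parse_time(r[time_field]) > parse_time(best[k][time_field]):
            best[k] = r
    return [best[k] for k in sorted(best)]


def send_to_hec(body, hec_url, token):
    """POST a batch to HEC. The certificate is verified with the default
    context; never disable verification just because HEC uses a self-signed
    cert, install the CA instead."""
    req = urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body.encode("utf-8"),
        headers={
            "Authorization": "Splunk " + token,
            "Content-Type": "application/json",
        },
        method="POST",
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    batch = hec_batch(SAMPLE_RECORDS, index="ext_tool")
    url, token = os.environ.get("SPLUNK_HEC_URL"), os.environ.get("SPLUNK_HEC_TOKEN")
    if url and token:
        print(send_to_hec(batch, url, token))  # HEC answers {"text": "Success", "code": 0}
    else:
        print(batch)
    for r in latest_per_key(SAMPLE_RECORDS):
        print("latest:", r)
```

With `time` populated this way, the dashboard search can rely on `_time`: `dedup` keeps the first result it sees, and search results arrive newest-first by default, so `index=ext_tool | dedup id` returns the latest version of each entry without any outputlookup, which is what `latest_per_key` reproduces locally. Keep the HEC token out of the script and dashboard (the example reads it from the environment), and scope the token to the one index it is allowed to write to.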