- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Fetch external JSON for dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fetch external JSON for dashboard
To make things easier, I'd like to include a REST JSON from an external tools of ours in one of our Splunk dashboards.
I looked a bit at the REST API Modular Input add-on, but the data I want to present might change over time.
Any other interesting ways to solve a thing like that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will depend on what tool you are using to import the JSON data. Probably one of the easiest ways is to create a new index for this JSON data to be imported into via HEC and then run that query into the dashboard. Set your external tool to run the collection automatically for whatever time you need it. If you need the data to override the previous data thats imported then you can set this via a outputlookup.
Let me know if this helps or if you want more of a structure around this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, let me see if I can get the data imported to start with. But if I understand you correct, I can import the same data on several times, and then sort this when I query for the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly. What external tool are you using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I have added a new index and manually uploaded data extracted from two months. For the fun of it, I uploaded some random entries twice, to simulate the duplication.
Could it be as easy as I use dedup in the search query, and that's enough?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
essentially you know have the data in a new index and should work like the others apart from the _time field as this will only show the time you uploaded the data so I presume you have a date field as part of this data set.
Are you going to be looking to have a recurring data upload to this index and overriding the data each time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the data itself contains other date fields.
We're planning on importing this on a monthly basis. There might be a few cases where the same entry comes in different monthly reports with slightly different data, but those are most likely less than 1% of the entries.
It's always the latest entry that is the correct one.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
