For the following response how do I check XML or JSON for a status & succeeded elements/props (also never used python so any example would help):
I presume you are referring to this app: https://splunkbase.splunk.com/app/1546/ ?
If so, there are a bunch of example response handlers here for processing JSON responses:
1) write your custom handler and add it to SPLUNK_HOME/rest_ta/bin/responsehandlers.py
    # relies on the json import and the print_xml_stream helper in responsehandlers.py
    class SomeCustomHandler:

        def __init__(self, **args):
            pass

        def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
            if response_type == "json":
                output = json.loads(raw_response_output)
                # get the status and succeeded attributes from the json response
                status = output["status"]
                succeeded = output["succeeded"]
                # presumably then use them for some sort of boolean logic
                # output json event to Splunk
                print_xml_stream(json.dumps(output))
            else:
                print_xml_stream(raw_response_output)
2) declare this custom handler in your stanza setup
OK, it seems Splunk is now not even logging the request/response for the JSON content.
I don't see any entries in my search results for the expected data point.
When the response is :
This is logged in search results
However, when the response is:
It's not being logged
I don't see any errors in Splunk System monitor associated with this either.
It seems to be very inconsistent. Is there something it doesn't like about the response from the REST service that may stop it logging the result?
This is before I have even applied the Custom Handler.
I just gave you a generic example to point you in the right direction. I know nothing about your REST endpoint, JSON payload or the logic you are trying to apply to the JSON response.
So, the intent was to give you an example which you could then build something off.
Any errors will be searchable in Splunk with : index=_internal ExecProcessor error rest.py
I had a look and see nothing relevant. Who can help me resolve this issue?
I'm evaluating this product so would need to understand why the response is not even being logged for this particular request.
OK, let's do troubleshooting 101....
1) Can you see the request hitting your server (logs)?
2) Can you see the request on the wire (Wireshark is useful)?
3) What is your REST config on the Splunk side (look at inputs.conf with basic shell searching)?
4) Any firewalls?
1 & 2) Yes, I can see both types of requests/responses using Wireshark every 60 seconds as expected.
3) Can you provide more detail? What kind of scripting? I don't see any inputs.conf file in the C:\Program Files\Splunk\etc\apps\rest_ta folder.
4) I don't think the firewall should be an issue, as I can see the responses coming back and I can also see the logging as mentioned for one response in Splunk (both HTTP endpoints are being served from the same host domain).
1) Go to SPLUNK_HOME/etc/apps and do a filesystem search under this directory for the stanza you set up for your REST input. It gets saved to a file named inputs.conf. Then post this stanza for me to look at.
2) Have you written a custom response handler? What does this code look like? Maybe you have an error in your code?
3) When you search for events in Splunk, how are you searching for them? Search command, time range etc.?
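For the original question about checking a JSON or XML response for status and succeeded, here is an added example that is not from the thread or from the app. It assumes both fields are top-level (JSON keys, or direct children of the XML root) and that the handler receives "json" or "xml" as response_type; the names extract_status and StatusCheckHandler are hypothetical. It emits an event even when the body does not parse, so a malformed response still shows up in search.

```python
import json
import xml.etree.ElementTree as ET


def _to_bool(value):
    """Normalise JSON booleans and XML text such as 'true'/'false'; None if unclear."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        text = value.strip().lower()
        if text in ("true", "1", "yes"):
            return True
        if text in ("false", "0", "no"):
            return False
    return None


def extract_status(raw_response_output, response_type):
    """Return (status, succeeded); a missing field or unparsable body yields None."""
    if response_type == "json":
        try:
            doc = json.loads(raw_response_output)
        except ValueError:  # malformed JSON
            return None, None
        if not isinstance(doc, dict):
            return None, None
        return doc.get("status"), _to_bool(doc.get("succeeded"))
    if response_type == "xml":
        try:
            root = ET.fromstring(raw_response_output)
        except ET.ParseError:  # malformed XML
            return None, None
        # assumed layout: <anyroot><status>..</status><succeeded>..</succeeded></anyroot>
        return root.findtext("status"), _to_bool(root.findtext("succeeded"))
    return None, None


class StatusCheckHandler:
    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        status, succeeded = extract_status(raw_response_output, response_type)
        event = {"endpoint": endpoint, "status": status, "succeeded": succeeded}
        # inside responsehandlers.py this resolves to the app's print_xml_stream helper;
        # run on its own, it falls back to print
        emit = globals().get("print_xml_stream", print)
        emit(json.dumps(event))
```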