Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Unable to break JSON events from a REST Modula...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to break JSON events from a REST Modular input (SPLUNK CLOUD) AGAIN
ALXWBR
Path Finder
05-07-2021
01:48 AM
We are pulling some data from REST using REST API Modular Input (splunkbase.splunk.com/app/1546/), Response type json, and receiving the below response
{
currentServerTime: 2021-05-07T07:01:35.652+0000
measurements: [
{
count: 0
open: true
resultId: CSA_S_FT_L_ANY
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_ANY
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_7
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_6
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_5
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_4
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_3
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_10
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_2
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_1
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
calculatedTimeInSeconds: 0
count: 0
open: true
resultId: CSA_N_REG_L_2
time: 00:10:00
timeInSeconds: 600
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_1
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_10
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_4
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_9
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_3
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_8
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_6
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
calculatedTimeInSeconds: 0
count: 0
open: true
resultId: CSA_N_FT_L_8
time: 00:05:00
timeInSeconds: 300
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_5
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_8
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_7
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_FT_L_10
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_REG_L_9
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_FT_L_9
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_REG_L_ANY
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_FT_L_3
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_FT_L_2
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_S_FT_L_1
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
{
count: 0
open: true
resultId: CSA_N_FT_L_ANY
time: 00:00:00
timeInSeconds: 0
updated: 2021-05-07T07:01:00.000+0000
}
]
}
We would like to split each individual result into individual events using "updated" as the timestamp, however, no matter what I have tried, I can't get Splunk to break the events.
I've tried writing a custom response handler, but it's not working, this isn't my area of expertise so i'm really struggling! This is what I have written.
class BlipTrackHandler:
def __init__(self,**args):
pass
def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
if response_type == "json":
output = json.loads(raw_response_output)
for measurement in output["measurements"]:
measurement["timestamp"] = output["measurements"]["updated"]
print_xml_stream(json.dumps(measurement))
else:
print_xml_stream(raw_response_output)
Is anyone able to help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ALXWBR
Path Finder
05-07-2021
02:31 AM
Solved it myself
class BlipTrackHandler:
def __init__(self,**args):
pass
def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
if response_type == "json":
output = json.loads(raw_response_output)
for measurement in output["measurements"]:
measurement["currentServerTime"] = output["currentServerTime"]
print_xml_stream(json.dumps(measurement))
else:
print_xml_stream(raw_response_output)And changed the sourcetype to json_no_timestamp
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
