Hello fellow Splunkers!
We want to ingest Oracle Fusion Application (SaaS) audit logs into Splunk on-prem, and the only way to do this is through the REST API GET method. So, now that I cannot find a REST input option in Splunk or any free add-on from Splunk for this task, all I have read over the internet is to develop a script. I need your support to share a sample Python script that should not only pull the logs but also avoid duplicate logs with every pull.
Thanks in advance!
You have three options here.
1. Create a completely external script that will pull data from your REST endpoint and write it to a file for ingestion by file monitor input or send it to a HEC input. That's probably the easiest (in the quick and dirty sense) but least maintainable one.
2. Create a modular input manually - https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtocreatemo...
3. Use add-on builder to create modular input - https://docs.splunk.com/Documentation/AddonBuilder/4.2.0/UserGuide/ConfigureDataCollection
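A sketch of option 1 with the duplicate avoidance the question asks for, added here as an example and not code from any poster, Splunk, or Oracle. It keeps a checkpoint (latest timestamp plus the event IDs seen at that timestamp) and appends only unseen events to a file for a monitor input. The field names `eventId`, `eventTime` and `action`, the `fetch(since)` callable and the sample events are assumptions; timestamps are assumed to be same-format UTC ISO 8601 strings so they compare correctly as text.

```python
import json
import os
import tempfile

def load_checkpoint(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:  # first run: start from the beginning
        return {"since": "1970-01-01T00:00:00Z", "seen": []}

def save_checkpoint(path, state):
    # Write to a temp file and rename, so a crash never leaves a torn checkpoint.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)

def collect(fetch, checkpoint_path, out_path):
    """fetch(since) returns a list of event dicts with eventTime >= since."""
    state = load_checkpoint(checkpoint_path)
    since, seen = state["since"], set(state["seen"])
    fresh = []
    for ev in sorted(fetch(since), key=lambda e: e["eventTime"]):
        if ev["eventTime"] < since or ev["eventId"] in seen:
            continue                      # already written on an earlier pull
        if ev["eventTime"] > since:       # watermark advances; older IDs not needed
            since, seen = ev["eventTime"], set()
        seen.add(ev["eventId"])
        fresh.append(ev)
    if fresh:
        with open(out_path, "a") as out:  # file watched by a monitor input
            for ev in fresh:
                out.write(json.dumps(ev, sort_keys=True) + "\n")
        # Checkpoint only after events are on disk: a crash re-sends, never drops.
        save_checkpoint(checkpoint_path, {"since": since, "seen": sorted(seen)})
    return len(fresh)

# Constructed sample data standing in for the remote API (not real Oracle output).
SAMPLE = [
    {"eventId": "a1", "eventTime": "2024-05-01T10:00:00Z", "action": "LOGIN"},
    {"eventId": "a2", "eventTime": "2024-05-01T10:05:00Z", "action": "ROLE_GRANT"},
    {"eventId": "a3", "eventTime": "2024-05-01T10:05:00Z", "action": "LOGOUT"},
]

def fake_fetch(events):
    # Hypothetical stand-in for the authenticated REST GET call.
    return lambda since: [e for e in events if e["eventTime"] >= since]
```

In a real collector, replace `fake_fetch` with the authenticated HTTPS request and keep the API credentials outside the script and the checkpoint file.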
@PickleRick I appreciate your reply. The add-on builder option is what I'll go with. But will the add-on option work with XML data, given the data type is XML and the Splunk documentation only discusses JSON format? If so, do I need to apply the same "JSON path formats"? If not, can you kindly provide the formats or a reference guide?
Build the data collection for your add-on to gather data from a REST API. A REST data input uses JSON as a data type and supports basic authentication and API-based authentication. For advanced data collection, create a modular input by writing your own Python code.
So if your source returns XML... well, you're on your own here.
Made some changes at source, now we are getting the logs in JSON format and Add-on builder option worked fine.