Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I unzip a file when pulling it from REST API?

tamduong16
Contributor
‎10-27-2017 09:06 AM

So the rest API that I set up in Splunk will go out to this rest endpoint and the file that it will receive is a zip file. Inside this zip file, there are 2 CSV files but I only need to index 1 file (in this case, the file name is ENDPOINT_CDR_DETAIL_ALL_CSV). But I only see 3 options for the response type which is text, xml, and json. Does Splunk have an option for us to set may be a response handler to unzip the file and only index 1 file out of the 2?

The name and form of the file:
alt text

Content inside the zip file:
alt text

Preview file
4 KB
Preview file
6 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎10-27-2017 09:07 PM

In rest_ta/bin/responsehandlers.py add a custom response handler , pseudo example : 

class ZipFileResponseHandler:

def __init__(self,**args):
    self.csv_file_to_index = args['csv_file_to_index']

def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
    import zipfile,io,re
    file = zipfile.ZipFile(BytesIO(response_object.content))
    for info in file.infolist():
        if re.match(self.csv_file_to_index, info.filename):
            filecontent = file.read(info)
            print_xml_stream(filecontent)

In your config stanza , apply this handler :

alt text

The csv_file_to_index parameter value in this example is a python regex such as :

  1. ENDPOINT_CDR_DETAIL_ALL_CSV\.csvfor an exact filename to extract from the zip
  2. .*CDR_DETAIL.*\.csv$ for a pattern for the filename(s) to extract from the zip

View solution in original post

Preview file
64 KB
Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎10-27-2017 09:07 PM

In rest_ta/bin/responsehandlers.py add a custom response handler , pseudo example : 

class ZipFileResponseHandler:

def __init__(self,**args):
    self.csv_file_to_index = args['csv_file_to_index']

def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
    import zipfile,io,re
    file = zipfile.ZipFile(BytesIO(response_object.content))
    for info in file.infolist():
        if re.match(self.csv_file_to_index, info.filename):
            filecontent = file.read(info)
            print_xml_stream(filecontent)

In your config stanza , apply this handler :

alt text

The csv_file_to_index parameter value in this example is a python regex such as :

  1. ENDPOINT_CDR_DETAIL_ALL_CSV\.csvfor an exact filename to extract from the zip
  2. .*CDR_DETAIL.*\.csv$ for a pattern for the filename(s) to extract from the zip
Preview file
64 KB
Reply
Solved! Jump to solution

tamduong16
Contributor
‎11-14-2017 01:28 PM

This is my version of the code:

class ZipFileResponseHandler:

def __init__(self,**args):
    pass

def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
    file = zipfile.ZipFile(StringIO.StringIO(response_object.content))
    for name in file.namelist():
        if "ENDPOINT" in name:
            data =file.read(name)
            data = data.split('\n')
            for element in data[1:]:
                print_xml_stream(element)
0 Karma
Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎10-27-2017 12:52 PM

I suggest using the REST API Modualr Input and plugging in a custom response handler to perform the unzipping for you and any other pre processing you require.

Here is an example in another answer.

Reply
Solved! Jump to solution

tamduong16
Contributor
‎10-27-2017 01:58 PM

Could you give me more information as how do I make the handler give the specific file to the indexer

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-27-2017 09:50 AM

Hi

can you please let me how you call REST API, using the script or anything else ??

0 Karma
Reply
Solved! Jump to solution

tamduong16
Contributor
‎10-27-2017 10:17 AM

I was able to download the rest api from splunk but for now, I'm not using any script yet. Do you think I could do this by writing a script that could run every minute to go to the url api? Again if the script allows me to unzip the file and pick what file I want. Thanks!

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-29-2017 10:42 PM

Yes,
you can create scripted input which downloads and extracts files for you.

Create inputs.conf in your app and put below configuration in file.

[script:///opt/splunk/etc/app/yourapp/bin/scriptedfile.py]
disabled = 0
interval = 60

This will run file every 60 secs. You can change as per your requirement.

Create bin/scriptedfile.py and do code for REST API (file download ) and extraction of files.

Scripted Input docs:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/AdvancedDev/ScriptedInputsIntro

0 Karma
Reply
Solved! Jump to solution

tamduong16
Contributor
‎10-27-2017 09:40 AM

Or if REST API couldn't do this. Is there any alternative way?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...