Getting Data In

What is the difference between single-instance and multiple-instance modular inputs for REST API?

Path Finder

Hi Dear Splunkers,

I am trying to develop a Modular Input for our REST API which will ingest some data from our API through a python script implementation. The idea is simple. The modular input will poll our REST API after some interval, fetch the data, and index it into Splunk.

However, I am confused about the concept of single-instance and multiple-instance modular inputs. What I have understood is that single-instance modular inputs can be configured only once by the user and there is only one instance of the python script running at any point. Our API has the same type of data so there is no need for the user to configure multiple inputs otherwise, as the same data will be duplicated and indexed by Splunk which will be wasteful, I believe.

Can someone explain to me the major difference between both types in easy terms, and also suggest which type of modular input I should create for my use case?

Thanking you all for taking the time to read this.


Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...