Hi,
I am building a modular input using Add-on Building and python.
When I am trying to index JSON data I get this error: "ERRORcannot serialize {u'rule-number': 1, u'type': u'access-rule..."
Any clue about this issue?
The relevant portion of code is:
res = json.load(response)
rules = res['rulebase']
for rule in rules:
event = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=rule)
ew.write_event(event)
Best regards,
Hi,
Have you looked at the structure of the raw data ? Splunk modular input is sending data as a xml, and therefor you json parsing fails. i am myself unsure how this is expected to work.
raw event
2018-10-22T13:05:51.329000+0200{'test': 'Issue', 'time': '2018-10-22T13:05:51.329000+0200'}
real event
{'test': 'Issue', 'time': '2018-10-22T13:05:51.329000+0200'}
related post
https://answers.splunk.com/answers/693177/parsing-of-splunk-modular-input-with-json-data.html
try json.dump before you write the events