Re: When building a modular input, how to index JS...

apezuela · ‎04-09-2018

Hi,

I am building a modular input using Add-on Building and python.
When I am trying to index JSON data I get this error: "ERRORcannot serialize {u'rule-number': 1, u'type': u'access-rule..."

Any clue about this issue?

The relevant portion of code is:

res =  json.load(response)   
 rules = res['rulebase']
 for rule in rules:
            event = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=rule)
        ew.write_event(event)

Best regards,

AndersNierhoff · ‎10-22-2018

Hi,

Have you looked at the structure of the raw data ? Splunk modular input is sending data as a xml, and therefor you json parsing fails. i am myself unsure how this is expected to work.

raw event
2018-10-22T13:05:51.329000+0200{'test': 'Issue', 'time': '2018-10-22T13:05:51.329000+0200'}

real event
{'test': 'Issue', 'time': '2018-10-22T13:05:51.329000+0200'}

related post
https://answers.splunk.com/answers/693177/parsing-of-splunk-modular-input-with-json-data.html

smoir_splunk · ‎08-15-2018

try json.dump before you write the events

p_gurav · ‎04-09-2018

This may help:
https://answers.splunk.com/answers/620832/error-execprocessor-message-from-scriptpy-error-ca.html

When building a modular input, how to index JSON data?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

When building a modular input, how to index JSON data?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar