Re: When building a modular input, how to index JS...

apezuela · ‎04-09-2018

Hi,

I am building a modular input using Add-on Building and python.
When I am trying to index JSON data I get this error: "ERRORcannot serialize {u'rule-number': 1, u'type': u'access-rule..."

Any clue about this issue?

The relevant portion of code is:

res =  json.load(response)   
 rules = res['rulebase']
 for rule in rules:
            event = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=rule)
        ew.write_event(event)

Best regards,

AndersNierhoff · ‎10-22-2018

Hi,

Have you looked at the structure of the raw data ? Splunk modular input is sending data as a xml, and therefor you json parsing fails. i am myself unsure how this is expected to work.

raw event
2018-10-22T13:05:51.329000+0200{'test': 'Issue', 'time': '2018-10-22T13:05:51.329000+0200'}

real event
{'test': 'Issue', 'time': '2018-10-22T13:05:51.329000+0200'}

related post
https://answers.splunk.com/answers/693177/parsing-of-splunk-modular-input-with-json-data.html

smoir_splunk · ‎08-15-2018

try json.dump before you write the events

p_gurav · ‎04-09-2018

This may help:
https://answers.splunk.com/answers/620832/error-execprocessor-message-from-scriptpy-error-ca.html

When building a modular input, how to index JSON data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation