Splunk Search

Is it possible to export a JSON file through a search result and send the file to a remote location outside Splunk?

Explorer

I have a requirement to export a JSON file to a remote location. The file would be a feed to REST, which performs some action.
I am a beginner here and trying to explore the various capabilities I can achieve via Splunk.
Prompt response would be highly appreciated.

Cheers!!!!

SplunkTrust

Sure, you can export data to JSON from Splunk:

If you're looking to automate the process, everything from the REST API is in JSON format, so just learn how to use the REST API instead:

http://dev.splunk.com/restapi

0 Karma

Explorer

Hey Jkat,
Any idea for the implementation using Java?

0 Karma

SplunkTrust

Sorry, but I don't write/speak Java often enough to have Splunk examples. I recommend starting with the SDK: http://dev.splunk.com/java

I also recommend using Python instead because it's almost always installed, contrary to Java.

0 Karma

Explorer

OK,
So let's talk about the next step.
Supposing we have the code for exporting the JSON to a remote dir.
How shall we proceed next?
I mean, do we need to deploy the code on the Splunk hosting server?
Please help me to follow this.

0 Karma

SplunkTrust

You would deploy the code wherever you want to execute the code and change the URL you call in the code accordingly. If the Splunk server is at splunkserver.mydomain.com, then you'd update the URL in your code/configuration as such, and make sure the firewall ports were open.

Since your end goal is to drop the JSON on a remote server, you might consider running the code on that remote server and dropping the JSON to the filesystem there. If the destination of the JSON is another API, then you could just as easily PUSH / PUT the JSON into the destination's API.

0 Karma

Explorer

Hey Jkat,
It was a typo for JASON :). My apology.
Do you have a Python script handy which I can use to get the JSON export for the required search from the remote machine?
Perhaps I can simulate it in Java.

0 Karma

Explorer

Thanks Jkat for your prompt response.

Yes, I wish to automate the process.
1. Want to run a search.
2. Save the search result in JASON format.
3. Send the file to remote location.

0 Karma

SplunkTrust

It's JSON, not JASON. JASON = boy's name, JSON = JavaScript Object Notation

0 Karma

SplunkTrust

For that you will need to follow the REST API tutorial, as it explains how to get an authentication token and run a search using curl:

http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTTUT/RESTsearches

I prefer to use Python and requests/urllib2/urllib3. Here's a snippet of a Python function to get the security key:

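import re
import requests

def getSession(username, password):
    # The login endpoint expects the credentials in a POST body.
    uri = "https://localhost:8089/services/auth/login"
    # verify=False skips TLS certificate validation (Splunk ships a self-signed
    # certificate); pass verify="/path/to/ca.pem" to validate it instead.
    r = requests.post(uri, data={'username': username, 'password': password}, verify=False)
    r.raise_for_status()
    # The response is XML: <response><sessionKey>...</sessionKey></response>
    return re.search(r'<sessionKey>(.*?)</sessionKey>', r.text).group(1)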

And then here is a snippet of using that key in conjunction with requests.post():

uri = "https://localhost:8089/services/SOME_ENDPOINT"
# Splunk expects the session key as "Authorization: Splunk <sessionKey>".
headers = {'Authorization': 'Splunk ' + getSession("username", "password")}
data = "json data the endpoint expects"
# As above, verify=False disables certificate validation.
r = requests.post(uri, headers=headers, data=data, verify=False)

0 Karma
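
An added example (not code from any poster in this thread) that ties the three steps asked about together using only the Python standard library: run a search through the REST API's `search/jobs/export` endpoint, reduce the streamed output to a JSON array, and PUT it to a destination API, with TLS certificate verification left on. The destination URL is hypothetical, the sample stream is constructed, and the session key is assumed to have been obtained from the login endpoint beforehand.

```python
import json
import ssl
import urllib.parse
import urllib.request

SPLUNK = "https://splunkserver.mydomain.com:8089"  # host name used in the thread
DEST_URL = "https://receiver.example.com/ingest"   # hypothetical destination API

SAMPLE = [  # constructed sample of the export stream, one JSON object per line
    '{"preview":true,"offset":0,"result":{"host":"web01","count":"1"}}',
    '{"preview":false,"offset":0,"result":{"host":"web01","count":"3"}}',
    '',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"host":"web02","count":"7"}}',
]


def tls_context(ca_file=None):
    """Verified TLS; pass the CA file if Splunk's certificate is privately signed."""
    return ssl.create_default_context(cafile=ca_file)


def export_request(session_key, search):
    """Build the POST for search/jobs/export; `search` must start with 'search '."""
    body = urllib.parse.urlencode({"search": search, "output_mode": "json"}).encode()
    return urllib.request.Request(
        SPLUNK + "/services/search/jobs/export", data=body,
        headers={"Authorization": "Splunk " + session_key})


def parse_export(lines):
    """Keep final rows only: skip blank lines, previews and rows without a result."""
    objs = (json.loads(line) for line in lines if line.strip())
    return [o["result"] for o in objs if not o.get("preview") and "result" in o]


def push_request(rows, dest_url=DEST_URL):
    """Build the PUT that hands the JSON array to the destination API."""
    return urllib.request.Request(
        dest_url, data=json.dumps(rows).encode(), method="PUT",
        headers={"Content-Type": "application/json"})


def run(session_key, search, ca_file=None):
    """Export from Splunk, then push; returns (HTTP status, number of rows)."""
    ctx = tls_context(ca_file)
    with urllib.request.urlopen(export_request(session_key, search), context=ctx) as resp:
        rows = parse_export(raw.decode("utf-8") for raw in resp)
    with urllib.request.urlopen(push_request(rows), context=ctx) as resp:
        return resp.status, len(rows)
```

The script can run on any machine that can reach both the Splunk management port and the destination; keep the credentials out of the source file, for example in environment variables.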