Hi,
I have been trying the REST modular input to ingest records from a couple of REST endpoints into Splunk in real time. Installing a single instance of rest_ta/ under the etc/apps directory and defining multiple input stanzas led to a high percentage of the records not being indexed into Splunk. Troubleshooting this, I can see the modular input queries the REST endpoints and retrieves all records, but when the records are written with print() to STDOUT, a high ratio are not indexed into Splunk. I could persist all the records, though, if I print() to a text file instead of STDOUT. Please note that I have implemented a custom authentication class and also a custom response handler.
Could you please let me know if having a single rest_ta app to cater for multiple input stanzas is appropriate? Also, how could I troubleshoot and debug this STDOUT record loss, as nothing shows up in splunkd.log after the modular input prints the records to STDOUT? How can I follow the record up after print()?
Thanks in advance.