Data type for cURL with JSON response

msn2507 · ‎05-25-2013

Data source for my requirement is coming from HTTP request. I can fetch the data in command line using CURL command and seeking help on how to import that same in Splunk. The response expected is in json format.

I am going through the reference - http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Spath but it doesnt specify on how to import the data. Any help on how to feed splunk with CURL data would be great.

For example, my request in command line is like - curl "http://finance.google.com/finance/info?client=ig&q=NASDAQ%3aGOOG"

and the response - // [ { "id": "694653" ,"t" : "GOOG" ,"e" : "NASDAQ" ,"l" : "873.32" ,"l_cur" : "873.32" ,"s": "0" ,"ltt":"4:00PM EDT" ,"lt" : "May 24, 4:00PM EDT" ,"c" : "-9.47" ,"cp" : "-1.07" ,"ccol" : "chr" } ]

msn2507 · ‎05-27-2013

Guys, any help ?

msn2507 · ‎05-26-2013

Thanks for your reply. I am going down the path of scripted input as importutil doesnt support cURL.

I have couple of questions

I am following this reference to extract the fields but the search (sourcetype="count_size" | spath output=myfield path=text.size) doesnt yield anything for a response like this -

{"text": {
"data": "Click here",
"size": 36,
"data": "Learn more",
"size": 37,
"data": "Help",
"size": 38,
}
os_version : "10.9,
updated_at : "2013-05-27T04:24:57Z",
user_string : ""
}

Please help me construct an spath search for json response.

How do I tell Splunk to capture only the delta data of the request instead of capturing the entire response for every fetch ?

Ayn · ‎05-25-2013

importutil should do just what you want.

If you want to setup a more permanent input, you should set up a scripted input that uses for instance curl to get the data and then echoes it back into Splunk.

Data type for cURL with JSON response

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability