REST API Modular Input Add-on: Is it possible to p...

tnerkar_splunk · ‎02-24-2017

I am using oauth2, as the authentication type. My data currently gets parsed as either, into 1 event alone
or the parser treats each line as a separate event.

The data from the curl output appears as

 [
    {
        "count": 6495, 
        "kind": "Host", 
        "next": "https://mycompany.com/api/v1.0/data/search?results_id=<>=search+Host+show+name%2C+%23InferredElement%3AInference%3AAssociate%3ADiscoveryAccess.endpoint+as+%27Scanned+via%27%2C+os%2C+os_class+as+%27OS+Class%27%2C+os_type+as+%27OS+Type%27%2C+os_version+as+%27OS+Version%27%2C+model+as+%27Model%27%2C+vendor+as+%27Hardware+Vendor%27&offset=1000&limit=1000&format=object", 
        "next_offset": 1000, 
        "offset": 0, 
        "results": [
            {
                "Hardware Vendor": "VMware, Inc.", 
                "Model": "VMware Virtual Platform", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": "10.000.000.111", 
                "name": "abc-atydv-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "abc-ENTDC-001", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "efg-ENTDC-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }
],
"results_id": "abc="
    }

Thanks,
Tejal

bmacias84 · ‎02-24-2017

The quest answer is yes you can. This requires you to build your on response handler in Python. If you read the inputs.conf.spec you will see a settings called response_hander, Python classname of custom response handler. For more examples open responsehandlers.py which is located in the bin directory. You will see a number of custom handlers.

Basically you are going to have to write some python.

tnerkar_splunk · ‎02-27-2017

Here is my CustomHandler, added in responsehandlers.py

class MyCustomHandler:

 def __init__(self,**args):
     pass

 def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
     if response_type == "json":        
         output = json.loads(raw_response_output)

         for server in output["results"]:
             print_xml_stream(json.dumps(server))                      
     else:
         print_xml_stream(raw_response_output)

It errors out as:

02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" for server in output["results"]:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" TypeError: list indices must be integers, not str

I only want to capture the data/events after "results"

tnerkar_splunk · ‎02-28-2017

Further update. I was able to resolve the issue.

aaraneta_splunk · ‎04-20-2017

@tnerker - Would you be able to provide the answer your issue so that others can know what you did and we can close out your question?

REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

Here is my CustomHandler, added in responsehandlers.py

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life