Getting Data In

Can we get data from API in Splunk App on demand and without indexing it?

wazuhtest
Explorer

Hi,
Would it be possible to get data from an external RESTful API and draw the JSON results with Splunk element as charts or tables?
Thank you in advance

0 Karma
1 Solution

starcher
SplunkTrust
SplunkTrust

Yes you can make a custom search command to fetch and enhance your search data as fields.
https://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Aboutcustomsearchcommands

View solution in original post

starcher
SplunkTrust
SplunkTrust

Yes you can make a custom search command to fetch and enhance your search data as fields.
https://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Aboutcustomsearchcommands

wazuhtest
Explorer

I appreciate so much your quick response .
After reading those documents it's not quite clear for me how to enhance the JSON results as data fields in order to draw charts or tables with them even if I make a command for fetching the data with 'wget' or 'curl'. Please, could you give me more details about it?
Thank you for your help

0 Karma

starcher
SplunkTrust
SplunkTrust

You need to have some development skills. Preferably python. You want a streaming command to add fields to events. This is an example of adding/modifying fields on events as they pass through the command. The code to get such data from an api is additional you'd have to do.
https://github.com/georgestarcher/TA-esreplacefields/blob/master/bin/esreplacefields.py

0 Karma

wazuhtest
Explorer

Thank you so much, I will check it

0 Karma

wazuhtest
Explorer

Hi again @starcher, I've been checking out your scripts and I think there are some conceptual issues I'm still not getting. How could I retrieve those fetched jsons from the script to the Splunk app? And how could I draw, for example, a table with them if they're not indexed?
Lets say that I want to fetch data from - https://externfoo.bar/logs?page=1 when I press page 1 in the table, https://externfoo.bar/logs?page=2 when page 2 is pressed, and so. All in real time and on demand.
Thank you again for your help

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...