How to obtain data through the FreshDesk API in REST API Modular Input?

gonzaloAgui
Explorer

Hi,
I need to obtain data from FreshDesk through the FreshDesk API using a URL param named "updated_since" (this is a datetime string with format "%Y-%m-%dT%H:%M:%SZ") as a checkpoint from the last ticket indexed, adding 1 second to the checkpoint because otherwise the last ticket is doubled.
The problem is (I THINK) that the URL Arguments passed from the Response Handler to rest.py change the format to this:

URL Arguments:
updated_since=1970-10-10 10:10:10

And this generates a Bad Request from the API:
03-26-2018 16:27:32.652 -0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 400 Client Error: Bad Request

My response handler script:

import datetime
import json

class FreshDeskResponseHandler:
    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):

        if response_type == "json":
            output = json.loads(raw_response_output)
            # Format FreshDesk uses for updated_at and expects for updated_since
            datetime_format = '%Y-%m-%dT%H:%M:%SZ'
            # Newest updated_at seen in this response (None if there was none)
            last_update_at = None
            for freshdesk_event in output:
                # print_xml_stream is the helper provided by the app's responsehandlers.py
                print_xml_stream(json.dumps(freshdesk_event))
                if "updated_at" in freshdesk_event:
                    # Compare parsed datetimes rather than strings in mixed formats
                    update_at_date = datetime.datetime.strptime(freshdesk_event["updated_at"], datetime_format)
                    if last_update_at is None or update_at_date > last_update_at:
                        last_update_at = update_at_date
            if not "params" in req_args:
                req_args["params"] = {}

            if last_update_at is not None:
                # Checkpoint: one second past the newest ticket so it is not indexed twice
                update_one_sec = last_update_at + datetime.timedelta(seconds=1)
                req_args["params"]["updated_since"] = update_one_sec.strftime(datetime_format)

        else:
            print_xml_stream(raw_response_output)

My inputs.conf:

[rest://TEST - input freshdeck]
auth_password = PASSWORD
auth_type = basic
auth_user = USERNAME
endpoint = https://DOMAIN.freshdesk.com/api/v2/tickets
http_method = GET
index_error_response_codes = 0
response_type = json
sequential_mode = 0
sourcetype = json_freshdesk
streaming_request = 0
cookies = _x_w=24_5
disabled = 0
host = fresh_desk_api
index = testfresh
polling_interval = 60
response_handler_args =
response_handler = FreshDeskResponseHandler
url_args = updated_since=1970-10-10 10:10:10

Has someone encountered a similar problem or knows a workaround to this?
Thanks in advance!

0 Karma

Damien_Dallimor
Ultra Champion

Are you able to get a trace of the actual HTTP GET request sent out, maybe using Wireshark or something similar to capture it?

0 Karma

gonzaloAgui
Explorer

Hi Damien, thank you for your quick response. I am trying to trace the HTTP request but failing in the attempt. Could you guide me, please? The Splunk instance is in a CentOS virtual machine without a graphical interface, and I do not have access to the server that hosts it.
I have tried with tcpdump, netstat, lsof, iptraf without success.

0 Karma

Damien_Dallimor
Ultra Champion

Try using Splunk Stream 🙂 https://splunkbase.splunk.com/app/1809/

0 Karma

gonzaloAgui
Explorer

I have already configured Splunk Stream, but I still can't see the URL with the parameters or the body of the packet.
I see data from these sources:

stream:Splunk_DNSIntegrity
stream:Splunk_DNSRequestResponse
stream:Splunk_SSLActivity
stream:Splunk_HTTPURI
stream:http

Is there something I'm missing? Let me know if you need a sample of the events.

0 Karma
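
Because the endpoint in the posted inputs.conf is HTTPS, a packet capture will not show the query string, so the value can be checked offline instead. The following added example (not code from the thread or from the REST API Modular Input) validates an updated_since value against the format given in the first post, derives the next checkpoint, and shows how a typical HTTP client would URL-encode it. The function names, the sample tickets and the use of urllib's urlencode to stand in for the client's encoding are assumptions made for illustration.

```python
import datetime
import json
from urllib.parse import urlencode

# Format the first post gives for FreshDesk's updated_since parameter.
FRESHDESK_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def is_valid_updated_since(value):
    """True only if value round-trips through the expected format exactly."""
    try:
        parsed = datetime.datetime.strptime(value, FRESHDESK_FORMAT)
    except ValueError:
        return False
    return parsed.strftime(FRESHDESK_FORMAT) == value


def next_checkpoint(tickets, previous):
    """Newest updated_at plus one second, or the previous checkpoint if none is usable."""
    newest = None
    for ticket in tickets:
        stamp = ticket.get("updated_at")
        if stamp and is_valid_updated_since(stamp):
            parsed = datetime.datetime.strptime(stamp, FRESHDESK_FORMAT)
            if newest is None or parsed > newest:
                newest = parsed
    if newest is None:
        return previous
    return (newest + datetime.timedelta(seconds=1)).strftime(FRESHDESK_FORMAT)


def query_string(updated_since):
    """Query string as a typical HTTP client encodes it (assumption, not rest.py's code)."""
    return urlencode({"updated_since": updated_since})


# Constructed sample response, not real FreshDesk data.
SAMPLE = json.loads('[{"id": 1, "updated_at": "2018-03-26T19:27:31Z"},'
                    ' {"id": 2, "updated_at": "2018-03-26T19:27:59Z"},'
                    ' {"id": 3}]')

if __name__ == "__main__":
    configured = "1970-10-10 10:10:10"  # url_args value from the posted inputs.conf
    for value in (configured, next_checkpoint(SAMPLE, configured)):
        print(is_valid_updated_since(value), query_string(value))
```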