All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REST API Modular Input

preben12
Communicator
‎11-14-2013 04:50 AM

I calling a remote http endpoint that returns xml in the form of

<AdaptersStatus xmlns="http://xx.xx/xxxx/services/monitoring">
   <Status>ERROR</Status>
   <Timestamp>2013-11-14T13:33:48</Timestamp>
   <MonitoredAdapterStatus>
      <Status>
         <Timestamp>2013-11-14T13:33:47</Timestamp>
         <ApplicationStatus>OK</ApplicationStatus>
         <ApplicationVersion>1.0.19</ApplicationVersion>
         <MonitoredRessources>
            <DisplayName>Route monitor :: audit-trail-Route</DisplayName>
            <Status>OK</Status>
         </MonitoredRessources>
         <MonitoredRessources>
             <DisplayName>Route monitor :: bam-route</DisplayName>
             <Status>OK</Status>
         </MonitoredRessources>
     </Status>
     <Configuration>
        <URL>http://xxxxxx:7003/audit-trail/status</URL>
        <AdapterName>audit-trail</AdapterName>
     </Configuration>
  </MonitoredAdapterStatus> 
</AdaptersStatus>

I'm actually only interested in indexing the first field and the field, in this case ERROR, 2013-11-14Tx, and a sourcetype that indicates what rest service has been called.

I figured out that if I do = | rex "(?i)<.*?>(?P\w+)(?=<)" I will get a Key value of the Status field, but how can i make rest_ta index that, and discard the rest of the xml response ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎11-14-2013 06:32 AM

The REST API Modular Input is generic ie: it can be used against any HTTP REST endpoint. So it has the ability to plugin custom response handlers for any custom pre-processing or formatting of your response data.

To do this you add a custom response handler class to etc/apps/rest_ta/bin/responsehandlers.py and in the stanza setup declare that this handler should be applied.

So you could write a handler to just strip out and index the elements you are interested in.

Very quick rough code : 

class MyCustomResponseHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):

        from xml.dom import minidom
        dom = minidom.parseString(raw_response_output)
        status = dom.getElementsByTagName('Status')
        timestamp = dom.getElementsByTagName('Timestamp')
        status[0].firstChild.nodeValue
        timestamp[0].firstChild.nodeValue

        processed_response_output = 'status='+status[0].firstChild.nodeValue+' timestamp='+timestamp[0].firstChild.nodeValue

        print_xml_stream(processed_response_output)

alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎11-14-2013 06:32 AM

The REST API Modular Input is generic ie: it can be used against any HTTP REST endpoint. So it has the ability to plugin custom response handlers for any custom pre-processing or formatting of your response data.

To do this you add a custom response handler class to etc/apps/rest_ta/bin/responsehandlers.py and in the stanza setup declare that this handler should be applied.

So you could write a handler to just strip out and index the elements you are interested in.

Very quick rough code : 

class MyCustomResponseHandler:

    def __init__(self,**args):
        pass

    def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):

        from xml.dom import minidom
        dom = minidom.parseString(raw_response_output)
        status = dom.getElementsByTagName('Status')
        timestamp = dom.getElementsByTagName('Timestamp')
        status[0].firstChild.nodeValue
        timestamp[0].firstChild.nodeValue

        processed_response_output = 'status='+status[0].firstChild.nodeValue+' timestamp='+timestamp[0].firstChild.nodeValue

        print_xml_stream(processed_response_output)

alt text

Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎11-15-2013 04:26 AM

Cool, not bad for untested code 🙂

0 Karma
Reply
Solved! Jump to solution

preben12
Communicator
‎11-15-2013 03:58 AM

whoa - works like a charm 🙂

0 Karma
Reply
Solved! Jump to solution

preben12
Communicator
‎11-15-2013 02:59 AM

Thanks Damien
I'll give your suggestions a try.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...