Re: REST API Modular Input Add-on: Is it possible ...

tnerkar_splunk · ‎02-24-2017

I am using oauth2, as the authentication type. My data currently gets parsed as either, into 1 event alone
or the parser treats each line as a separate event.

The data from the curl output appears as

 [
    {
        "count": 6495, 
        "kind": "Host", 
        "next": "https://mycompany.com/api/v1.0/data/search?results_id=<>=search+Host+show+name%2C+%23InferredElement%3AInference%3AAssociate%3ADiscoveryAccess.endpoint+as+%27Scanned+via%27%2C+os%2C+os_class+as+%27OS+Class%27%2C+os_type+as+%27OS+Type%27%2C+os_version+as+%27OS+Version%27%2C+model+as+%27Model%27%2C+vendor+as+%27Hardware+Vendor%27&offset=1000&limit=1000&format=object", 
        "next_offset": 1000, 
        "offset": 0, 
        "results": [
            {
                "Hardware Vendor": "VMware, Inc.", 
                "Model": "VMware Virtual Platform", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": "10.000.000.111", 
                "name": "abc-atydv-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "abc-ENTDC-001", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }, 
            {
                "Hardware Vendor": "HP", 
                "Model": "ProLiant DL360p Gen8", 
                "OS Class": "Windows", 
                "OS Type": "Windows", 
                "OS Version": "Server 2012 R2", 
                "Scanned via": null, 
                "name": "efg-ENTDC-002", 
                "os": "Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600"
            }
],
"results_id": "abc="
    }

Thanks,
Tejal

bmacias84 · ‎02-24-2017

The quest answer is yes you can. This requires you to build your on response handler in Python. If you read the inputs.conf.spec you will see a settings called response_hander, Python classname of custom response handler. For more examples open responsehandlers.py which is located in the bin directory. You will see a number of custom handlers.

Basically you are going to have to write some python.

tnerkar_splunk · ‎02-27-2017

Here is my CustomHandler, added in responsehandlers.py

class MyCustomHandler:

 def __init__(self,**args):
     pass

 def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint):
     if response_type == "json":        
         output = json.loads(raw_response_output)

         for server in output["results"]:
             print_xml_stream(json.dumps(server))                      
     else:
         print_xml_stream(raw_response_output)

It errors out as:

02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" for server in output["results"]:
02-27-2017 16:21:08.563 -0800 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/rest_ta/bin/rest.py" TypeError: list indices must be integers, not str

I only want to capture the data/events after "results"

tnerkar_splunk · ‎02-28-2017

Further update. I was able to resolve the issue.

aaraneta_splunk · ‎04-20-2017

@tnerker - Would you be able to provide the answer your issue so that others can know what you did and we can close out your question?

REST API Modular Input Add-on: Is it possible to parse data from ADDM reporting REST API?

Here is my CustomHandler, added in responsehandlers.py

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?