All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk REST API JSON Parsing

thufirtan
Engager
‎08-26-2013 08:05 PM

Hi, I am querying a REST API which returns JSON data. The JSON contains multiple results which I would like to break up into events. The metadata provides general information about the API call. Please advise on how I can do this? I am not interested in the metadata information but just want the results broken down as events to index. Thanks!

{"_metadata":[{"totalCount":9940102,"count":5,"limit":5,"offset":0,"status":"ok"}],"results":[{ "_id" : "1", "type":"apple"}, {"_id" : "2", "type":"banana"}, "_id":"3", "type":"apple"}]}

0 Karma
Reply

rturk
Builder
‎08-26-2013 08:29 PM

Hi Thufirtan,

Splunk recognises JSON natively. Taking your sample event (and putting an opening brace '{' before the last result declaration) I am able to search and report on the events:

Sample event:

{"_metadata":[{"totalCount":9940102,"count":5,"limit":5,"offset":0,"status":"ok"}],"results":[{ "_id" : "1", "type":"apple"}, {"_id" : "2", "type":"banana"}, {"_id":"3", "type":"apple"}]}

Search:

source="json_sample.txt" | rename results{}._id AS id, results{}.type AS type | stats count by type

Results:

alt text

Now let's say you have multiple events, and a timestamp in the returned response.

Sample Events:

{"_metadata":[{"timestamp":1377581422,"totalCount":9940102,"count":5,"limit":5,"offset":0,"status":"ok"],"results":[{"_id" : "1", "type":"apple"},{ "_id" : "2", "type":"banana"},{ "_id":"3","type":"apple"}]}

{"_metadata":[{"timestamp":1377581622,"totalCount":9566547,"count":6,"limit":6,"offset":0,"status":"ok"],"results":[{"_id" : "4", "type":"apple"},{ "_id" : "5", "type":"banana"},{ "_id":"6","type":"apple"}]}

By setting up your props.conf, you should be able to parse this automatically:

props.conf

[fruity_json]
BREAK_ONLY_BEFORE=^{
SHOULD_LINEMERGE=true
TIME_FORMAT=$s
TIME_PREFIX="timestamp":

This will give you two distinct events and reliably extract the timestamp 🙂 I believe this would be considered best practice for defining events in Splunk.

References:
Index Multiline Events, spath (JSON field extraction). props.conf

This probably won't address all of your follow up questions, but has hopefully put you on the right track 🙂

Reply

rturk
Builder
‎08-28-2013 07:17 AM

If this has answered your question, please be sure to mark it as answered so people with similar issues can find the solution as well 🙂

0 Karma
Reply

rturk
Builder
‎08-27-2013 05:27 AM

Hi thufirtan - I've edited the answer to address this question for you.

0 Karma
Reply

thufirtan
Engager
‎08-26-2013 10:28 PM

hi, that sort of works. how about if one of the fields is a timestamp as well? is there a way to split up the records before indexing or is this the best method? thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...