Define REST settings

In this step, we'll continue to configure the REST settings for the data input.

Create Data Input wizard: Define & Test

  1. On the Define the data input page, specify the properties of the REST URL.
    • REST URL: enter the base URL "https://api.nytimes.com/svc/search/v2/articlesearch.json".
    • REST method: select GET, which indicates the type of HTTP request to make.
    • REST URL parameters: add the name and value of each parameter as follows, clicking New parameter to create new lines as needed:
      Name    | Value                                         | Description
      q       | ${query}                                      | A token value, using the internal name of the Query data input parameter, "query".
      api-key | ${__settings__.additional_parameters.api_key} | A token value, using the internal name of the API key setup field, "api_key".
      sort    | newest                                        | The sorting direction.

      To access the values of input and setup parameters, we use tokens, wrapping the internal or variable name as "${name}". For more about using tokens and accessing parameter values, see the Splunk Add-on Builder User Guide.

      As you enter each parameter, the REST URL is built automatically. If you were to enter the complete REST URL instead, the individual REST URL parameters would be filled in automatically.

    • REST request headers: Leave these fields blank.
    • To verify the input is working, we need to enter some test values.

    • Under Data input parameters, you'll see any data input parameters you defined in the previous wizard step. In our example, the Query field is displayed, showing its internal name in parentheses.
    • For testing purposes, enter a search term, such as "snow storm", to search articles for this phrase.

    • Click the Add-on Setup Parameters tab. You'll see any setup parameters you defined in the previous wizard step. In our example, the API key field is displayed, showing its internal name in parentheses.
    • The New York Times requires an API key, so enter your own API key for testing.

    • Go back to the Data Input Definition tab, then click Test.
    • The Output pane displays the result of the request so you know it's working:

      Notice that the JSON response is an array, and it is treated as one single event. Splunk could index this data now, but the data would be hard to use without splitting the array into elements.

    • Expand Event extraction settings. Let's specify how to break the JSON payload into individual events. For JSON path, enter "response.docs", which is a JSON path to the array to use for breaking events.
    • Note that as soon as you enter the value, the "docs" section of the array is highlighted.

      For more, see JSON path formats in the Splunk Add-on Builder User Guide.

Now we have defined the basic settings of the REST request.
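
The following sketch is an added example, not Add-on Builder's own code. It mimics what the settings above describe: expanding the "${...}" tokens into the REST URL parameters and breaking the response at "response.docs". Because the API key travels in the query string, it also builds a redacted copy of the URL that is safe to log. The helper names, the nested-dictionary model of the token names, and the sample values are assumptions.

```python
import json
import re
from urllib.parse import urlencode

BASE_URL = "https://api.nytimes.com/svc/search/v2/articlesearch.json"
# Helper names below are hypothetical. Parameter rows as entered in the wizard:
URL_PARAMS = {
    "q": "${query}",
    "api-key": "${__settings__.additional_parameters.api_key}",
    "sort": "newest",
}
TOKEN = re.compile(r"\$\{([^}]+)\}")


def expand(template, context):
    """Replace each ${dotted.name} with its value from a nested dict."""
    def lookup(match):
        value = context
        for part in match.group(1).split("."):
            value = value[part]  # KeyError if a token has no value
        return str(value)
    return TOKEN.sub(lookup, template)


def build_url(context, redact=()):
    """Build the request URL; parameters named in `redact` are masked."""
    pairs = [(name, "REDACTED" if name in redact else expand(value, context))
             for name, value in URL_PARAMS.items()]
    return BASE_URL + "?" + urlencode(pairs)


def break_events(payload, json_path="response.docs"):
    """Follow a dotted JSON path to an array; return one event per element."""
    node = json.loads(payload)
    for key in json_path.split("."):
        node = node[key]
    if not isinstance(node, list):
        raise ValueError(f"{json_path} is not an array")
    return [json.dumps(item, sort_keys=True) for item in node]


# Constructed test values and a constructed response (not real API output).
CONTEXT = {"query": "snow storm",
           "__settings__": {"additional_parameters": {"api_key": "EXAMPLE-KEY"}}}
SAMPLE = '{"status": "OK", "response": {"docs": [{"_id": "a1"}, {"_id": "b2"}]}}'

if __name__ == "__main__":
    print(build_url(CONTEXT, redact=("api-key",)))  # log-safe form of the URL
    print(*break_events(SAMPLE), sep="\n")          # one line per event
```
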

>>  Continue to Define a checkpoint.