REST APIs are one of the building blocks of the modern Internet, and most organisations use them to some extent. This means that they are a great source of data – and where there’s data, there’s a use case for Splunk! In this post, we will use the Salesforce status page as an example, but this can be applied to any API you can think of.

Before you can ingest the data from the API, you’ll want to investigate it. This can be done using a simple curl command with the url of the API, which will return a chunk of JSON formatted data. Using “2>/dev/null” with this command will filter out any errors. 

curl https://api.status.salesforce.com/v1/instances/EU32/status 2>/dev/null
A unix console showing a large, unreadable block of text.
The result of the curl command – hope you’ve got your reading glasses and a lot of patience to make sense of that!

As you can see, the result of that curl command is a huge chunk of text that is difficult to read. Luckily, a tool exists to make this easier on the eyes. jq is a simple utility that processes JSON in the command line. Once you have installed jq, getting readable output from a curl command is simple:

curl https://api.status.salesforce.com/v1/instances/EU32/status 2>/dev/null | jq
Output of a console, with neatly formatted JSON text
Output from the curl command when piped to jq – much easier to read!

Now that you can read the JSON, you might notice that you only want to see part of the output – jq also allows you to extract specific parts of the data, which you can do by including a path to that part of the JSON:

curl https://api.status.salesforce.com/v1/instances/EU32/status 2>/dev/null | jq '.Incidents[]'
Output of a console, with neatly formatted JSON text
output of the curl command, looking specifically at the Incidents section of the Salesforce status page

Or even more simply, you can query one specific line of the JSON: 

curl https://api.status.salesforce.com/v1/instances/EU32/status 2>/dev/null | jq '.status'
Output of a terminal, with neatly formatted JSON text
output of the above command

Once you’ve explored the API and know which parts of it you want to use, you are ready to ingest it into Splunk. There are several ways to do this, such as using a scripted input.

For 2021 we’ve committed to posting a new Splunk tip every week!

If you want to keep up to date on tips like the one above then sign up below:

Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.

Subscribe

* indicates required

Posted by:Becky Nielsen

Becky is a certified Splunk Admin, who has been working for iDelta since graduating from CodeClan's Professional Software Development course in 2019. Previously an archivist at several institutions around the UK, she holds an MSc in Information Management and Preservation from the University of Glasgow.