Get xMatters event data into Splunk


The xMatters REST API allows us to get data about events and their properties in JSON format. Wouldn't it be great if we could bring that data into Splunk, so that we can search and display it any way we want?

I think this could be accomplished using the REST API Modular Input app for Splunk, which would go out and poll the xMatters API every few minutes.

Now here's my question: by default, the xMatters URL /api/xm/1/events?embed=properties returns all non-archived events. We don't need to get all of those events every time; we just need the new ones that have been created since the last polling interval. Is there a way to limit our API call so that we only get events within a certain timeframe (e.g., the last 5 minutes)?


Comments

6 comments

  • Hey Michael!

       Yep, that should work great. I'd love to see any dashboards or use cases on what you do with that data. (Feel free to drop me an email tdepuy at xmatters.com if you'd rather not post here)

    Anyway, the GET /events has a "from" and "to" parameter that take a GMT time in the format YYYY-MM-DDThh:mm:ss.sssZ. Something like this:

    GET /events?from=2017-05-01T14:00:00.000Z&to=2017-05-01T19:00:00.000Z

    Give that a whirl and let us know how it goes!

    Happy Monday!


    0
  • Hi Travis, 

    Thanks for the quick response. It seems like the "from" and "to" parameters would work great if we were doing a one-time upload of the JSON data into Splunk; I was thinking more in terms of relative time, because if I'm not mistaken, hard-coding the "from" and "to" times into the Splunk input will always give us the events that occurred between those times, when what we really want is to get new events on an ongoing basis. 

    0
  • Ah interesting. Generally the platforms have a way to calculate the date and send that as a parameter. Is this the App you are talking about?

    It looks like they have one token implemented: $datetoday$, but digging in a little more, it looks like you can edit the bin/tokens.py file. I'm not an expert in Python, but with some poking around I came up with this untested snippet you might try adding:

    import datetime

    def datetimenow():
        # Current UTC time, formatted the way the xMatters from/to parameters expect.
        now = datetime.datetime.utcnow()
        return now.strftime('%Y-%m-%dT%H:%M:%SZ')


    def datetime2hrsago():
        # Two hours before now, in the same format.
        then = datetime.datetime.utcnow() - datetime.timedelta(hours=2)
        return then.strftime('%Y-%m-%dT%H:%M:%SZ')

    Then restart Splunk, or whatever it takes. Then it looks like you can form your endpoint URL to be:

    /api/xm/1/events?from=$datetimenow$&to=$datetime2hrsago$

    That should make it a "dynamic" url. In theory. Maybe?

    0
  • Yes, now we're on the right track. I'll look into what you came up with; I also found this article here:

    https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/ConfigureDataCollection#Use_checkpoints_for_incremental_data_collection

    Which describes exactly the sort of thing we're trying to do. 

    0
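Putting the thread's pieces together (the relative window discussed in the second and third comments, and the checkpoint approach the Splunk Add-on Builder page linked above describes), here is an added example; it is not xMatters', Splunk's or any poster's code. It remembers the newest event `created` time it has ingested, builds the next /api/xm/1/events URL with `from` as the older bound and `to` as the newer one (the two tokens in the earlier comment's URL are in the reverse order), re-reads a small overlap each poll so a late-indexed event is not lost, and discards duplicates by event id. The response field names (`data`, `id`, `created`, `links.next`) and the two sample pages are assumptions constructed for the example; check them against your own tenant's responses.

```python
"""
Added example (not xMatters, Splunk or any poster's code): incremental
polling of the xMatters events endpoint using a persisted checkpoint
instead of a fixed from/to window.  Response field names and the sample
pages below are assumptions constructed for this example.
"""
import datetime as dt
import json
from urllib.parse import urlencode

EVENTS_PATH = "/api/xm/1/events"
OVERLAP = dt.timedelta(minutes=1)          # re-read a little history on every poll
INITIAL_LOOKBACK = dt.timedelta(hours=2)   # window used when no checkpoint exists yet
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"           # %f accepts the API's 3-digit millis


def to_iso(t):
    """Format a naive UTC datetime as YYYY-MM-DDThh:mm:ss.sssZ (from/to format)."""
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (t.microsecond // 1000)


def from_iso(s):
    return dt.datetime.strptime(s, TS_FMT)


def poll_window(checkpoint, now):
    """Return (from, to) for the next poll; 'from' is always the OLDER bound.

    With a checkpoint we back off by OVERLAP so an event created just before
    the previous 'to' but indexed slightly late is still picked up; the
    re-read duplicates are removed by ingest().
    """
    start = now - INITIAL_LOOKBACK if checkpoint is None else checkpoint - OVERLAP
    return min(start, now), now


def build_poll_url(checkpoint, now):
    start, end = poll_window(checkpoint, now)
    query = urlencode({"embed": "properties", "from": to_iso(start), "to": to_iso(end)})
    return EVENTS_PATH + "?" + query


def ingest(pages, state):
    """Consume already-parsed response pages (a real poller follows links.next).

    state = {"checkpoint": datetime or None, "seen": {event_id: created}}
    Returns only the events not delivered by an earlier poll and advances
    the checkpoint in place.
    """
    new_events = []
    for page in pages:
        for ev in page.get("data", []):
            eid, created = ev["id"], from_iso(ev["created"])
            if eid in state["seen"]:
                continue                            # re-read from the overlap window
            state["seen"][eid] = created
            new_events.append(ev)
            if state["checkpoint"] is None or created > state["checkpoint"]:
                state["checkpoint"] = created
    if state["checkpoint"] is not None:
        # Forget ids that can no longer be returned by the overlap re-read.
        floor = state["checkpoint"] - OVERLAP
        state["seen"] = {k: v for k, v in state["seen"].items() if v >= floor}
    return new_events


def save_state(state):
    """Serialise the checkpoint (e.g. into Splunk's checkpoint directory)."""
    cp = state["checkpoint"]
    return json.dumps({"checkpoint": to_iso(cp) if cp else None,
                       "seen": {k: to_iso(v) for k, v in state["seen"].items()}})


def load_state(blob):
    raw = json.loads(blob)
    cp = raw.get("checkpoint")
    return {"checkpoint": from_iso(cp) if cp else None,
            "seen": {k: from_iso(v) for k, v in raw.get("seen", {}).items()}}


# Constructed sample pages, not real tenant data.  Page B is what the second
# poll returns: e2 again (inside the overlap window) plus one new event, e3.
PAGE_A = {"data": [{"id": "e1", "created": "2017-05-01T14:05:00.000Z", "status": "ACTIVE"},
                   {"id": "e2", "created": "2017-05-01T14:20:00.000Z", "status": "TERMINATED"}],
          "links": {"next": None}}
PAGE_B = {"data": [{"id": "e2", "created": "2017-05-01T14:20:00.000Z", "status": "TERMINATED"},
                   {"id": "e3", "created": "2017-05-01T14:21:30.000Z", "status": "ACTIVE"}],
          "links": {"next": None}}


def demo():
    """Two consecutive polls; returns the URLs used, new ids, and the checkpoint."""
    state = {"checkpoint": None, "seen": {}}
    now1 = dt.datetime(2017, 5, 1, 14, 30)
    url1 = build_poll_url(state["checkpoint"], now1)       # first poll: lookback window
    new1 = [e["id"] for e in ingest([PAGE_A], state)]
    state = load_state(save_state(state))                  # round-trip through the checkpoint file
    now2 = now1 + dt.timedelta(minutes=5)
    url2 = build_poll_url(state["checkpoint"], now2)       # second poll: checkpoint minus overlap
    new2 = [e["id"] for e in ingest([PAGE_B], state)]
    return url1, new1, url2, new2, to_iso(state["checkpoint"])


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The tokens.py approach in the earlier comment computes a sliding window but has no memory of what was already fetched, so every poll that overlaps the previous one re-indexes the same events; keeping the checkpoint and the small `seen` map (persisted between runs, in Splunk's checkpoint directory or wherever the modular input stores state) is what makes the collection incremental and duplicate-free.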
  • Is there a way that this could, say, stream to a HEC input, or log events as they come in (streaming instead of an API pull query)? Just a thought ;)

    0
  • Agreed, that would be a much better way to do it.

    0
