API monitoring using splunk

Question

I have one API : [GET] http:localhost:8080/myservice/fetchdetails. Now, I want to raise splunk alert whenever this API is down for any reason.

So, I have my search query as |eval ['http:localhost:8080/myservice/fetchdetails'] | search status=20* to monitor the API.

But it is not fetching me any result. What should be the search query such that it makes a get call to the API and then capture the response status?

What are you trying to accomplish? What does your data look like? — warren
@warren: I am trying to call a get API and check the status of the API, and subsequently trigger an alert based upon the status. — Shadab
that...doesn't really explain at all what you're trying to do. What does your data look like? What API are you trying to use? What have you tried? Elaborate your whole use case into the question, complete with what you've tried, sample data, and expected output. — warren
@warren: the response data is a JSON. Primarily , I am trying to make a get call from the search query and capture the result, then raise a splunk alert on filtering the result. — Shadab

warren warren · Accepted Answer · 2021-04-01T18:40:27

Based on your expanded question, you're going to need to actually get that REST endpoint's data into Splunk

There are at least two ways to do this

First - use the REST API Modular Input and ingest data from the endpoint. If you don't get data within some timeframe...send an Email.

Second - create your own scripted input that periodically hits your endpoint (maybe with wget or curl), and reports an HTTP status code into Splunk. Your Alert can then check to see if the code isn't 200 (or whatever else you want to consider "valid"). If it's "invalid", send an email.

API monitoring using splunk

2 Answers