Splunk REST_API Check
The REST_API check fetches data from the endpoint named in the request field and analyzes the returned output with regular expressions to determine whether the data matches the expected output.
Usage
<custom_item>
type : REST_API
description : [description]
request : [api endpoint name]
(optional) json_transform : [jq expression to transform results]
(optional) regex : [regular expression to reduce options]
(optional) expect : [regular expression that passes if found]
(optional) match_all : [YES|NO]
(optional) match_case : [YES|NO]
</custom_item>
request
The request field is the API endpoint name to fetch results from.
json_transform
(Optional) json_transform is a jq expression. Use it to transform and format the JSON results returned from an endpoint. This is helpful for reducing the output to only the fields required for assessment.
regex
(Optional) The regex field filters the full output down to a smaller set of lines of text based on the regular expression. You can specify multiple regex fields to progressively narrow the searchable output.
expect
(Optional) For the expect field, if the regular expression matches a line of text, the check results as PASSED. If there are no matches, the check results as FAILED.
To indicate whether all lines need to match or that lines are case-sensitive, use the modifiers match_all or match_case, respectively.
match_all
(Optional) Set match_all to YES to require every line of text to match the expect expression, not just a single line. With the default of NO, only one line must match for the check to pass.
match_case
(Optional) Set match_case to YES to make the comparison case-sensitive. Set match_case to the default of NO to make the comparison case-insensitive.
Example
<custom_item>
type : REST_API
description : "List projects"
request : "listProjects"
json_transform : ".[] | .projectId"
</custom_item>
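The following Python evaluator is an added illustration of the field semantics described above (json_transform, regex, expect, match_all, match_case) applied to the page's example; it is not Tenable's or Splunk's code. The sample endpoint response is constructed, jq is not invoked (a small Python function stands in for the ".[] | .projectId" transform), and the behaviour when no expect field is given is an assumption noted in the code.

```python
import json
import re
from typing import Iterable, List, Optional, Sequence

# Constructed sample response for a "listProjects"-style endpoint.
# Illustrative data only, not real Splunk output.
SAMPLE_RESPONSE = json.dumps([
    {"projectId": "prod-web", "owner": "alice"},
    {"projectId": "Dev-Sandbox", "owner": "bob"},
    {"projectId": "legacy-ftp", "owner": "carol"},
])


def transform_project_ids(raw_json: str) -> List[str]:
    """Python stand-in for the jq expression '.[] | .projectId' from the
    page's example: emit one line of text per element's projectId."""
    data = json.loads(raw_json)
    return [str(item["projectId"]) for item in data if "projectId" in item]


def apply_regex_filters(lines: Iterable[str], regexes: Sequence[str],
                        match_case: bool) -> List[str]:
    """Each regex narrows the surviving line set further, mirroring the use
    of several regex fields to reduce the searchable output."""
    flags = 0 if match_case else re.IGNORECASE
    kept = list(lines)
    for pattern in regexes:
        compiled = re.compile(pattern, flags)
        kept = [line for line in kept if compiled.search(line)]
    return kept


def evaluate_expect(lines: List[str], expect: str,
                    match_all: bool, match_case: bool) -> str:
    """Apply the expect expression with the match_all / match_case modifiers
    and return the check result, PASSED or FAILED."""
    flags = 0 if match_case else re.IGNORECASE
    compiled = re.compile(expect, flags)
    if not lines:
        # Nothing survived filtering, so nothing can match: FAILED even with
        # match_all set (all() over an empty list would otherwise be True).
        return "FAILED"
    hits = [bool(compiled.search(line)) for line in lines]
    if match_all:
        return "PASSED" if all(hits) else "FAILED"
    return "PASSED" if any(hits) else "FAILED"


def run_rest_api_check(raw_json: str, regex: Sequence[str] = (),
                       expect: Optional[str] = None,
                       match_all: bool = False,
                       match_case: bool = False) -> str:
    """Run the full pipeline: transform -> regex filters -> expect."""
    lines = transform_project_ids(raw_json)
    lines = apply_regex_filters(lines, regex, match_case)
    if expect is None:
        # Assumption (not stated on the page): with no expect field, treat
        # the check as PASSED when any lines remain after filtering.
        return "PASSED" if lines else "FAILED"
    return evaluate_expect(lines, expect, match_all, match_case)


if __name__ == "__main__":
    # Any one project ID starting with "prod-" is enough by default ...
    print(run_rest_api_check(SAMPLE_RESPONSE, expect="^prod-"))
    # ... but match_all requires every remaining line to match.
    print(run_rest_api_check(SAMPLE_RESPONSE, expect="^prod-", match_all=True))
    # match_case makes both the regex filter and expect case-sensitive.
    print(run_rest_api_check(SAMPLE_RESPONSE, regex=["dev"], expect="sandbox"))
    print(run_rest_api_check(SAMPLE_RESPONSE, regex=["dev"], expect="sandbox",
                             match_case=True))
```

The pipeline order matters: the regex fields reduce the line set first, and expect is then evaluated only over what remains, so a regex that matches nothing yields FAILED regardless of the expect expression.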