The JSON path value from HTTP API input reads any JSON response of a REST resource and stores a field value as a Graylog message.

Configure the Input in Graylog

After launching your new input, configure the following fields based on your preferences: 

• Global

  • Click the Global check box to enable this input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

• Node

  • Select the node on which to start this input. If the Global check box is selected, this option is not available.

• Title

  • Provide a unique name for your input.

• URI of JSON resource

  • Enter the URI for a resource that returns JSON on an HTTP request.

• Interval

  • Set the time between every collector run. The time unit is set in the next field.

    Example: If you set the Interval to 5 and the Interval time unit to minutes, then the collector runs every 5 minutes.

• Interval time unit

  • Select a time unit from the drop-down menu.

• JSON path of data to extract

  • Use standard JSON notation to enter the path to the value you want to extract from the JSON response. See the Use Case below for more detail.

• Message source

  • Enter what to use as the source field of the resulting message.

• Enable Throttling

  • Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

• HTTP method (optional)

  • Select the HTTP method to use for the requests from the drop-down menu. The default value is GET.

• HTTP body (optional)

  • Enter the HTTP body for requests. If you choose POST or PUT for HTTP method, this field is required instead of optional.

• HTTP content type (optional)

  • Select the content type for requests. If you choose POST or PUT for HTTP method, this field is required instead of optional.

• Additional, sensitive HTTP headers (optional)

  • Add a comma-separated list of HTTP headers containing sensitive information. For example, use this field to enter authorization credentials. Example: Authorization: Bearer <token>

• Additional HTTP headers (optional)

  • Add a comma separated list of additional HTTP headers. Example: Accept: application/json, X-Requester: Graylog

• Override source (optional)

  • By default, the source is a hostname derived from the received packet. You can override the default value with a custom string. This option allows you to optimize the source for your specific needs.

• Encoding (optional)

  • All messages need to support the encoding configured for the input. For example, UTF-8 encoded messages should not be sent to an input configured to support UTF-16.

• Flatten JSON

  • Select this option to flattened the whole JSON. The result is returned as message fields.

source = github ,jsonpath = $.download_count, interval time unit = Minutes

Use Case

Let’s try to read the download count of a release package stored on GitHub for analysis in Graylog. The call looks like this:

$ curl -XGET https://api.github.com/repos/YourAccount/YourRepo/releases/assets/12345
{
  "url": "https://api.github.com/repos/YourAccount/YourRepo/releases/assets/12345",
  "id": 12345,
  "name": "somerelease.tgz",
  "label": "somerelease.tgz",
  "content_type": "application/octet-stream",
  "state": "uploaded",
  "size": 38179285,
  "download_count": 9937,
  "created_at": "2013-09-30T20:05:01Z",
  "updated_at": "2013-09-30T20:05:46Z"
}

The attribute we want to extract is download_count so we set the JSON path to $.download_count.

The result is a message in Graylog that looks like this:

You can use Graylog to analyze your download counts now.

Use JSONPath

JSONPath can do much more than allow you to select a simple known field value. You could, for example, utilize JSONPath to select the first download_count from a list of releases where the field state has the value uploaded:

$.releases[?(@.state == 'uploaded')][0].download_count

or only the first download count at all:

$.releases[0].download_count

You can learn more about JSONPath in the documentation.