JSON Path from HTTP API Input

The JSON path value from HTTP API input reads any JSON response of a REST resource and stores a field value as a Graylog message.

Hint: This input can only target JSON primitive value nodes (numbers, text, strings, etc.) and not object and array nodes.

Configure the Input in Graylog

After launching your new input, configure the following fields based on your preferences: 

  • Global

    • Click the Global check box to enable this input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

  • Node

    • Select the node on which to start this input. If the Global check box is selected, this option is not available.

  • Title

    • Provide a unique name for your input.

  • URI of JSON resource

    • Enter the URI for a resource that returns JSON on an HTTP request.

  • Interval

    • Set the time between every collector run. The time unit is set in the next field.

      Example: If you set the Interval to 5 and the Interval time unit to minutes, then the collector runs every 5 minutes.

  • Interval time unit

    • Select a time unit from the drop-down menu.

  • JSON path of data to extract

    • Use standard JSON notation to enter the path to the value you want to extract from the JSON response. See the Use Case below for more detail.

  • Message source

    • Enter what to use as the source field of the resulting message.

  • Enable Throttling

    • Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

  • HTTP method (optional)

    • Select the HTTP method to use for the requests from the drop-down menu. The default value is GET.

  • HTTP body (optional)

    • Enter the HTTP body for requests. If you choose POST or PUT for HTTP method, this field is required instead of optional.

  • HTTP content type (optional)

    • Select the content type for requests. If you choose POST or PUT for HTTP method, this field is required instead of optional.

  • Additional, sensitive HTTP headers (optional)

    • Add a comma-separated list of HTTP headers containing sensitive information. For example, use this field to enter authorization credentials. Example: Authorization: Bearer <token>

  • Additional HTTP headers (optional)

    • Add a comma separated list of additional HTTP headers. Example: Accept: application/json, X-Requester: Graylog

  • Override source (optional)

    • By default, the source is a hostname derived from the received packet. You can override the default value with a custom string. This option allows you to optimize the source for your specific needs.

  • Encoding (optional)

    • All messages need to support the encoding configured for the input. For example, UTF-8 encoded messages should not be sent to an input configured to support UTF-16.

  • Flatten JSON

    • Select this option to flattened the whole JSON. The result is returned as message fields.

Copy
source = github ,jsonpath = $.download_count, interval time unit = Minutes

Use Case

Let’s try to read the download count of a release package stored on GitHub for analysis in Graylog. The call looks like this:

Copy
$ curl -XGET https://api.github.com/repos/YourAccount/YourRepo/releases/assets/12345
{
  "url": "https://api.github.com/repos/YourAccount/YourRepo/releases/assets/12345",
  "id": 12345,
  "name": "somerelease.tgz",
  "label": "somerelease.tgz",
  "content_type": "application/octet-stream",
  "state": "uploaded",
  "size": 38179285,
  "download_count": 9937,
  "created_at": "2013-09-30T20:05:01Z",
  "updated_at": "2013-09-30T20:05:46Z"
}

The attribute we want to extract is download_count so we set the JSON path to $.download_count.

The result is a message in Graylog that looks like this:

You can use Graylog to analyze your download counts now.

Use JSONPath

JSONPath can do much more than allow you to select a simple known field value. You could, for example, utilize JSONPath to select the first download_count from a list of releases where the field state has the value uploaded:

Copy
$.releases[?(@.state == 'uploaded')][0].download_count

or only the first download count at all:

Copy
$.releases[0].download_count

You can learn more about JSONPath in the documentation.