Sample for /ariel/searches filter

IBM / api-samples

Samples code that uses QRadar API's

Apache License 2.0

198 stars 82 forks source link

Sample for /ariel/searches filter #7

Closed makefu closed 9 years ago

makefu commented 9 years ago

I am looking for a working sample how to use the filter parameter in the /ariel/searches path. I am trying to retrieve all searches which are neither "COMPLETED" nor "FAILED" without the need to query each search explicitly.

tosmun commented 9 years ago

/ariel/searches produces a list of search IDs only; additional information from /ariel/searchesis not provided. filter in this case just filters on the ID of the search.

The steps you would need to follow to get those of a particular status are: 1) Get list of search IDs from /ariel/searches For each ID: i) Query via /ariel/searches/{search_id} ii) If the status is not COMPLETED or FAILED, ignore it Since REST APIs are stateless by nature, you should expect/allow 404 response in the event a search is deleted while you are looking through them.

makefu commented 9 years ago

I still do not understand what i can do with the filter, the sample text states:

field_one = "String" and field_two > 42 or not field_three in (1, 2, 3)

The details state:

 Optional - This parameter is used to restrict the elements in a list base on the contents of various fields.

I tried a lot of combinations but i do not know what field names there are and what the primary use case was when spec'ing this functionality.

In the time being i already implemented exactly the same algo you proposed in an async fashion to speed up the process a bit. Besides COMPLETED and CANCELED i also had to check for Error 500 which happen to happen sometimes on the system.

tosmun commented 9 years ago

Like range, the filter parameter is something that is almost universally supported in the QRadar API framework where the response content contains a list. As a result, in some cases it is not as relevant as others. In all cases however, it applies directly to the response text that you receive from the endpoint to the nearest list structure (unless otherwise stated).

In this case (GET /ariel/searches) it just returns a list of Strings, so you can only filter on the String itself. You can target that field using the reserved name .. For example: . in ("02562134-3455-4bbc-8a18-a323c6cef781", "02d10253-dc8c-4e98-b60d-e5dc0f619b50")

In a more realistic case, you can filter on field contents, for example on GET /ariel/searches/events: name = "sourceip" The result will contain the sourceip column only:

{
  "columns": [
    {
      "indexable": true,
      "name": "sourceip",
      "argument_type": "JAVA_OBJECT"
    }
  ]
}

makefu commented 9 years ago

Everything makes sense now! I really hope this issue tracker becomes the universal source for all the undocumented Quirks in the Qradar API :+1:

Regards

K-Moss commented 9 years ago

Hi makefu, In addition to this issue tracker on the samples, there's also an API forum with various questions and answers over on developer works.. I also wanted to let you know that we are working on improving the API documentation available on the Knowledge Center for the next release to have improved content around filtering.