
Thread: REST API event query need date time range

  1. #1
    steven cjhsiao NNTP User

    REST API event query need date time range


    We are planning to send the incident to our own Help Desk system. We need
    the incident handler to be able to search the incident-related events from our
    Help Desk system via the Sentinel REST API.

    I have studied the Sentinel REST API, and can list the events by
    "Events - Event List and Create Methods".

    ie.
    https://164.99.19.131:8443/SentinelR.../objects/event

    However, this event list only has 4 parameters: query, field, page,
    and pagesize. We can't submit the datetime range by this method. How can
    we submit the event list query with a datetime range via the Sentinel
    REST API? Or is there any other method that can be used to submit a
    search query with a datetime range and then get the related events?

    In addition, every time I submit the event list query by REST API, the
    'Too many open files' error message appears in server0.0.log.

    Tue Aug 28 23:18:23 CST 2012|INFO|Thread-697013|esecurity.ccs.comp.audit.AuditLogger.execute
    Audit Medium:: Action by user admin via Sentinel service
    Indexed Search object Events method EventSearch client 127.0.0.1
    succeeded : Event Search: Type USER, DATE-RANGE: Whenever,
    MAX-EVENTS=100,000, QUERY-EXPRESSION=[sev\:1],
    SECURITY-FILTER=[<empty>], TAGS-FILTER=[<empty>],
    INTERNAL-EVENT-FILTER=[<empty>], with XDAS taxonomy name:
    XDAS_AE_QUERY_DATA_ITEM_CONTENTS
    Tue Aug 28 23:18:24 CST 2012|SEVERE|pool-153-thread-5|esecurity.ccs.comp.event.indexedlog.IndexedLogSearchJob$PartitionHitsRetrieverTask.call
    IO Error performing search for the day Jul 12, 2012 (UTC).;
    Exception
    /var/opt/novell/sentinel/data/eventdata/events/20120712_6E1CCA35-4BD4-102D-91CD-000C2907C76D/index/_0.fdx
    (Too many open files); java.io.FileNotFoundException;
    Tue Aug 28 23:18:24 CST 2012|SEVERE|pool-153-thread-5|esecurity.ccs.comp.event.indexedlog.IndexedLogSearchJob$PartitionHitsRetrieverTask.call
    java.io.FileNotFoundException:
    /var/opt/novell/sentinel/data/eventdata/events/20120712_6E1CCA35-4BD4-102D-91CD-000C2907C76D/index/_0.fdx
    (Too many open files)

    Regards,
    Steven


    --
    steven_cjhsiao
    ------------------------------------------------------------------------
    steven_cjhsiao's Profile: https://forums.netiq.com/member.php?userid=544
    View this thread: https://forums.netiq.com/showthread.php?t=2965


  2. #2
    pblanchard NNTP User

    Re: REST API event query need date time range


    There is a way to specify the date/time range via the objects/event
    request (by adding ?query=_starttime_.e<time>.a_endtime_.e<time>), but
    the preferred method is to use the objects/event-search API. (BTW, the
    query syntax for ?query= is NOT the Lucene syntax).

    Creating an Event Search object allows more control over the search job
    parameters, including using Lucene syntax for the actual query.

    Basically, you POST a new Event Search object, then GET the object
    using the resulting URL. In the Event Search object is a URL that you
    can use to GET the first page of the actual event results.

    See https://<your server>:8443/SentinelRESTServices/apidoc/en/api-ref/Events/event-search-create.html

    Also, if you are going to use Java there is client-side code that makes
    it all a lot easier.

    Perin Blanchard




    --
    pblanchard
    ------------------------------------------------------------------------
    pblanchard's Profile: https://forums.netiq.com/member.php?userid=2132
    View this thread: https://forums.netiq.com/showthread.php?t=2965
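
The POST, GET, GET flow Perin describes, as an added Python illustration that is not NetIQ's client code and was not posted in this thread; the "Authorization: X-SAML <token>" header shape and the JSON key names (startTime, endTime, maxEvents, resultsUrl) are assumptions to check against the event-search-create apidoc page on your own server, and the server here is a constructed in-memory stand-in so the flow runs offline.

```python
import json
from datetime import datetime, timezone
SEARCH_PATH = "/SentinelRESTServices/objects/event-search"  # path from the apidoc URL in the thread

def request_headers(saml_token, extra=None):
    # Content headers go in first and the token last, so a later Content-Type or Accept
    # cannot replace it (the cause of "Insufficient permission for user 'Unknown'" above).
    headers = dict(extra or {})
    headers["Authorization"] = "X-SAML " + saml_token  # header shape is assumed
    return headers

def search_body(lucene_query, start, end, max_events=1000):
    # UTC date range plus Lucene query; key names are assumed, check event-search-create.html
    return {"query": lucene_query, "maxEvents": max_events,
            "startTime": start.astimezone(timezone.utc).isoformat(),
            "endTime": end.astimezone(timezone.utc).isoformat()}

def run_search(http, base, saml_token, lucene_query, start, end):
    # http(method, url, headers, body) -> (status, response_headers, json_body).
    # 1) POST the search object, 2) GET it at the returned URL, 3) GET its first results page.
    hdrs = request_headers(saml_token, {"Content-Type": "application/json",
                                        "Accept": "application/json"})
    status, rh, resp = http("POST", base + SEARCH_PATH, hdrs,
                            json.dumps(search_body(lucene_query, start, end)))
    if status not in (200, 201):  # 403 here is the 'Unknown' user case from the thread
        raise PermissionError(resp.get("Reason", {}).get("Text", f"status {status}"))
    _, _, search_obj = http("GET", rh["Location"], hdrs, None)
    _, _, page = http("GET", search_obj["resultsUrl"], hdrs, None)  # key name assumed
    return page

class FakeSentinel:
    # Constructed offline stand-in; like the real server it rejects requests lacking the token.
    def __init__(self):
        self.calls = []
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("X-SAML "):
            return 403, {}, {"Reason": {"Text": "Insufficient permission for user 'Unknown'."}}
        if method == "POST":
            return 201, {"Location": url + "/1"}, {}
        if url.endswith("/1"):
            return 200, {}, {"resultsUrl": url + "/results?page=1"}
        return 200, {}, {"events": [{"sev": 1, "msg": "constructed sample event"}]}

def demo(token="constructed-token"):
    fake = FakeSentinel()
    day = datetime(2012, 7, 12, tzinfo=timezone.utc)  # the day the quoted log was searching
    page = run_search(fake, "https://sentinel.example", token, "sev:1", day, day.replace(day=13))
    return page, fake.calls
```

Substitute a real HTTPS transport (with certificate verification) for FakeSentinel and the same three calls apply to a live server.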


  3. #3
    steven cjhsiao NNTP User

    Re: REST API event query need date time range


    Hi Perin

    Thank you for your response. I have been waiting for a long time.

    I don't see the document that you mention. http://tinyurl.com/9zwe3j6

    I only see this API document that is similar to Event Search Create,
    http://tinyurl.com/8jd8esb . Is this your advice for creating an Event
    Search object? I tried to use this method, but always got a Not
    Authorized error message, even when I log in as the admin user.

    I am using PHP right now, but if you have Java sample code for this
    Event Search function, it would be appreciated.

    Many thanks!

    Steven




  4. #4
    steven cjhsiao NNTP User

    Re: REST API event query need date time range


    Hi Perin

    The error message returned after calling Event Search Create is below.

    ["Reason"]=>
    object(stdClass)#7 (1) {
    ["Text"]=>
    string(43) "Insufficient permission for user 'Unknown'."
    }

    Steven




  5. #5
    steven cjhsiao NNTP User

    Re: REST API event query need date time range


    Hi Perin

    I have found the reason why the "Insufficient permission for user 'Unknown'"
    error is returned when creating the event search.
    The X-SAML token was overridden by other HTTP header parameters in my PHP
    script.

    I have successfully created the event search with a datetime range and a
    Lucene filter, and then finally got the search result.

    Thank you for your advice.

    Regards,
    Steven




  6. #6
    pblanchard NNTP User

    Re: REST API event query need date time range


    Glad you got it working.



