AutomationGeek Frequent Contributor.

Execute Query via ESM REST API?


I have the following simple query that executes cleanly and provides results when used on the Event Search page of ArcSight Command Center 6.11.

deviceVendor  = "ACME"       and
deviceProduct = "ForceField" and
sourceAddress = "10.10.10.10"

What I'd like to do is use the ESM REST API from a Python program to execute the same query. Can anyone tell me what I need to do to make this happen? Thank you.

 


Accepted Solutions
Micro Focus Expert

Re: Execute Query via ESM REST API?


Easiest is to attach a queryviewer over it and use the API to fetch it.

I have a few topics in which I have answered that before, so please check this one for examples:

https://community.microfocus.com/t5/ArcSight-User-Discussions/ArcSight-ESM-API-for-Getting-the-Query-Viewer-Data/m-p/1687030#M45999

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius

AutomationGeek Frequent Contributor.

Re: Execute Query via ESM REST API?


Thank you @Marius2.  I had struggled with the "QueryViewerService/getMatrixData" request earlier, but got it to work by renaming "qvs.resourceId" to "qvs.id".  Here's the snippet:

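import sys

import requests

# Placeholders, not from the original post: set these for your environment.
_ARCST_URL = "https://esm.example.com:8443/www/manager-service/rest/"  # assumed base URL
_ARCST_SESSION_ID = None  # auth token from the login step elided below

def _arcst_request(path, payload=None, action="POST",
                   stem=_ARCST_URL):
    # Wrapper code around requests here....
    # Minimal stand-in for the elided wrapper: send JSON, return parsed JSON.
    resp = requests.request(action, stem + path, json=payload or {},
                            headers={"Accept": "application/json"}, timeout=30)
    resp.raise_for_status()
    return resp.json()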

def arcst_srch1(query, pageSize=500):
    payload = {
        "mss.search1": {
            "mss.authToken":            _ARCST_SESSION_ID,
            "mss.queryStr":             query,
            "mss.pageSize":             pageSize,
        },
    }

    return _arcst_request("ManagerSearchService/search1", payload)

def arcst_get_query_viewer(qvsresourceid):
    payload = {
        "qvs.getMatrixData": {
            "qvs.authToken":    _ARCST_SESSION_ID,
            "qvs.id":           qvsresourceid,
        }
    }

    return _arcst_request("QueryViewerService/getMatrixData", payload)

if __name__ == "__main__":
    # ...

    ret_limit = 5
    query = "GLR"
    ret = arcst_srch1(query, ret_limit)

    # Find the UUID of the QueryViewer we want
    vwrname = "GLR QryVwr 01"
    hits    = ret.get("mss.search1Response", {}).get("mss.return", {}).get("searchHits", [])
    uuid    = None
    for rec in hits:
        if rec.get("name") != vwrname:
            continue
        uuid    = rec.get("uuid")
        break

    if not uuid:
        sys.exit("Unable to find Query Viewer '%s'" % vwrname)


    ret = arcst_get_query_viewer(uuid)
    # We have our data now ...
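
Added example (not part of the original post and not Micro Focus code): the two-step lookup from the snippet above as reusable functions that stop on a missing or ambiguous Query Viewer name instead of taking the first match. The names `find_viewer_uuid`, `fetch_viewer_data` and `demo_send`, and the constructed responses, are assumptions for illustration; `send` is any transport with the call shape of the post's `_arcst_request`.

```python
"""Added example: resolve a Query Viewer by name, then fetch its data."""

SEARCH_PATH = "ManagerSearchService/search1"
MATRIX_PATH = "QueryViewerService/getMatrixData"


def find_viewer_uuid(search_response, viewer_name):
    """Return the UUID of the single search hit named viewer_name."""
    body = search_response.get("mss.search1Response", {}).get("mss.return", {})
    hits = body.get("searchHits") or []
    if isinstance(hits, dict):  # assumption: a lone hit may arrive as an object
        hits = [hits]
    uuids = {h["uuid"] for h in hits
             if h.get("name") == viewer_name and h.get("uuid")}
    if not uuids:
        raise LookupError("no search hit named %r" % viewer_name)
    if len(uuids) > 1:
        raise LookupError("%r is ambiguous: %s" % (viewer_name, sorted(uuids)))
    return uuids.pop()


def fetch_viewer_data(send, token, search_term, viewer_name, page_size=500):
    """send(path, payload) is any transport, e.g. the post's _arcst_request."""
    found = send(SEARCH_PATH, {"mss.search1": {
        "mss.authToken": token,
        "mss.queryStr": search_term,
        "mss.pageSize": page_size,
    }})
    uuid = find_viewer_uuid(found, viewer_name)
    # The key is "qvs.id", not "qvs.resourceId", as reported in the post.
    return send(MATRIX_PATH, {"qvs.getMatrixData": {
        "qvs.authToken": token,
        "qvs.id": uuid,
    }})


def demo_send(path, payload):
    """Constructed stand-in for the ESM server so the example runs offline."""
    if path == SEARCH_PATH:
        return {"mss.search1Response": {"mss.return": {"searchHits": [
            {"name": "GLR Query 01", "uuid": "constructed-uuid-query"},
            {"name": "GLR QryVwr 01", "uuid": "constructed-uuid-viewer"},
        ]}}}
    # Constructed echo, not the real getMatrixData response shape.
    return {"requested": payload["qvs.getMatrixData"]["qvs.id"]}


if __name__ == "__main__":
    print(fetch_viewer_data(demo_send, "constructed-token", "GLR", "GLR QryVwr 01"))
```

A small page size, such as the 5 used in the post, can cut the viewer out of the search results, in which case the lookup raises `LookupError` rather than returning data for a different resource.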