Respected Contributor..

REST FlexConnector URL query with START_AT_TIME


Hello,

I have a problem with using START_AT_TIME in the request URL.

If I want to use the START_AT_TIME variable in the request URL, the connector has a problem with this URL every time: a 400 Bad Request error every time.

Does anyone have experience with it?

If I use the URL request without the timestamp (START_AT_TIME), it works.

Does not work (agent.properties):

agents[0].eventsurl=http\://10.123.123.123\:9200/logs/auditlog/_search?q\=ended\:\[$START_AT_TIME+TO+*\]
agents[0].startattime=2019-07-30T06\:00\:00.235Z

Works (agent.properties):

agents[0].eventsurl=http\://10.123.123.123\:9200/logs/auditlog/_search?_size=1000
agents[0].startattime=2019-07-30T06\:00\:00.235Z

 

But I do not want duplicates in events; I need to use the timestamp (START_AT_TIME) in the URL request.

I also tried restutil for testing. There it is necessary to use URL encoding, but the only responses without a 400 are hits with nothing (total 0) or with all events from the responding application (not filtered).

Regards,

Jan Sevela


Accepted Solutions
Respected Contributor..

Hello,

To use START_AT_TIME correctly, it is necessary to correctly use the following in agent.properties:
timestamp_format_of_api_vendor

And in my URL query there was a problem with the "+" character.

bad URL:
http://10.123.123.123:9200/logs/auditlog/_search?q=ended:[$START_AT_TIME+TO+*]

good URL:
http://10.123.123.123:9200/logs/auditlog/_search?q=ended:[$START_AT_TIME TO *]

Regards,
Jan Sevela
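
The difference between the bad and good URLs above, as an added example that is not part of the original post and is not ArcSight code. It assumes the client percent-encodes the query value before sending (the thread does not show what the connector actually sends) and decodes the result the way an HTTP server does; the function names and the range regex are illustrative.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed inputs modelled on the agent.properties values in this thread.
START_AT_TIME = "2019-07-30T06:00:00.235Z"
HOST = "http://10.123.123.123:9200/logs/auditlog/_search"
BAD_TEMPLATE = HOST + "?q=ended:[$START_AT_TIME+TO+*]"
GOOD_TEMPLATE = HOST + "?q=ended:[$START_AT_TIME TO *]"
BROWSER_URL = HOST + "?q=ended:[%222019-08-04T06:00:00.235Z%22+TO+*]"

# query_string range syntax: field:[start TO end], real spaces around TO.
RANGE_RE = re.compile(r"^\w+:\[\S+ TO \S+\]$")


def encode_like_strict_client(template, start):
    """ASSUMPTION (not confirmed on the page): the client substitutes the
    timestamp, then percent-encodes the whole query value, so a literal
    '+' is sent as %2B and a space as %20."""
    url = template.replace("$START_AT_TIME", start)
    base, _, query = url.partition("?")
    key, _, value = query.partition("=")
    return f"{base}?{key}={quote(value, safe='')}"


def server_side_query(url):
    """Decode q as an HTTP server does: %XX is unescaped, a raw '+' is a space."""
    return parse_qs(urlsplit(url).query)["q"][0]


def is_valid_range(q):
    """True when the decoded q is a well-formed range expression."""
    return RANGE_RE.match(q) is not None


def diagnose(template):
    """Return (URL on the wire, q as the server sees it, parses as a range?)."""
    wire = encode_like_strict_client(template, START_AT_TIME)
    q = server_side_query(wire)
    return wire, q, is_valid_range(q)


if __name__ == "__main__":
    for name, tpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        wire, q, ok = diagnose(tpl)
        print(f"{name}: {wire}\n  server sees: {q}\n  valid range: {ok}")
    print("browser:", server_side_query(BROWSER_URL))
```

Under that assumption the "+" template reaches the server as a literal plus sign inside the range, while the same "+" typed into a browser is sent raw and decoded as a space.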

Knowledge Partner

Why did you use a backslash in the URL? There is no such thing in the development guide. Did you do the mapping for deviceReceiptTime?

Can you provide a working URL for querying the events with start time option?

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Respected Contributor..

Hello,

Backslashes in the URL in agent.properties are added automatically after the connector starts.

Yes, in the parser I set deviceReceiptTime from the events.

A working query for the browser, restutil or FlexConnector?

For FlexConnector I have not found any working query.

For the browser, for example:

http://10.123.123.123:9200/logs/auditlog/_search?q=ended:[%222019-08-04T06:00:00.235Z%22+TO+*]

For restutil, only an example with all events from the endpoint:

C:\arcsight\connectors\flex_rest\current\bin>arcsight restutil execute -url "http://10.123.123.123:9200/logs/auditlog/_search?q=ended%3a%5b%222019-07-29T06%3a00%3a00.235Z%22+TO+%2a%5d"

Knowledge Partner

As I can see, the date is enclosed by double quotes. Can you try the following?

agents[0].eventsurl=http://10.123.123.123:9200/logs/auditlog/_search?q=ended:["$START_AT_TIME"+TO+*]
agents[0].startattime=2019-07-30T06:00:00.235+02:00

Please use the latest connector and check the documentation for the startattime value format.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Respected Contributor..

Sorry,

The response to your idea in agent.log:

400 Bad request.

About the connector: I am using the latest version and reading the latest documentation.

Jan Sevela

Knowledge Partner

Can you see what URL the connector sends to the API? It should be somewhere in the agent.log. Maybe you can compare it to a working URL.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Respected Contributor..

Hello,

Yes, I compared it and tried a lot of combinations. Any combination works in the browser but not in the connector.

Jan

Respected Contributor..

Hello,

Does anyone have any idea what else I can do with it?

Regards,
Jan Sevela
