
REST API event query need date time range


We are planning to send the incident to our own Help Desk system. We need
the incident handler to be able to search the incident-related events from our
Help Desk system via the Sentinel REST API.

I have studied the Sentinel REST API, and can list the events by
"Events - Event List and Create Methods".

ie.
https://164.99.19.131:8443/SentinelRESTServices/objects/event

However, this event list only has 4 parameters: query,
field, page, pagesize. We can't submit the datetime range by this
method. How can we submit the event list query with a datetime range via the
Sentinel REST API? Or is there any other method that can be used to submit a search
query with a datetime range and then get the related events?

In addition, every time I submit the event list query by REST API, the
'Too many open files' error message appears in server0.0.log.

Tue Aug 28 23:18:23 CST
2012|INFO|Thread-697013|esecurity.ccs.comp.audit.AuditLogger.execute
Audit Medium:: Action by user admin via Sentinel service
Indexed Search object Events method EventSearch client 127.0.0.1
succeeded : Event Search: Type USER, DATE-RANGE: Whenever,
MAX-EVENTS=100,000, QUERY-EXPRESSION=[sev\:1],
SECURITY-FILTER=[<empty>], TAGS-FILTER=[<empty>],
INTERNAL-EVENT-FILTER=[<empty>], with XDAS taxonomy name:
XDAS_AE_QUERY_DATA_ITEM_CONTENTS
Tue Aug 28 23:18:24 CST
2012|SEVERE|pool-153-thread-5|esecurity.ccs.comp.event.indexedlog.IndexedLogSearchJob$PartitionHitsRetrieverTask.call
IO Error performing search for the day Jul 12, 2012 (UTC).;
Exception
/var/opt/novell/sentinel/data/eventdata/events/20120712_6E1CCA35-4BD4-102D-91CD-000C2907C76D/index/_0.fdx
(Too many open files); java.io.FileNotFoundException;
Tue Aug 28 23:18:24 CST
2012|SEVERE|pool-153-thread-5|esecurity.ccs.comp.event.indexedlog.IndexedLogSearchJob$PartitionHitsRetrieverTask.call
java.io.FileNotFoundException:
/var/opt/novell/sentinel/data/eventdata/events/20120712_6E1CCA35-4BD4-102D-91CD-000C2907C76D/index/_0.fdx
(Too many open files)

Regards,
Steven


--
steven_cjhsiao
------------------------------------------------------------------------
steven_cjhsiao's Profile: https://forums.netiq.com/member.php?userid=544
View this thread: https://forums.netiq.com/showthread.php?t=2965


Re: REST API event query need date time range


There is a way to specify the date/time range via the objects/event
request (by adding ?query=_starttime_.e<time>.a_endtime_.e<time>), but
the preferred method is to use the objects/event-search API. (BTW, the
query syntax for ?query= is NOT the Lucene syntax).

Creating an Event Search object allows more control over the search job
parameters, including using Lucene syntax for the actual query.

Basically, you POST a new Event Search object, then GET the object
using the resulting URL. In the Event Search object is a URL that you
can use to GET the first page of the actual event results.

See https://<your server>:8443/SentinelRESTServices/apidoc/en/api-ref/Events/event-search-create.html

Also, if you are going to use Java there is client-side code that makes
it all a lot easier.

Perin Blanchard




--
pblanchard
------------------------------------------------------------------------
pblanchard's Profile: https://forums.netiq.com/member.php?userid=2132
View this thread: https://forums.netiq.com/showthread.php?t=2965


Re: REST API event query need date time range


Hi Perin

Thank you for your response. I have been waiting for a long time.

I don't see the document that you mention. http://tinyurl.com/9zwe3j6

I only see this API document, which is similar to Event Search Create:
http://tinyurl.com/8jd8esb . Is this what you mean by creating an Event
Search object? I tried to use this method, but always got a Not
Authorized error message, even when I log in as the admin user.

I am using PHP right now, but if you have the Java sample code for this
Event Search function, it would be appreciated.

Many thanks!

Steven


--
steven_cjhsiao
------------------------------------------------------------------------
steven_cjhsiao's Profile: https://forums.netiq.com/member.php?userid=544
View this thread: https://forums.netiq.com/showthread.php?t=2965


Re: REST API event query need date time range


Hi Perin

The error message returned after calling Event Search Create is below.

["Reason"]=>
object(stdClass)#7 (1) {
["Text"]=>
string(43) "Insufficient permission for user 'Unknown'."
}

Steven


--
steven_cjhsiao
------------------------------------------------------------------------
steven_cjhsiao's Profile: https://forums.netiq.com/member.php?userid=544
View this thread: https://forums.netiq.com/showthread.php?t=2965


Re: REST API event query need date time range


Hi Perin

I have found the reason why the "Insufficient permission for user 'Unknown'"
error is returned when creating an event search.
The X-SAML Token header was overridden by other HTTP header parameters in my PHP
script.

I have successfully created the event search with a datetime range and
Lucene filter, and then got the search result.

Thank you for your advice.

Regards,
Steven


--
steven_cjhsiao
------------------------------------------------------------------------
steven_cjhsiao's Profile: https://forums.netiq.com/member.php?userid=544
View this thread: https://forums.netiq.com/showthread.php?t=2965
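The flow Perin describes (POST an Event Search object, GET it at the returned URL, then GET the results URL it contains), together with the header-ordering mistake Steven found above, as an added example in Python rather than the thread's PHP; it is not code from the thread or from NetIQ. The HTTP transport is injected so the flow can run offline; the `Location` header, the `results_url` key, the exact `X-SAML-Token` header spelling and the request body field names are assumptions to be checked against event-search-create.html on your server.

```python
import json
import urllib.request
import urllib.error

EVENT_SEARCH_PATH = "/SentinelRESTServices/objects/event-search"
EVENT_LIST_PATH = "/SentinelRESTServices/objects/event"

def event_list_url(base, start, end):
    """objects/event URL using the date-range query syntax from Perin's reply.
    The thread does not state the time format; pass the form your server accepts."""
    return f"{base}{EVENT_LIST_PATH}?query=_starttime_.e{start}.a_endtime_.e{end}"

def auth_headers(token, extra=None):
    """Merge caller headers first and set the token last, so a later header set
    can never replace it (that replacement produced user 'Unknown' in the thread)."""
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    headers.update(extra or {})
    headers["X-SAML-Token"] = token   # assumed exact header spelling; thread says "X-SAML Token"
    return headers

def run_event_search(http, base, token, body, extra_headers=None):
    """POST the search, GET the job object, GET the first results page.
    http(method, url, headers, body) returns (status, response_headers, parsed_json).
    `body` carries the search parameters (date range, Lucene query); field names come
    from event-search-create.html and are the caller's responsibility here."""
    status, hdrs, _ = http("POST", base + EVENT_SEARCH_PATH,
                           auth_headers(token, extra_headers), json.dumps(body))
    if status not in (200, 201):
        raise RuntimeError(f"event-search create failed: HTTP {status}")
    job_url = hdrs.get("Location")            # assumption: new object's URL in Location
    status, _, job = http("GET", job_url, auth_headers(token, extra_headers), None)
    if status != 200:
        raise RuntimeError(f"event-search fetch failed: HTTP {status}")
    results_url = job["results_url"]          # assumption: key holding the results page URL
    status, _, page = http("GET", results_url, auth_headers(token, extra_headers), None)
    if status != 200:
        raise RuntimeError(f"results fetch failed: HTTP {status}")
    return page

def urllib_http(method, url, headers, body):
    """Real transport; TLS verification stays enabled, so trust the Sentinel CA
    rather than disabling checks when connecting to the server by IP address."""
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as r:
            raw = r.read()
            return r.getcode(), dict(r.headers), json.loads(raw or b"null")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), None
```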


Re: REST API event query need date time range


Glad you got it working.


--
pblanchard
------------------------------------------------------------------------
pblanchard's Profile: https://forums.netiq.com/member.php?userid=2132
View this thread: https://forums.netiq.com/showthread.php?t=2965
