quick_search
This REST API is a wrapper for Solr queries, which are used in the Investigation Dashboard. This command is similar to the search command, but has some improvements.
This API is available in Guardium v11.3 and later.
Each column in a result record is identified by a numeric code rather than a column name, for example: "15": "Failed Login - Alert and Quarantine if Repeated", "16": "5". To map the codes ("15" and "16", in this case) to the actual column names, use the getFieldsTitles API.
REST API syntax
This API uses the POST method.
Call this API as follows:
POST https://[Guardium hostname or IP address]:8443/restAPI/quick_search
Parameters
Parameter | Value type | Description |
---|---|---|
category | String | Required. The Guardium Solr collections. The categories generally map to the categories that are shown in the Investigation dashboard UI. To view the valid categories, call this REST API with all of the required parameters but enter a clearly invalid value (for example, category=kookoo). Guardium returns all valid values for category. |
endTime | String | Search for records that were created before the specified endTime. The time must be specified in the format YYYYMMDD+HH:MM:SS. |
fetchSize | Integer | The maximum number of records returned by the API. |
filters | String | Filters consume input and produce a stream of tokens. Filters must be in a specific format. For more information about filters, see the Apache Solr Reference Guide > Schema and Indexing Guide. |
firstPosition | Integer | The position in the result set at which to start returning records. Can be used together with fetchSize to iterate through the results. |
inputTZ | String | The initials of a timezone, such as UTC or EST. If provided, the startTime and endTime parameters are converted from that timezone to the Guardium appliance's timezone before the search is executed. All date fields in the results are converted from the Guardium appliance's timezone to the inputTZ timezone before the results are returned. To view the valid timezone codes, call this REST API with all of the required parameters but enter a clearly invalid value (for example, inputTZ=kookoo). Guardium returns all valid values for inputTZ. |
pivotBy | String | |
query | String | A Solr query. You can use this parameter to write free-form Solr query expressions. For more information, see the Apache Solr Reference Query Guide. |
startTime | String | Search for records that were created after the specified startTime. The time must be specified in the format YYYYMMDD+HH:MM:SS. |
summaryBy | String | Group results by the selected field code. You can specify up to 2 field title codes to group by. Note: To map the field codes to column names, use the getFieldsTitles API. |
withFacets | String | Include facets in the search. For more information, see Investigation dashboard for data or Investigation dashboard for files. Valid values are: Default = 0. |
api_target_host | String | Specifies the target hosts where the API executes. Valid values: IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode. |
Examples
curl -k --header "Authorization: Bearer <token>" -i -H "Content-Type: application/json" -X POST --data '
{"category": "ERROR", "inputTZ":"UTC","startTime": "20201019 00:00:01", "endTime": "20221225 10:11:11", "filters":"name=Server&value=9.55.205.70&isGroup=false" }
' https://<Guardium host>:8443/restAPI/quick_search
...
...
{ "2": "DB2_ZZ7I", "13": "2022-03-23 10:02:45", "3": "9.55.205.70", "14": "SESSION_GUESS", "_shard_": "my_company.com", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-23", "9": "14:02:45", "id": "3" }
curl -k --header "Authorization: Bearer <token>" -i -H "Content-Type: application/json" -X POST --data '
{"category": "ERROR", "inputTZ":"UTC","startTime": "20201019 00:00:01", "endTime": "20221225 10:11:11", "filters":"", "query":"Server=9.55.205.70 AND DB_Type=DB2", "fetchSize": "1000"}
' https://<Guardium host>:8443/restAPI/quick_search
...
...
{ "2": "DB2_ZZ7I", "13": "2022-03-23 10:02:45", "3": "9.55.205.70", "14": "SESSION_GUESS", "_shard_": "my_company.com", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-23", "9": "14:02:45", "id": "3" }
Use the getFieldsTitles REST API to map the column codes to column names. For example:
curl -k --header "Authorization: Bearer <token>" -i -H "Content-Type: application/json" https://il-vm01.isslab.usga.ibm.com:8443/restAPI/fieldsTitles
...
...
"0": "lucene.field.category",
"1": "OS User",
"2": "DB User",
"3": "Client IP",
"4": "Source Program",
"5": "Client Host name",
"11;12": "Object Verb",
"6": "Server",
"7": "DB Type",
"8": "Date",
"9": "Time",
...
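The following is an added example, not part of the Guardium documentation, that ties the parameters table and the two curl examples together: it builds a quick_search body with validated startTime/endTime values, pages through the result set with firstPosition and fetchSize, and relabels the numeric column codes using a constructed subset of the getFieldsTitles output shown above. The HTTP call is replaced by a stand-in function over constructed records, and firstPosition is assumed to be 0-based (the page does not state this).

```python
from datetime import datetime
from typing import Callable, Iterator, Optional

# Constructed subset of the getFieldsTitles output shown on this page. A key such as
# "11;12" is a combined code that maps two columns to a single title.
FIELD_TITLES = {"0": "lucene.field.category", "1": "OS User", "2": "DB User", "3": "Client IP",
                "6": "Server", "7": "DB Type", "8": "Date", "9": "Time", "11;12": "Object Verb"}

# Constructed records in the shape of the quick_search response on this page.
SAMPLE_RESULTS = [
    {"2": "DB2_ZZ7I", "3": "9.55.205.70", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-23", "9": "14:02:45", "id": "3"},
    {"2": "DB2_ZZ7I", "3": "9.55.205.70", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-23", "9": "14:05:10", "id": "4"},
    {"2": "APPUSER", "3": "10.0.0.5", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-24", "9": "09:00:00", "id": "5"},
]
TS_FORMAT = "%Y%m%d %H:%M:%S"   # documented as YYYYMMDD+HH:MM:SS; the '+' is a URL-encoded space

def build_body(category: str, start: str, end: str, tz: str = "UTC", query: Optional[str] = None,
               filters: str = "", fetch_size: int = 1000, first: int = 0) -> dict:
    """Assemble a quick_search request body. A malformed timestamp raises ValueError here,
    rather than silently producing an empty or misleading result set from the appliance."""
    if datetime.strptime(start, TS_FORMAT) > datetime.strptime(end, TS_FORMAT):
        raise ValueError("startTime is after endTime")
    body = {"category": category, "inputTZ": tz, "startTime": start, "endTime": end,
            "filters": filters, "fetchSize": str(fetch_size), "firstPosition": str(first)}
    if query is not None:
        body["query"] = query   # free-form Solr query, e.g. "Server=9.55.205.70 AND DB_Type=DB2"
    return body

def label_record(record: dict, titles: dict = FIELD_TITLES) -> dict:
    """Replace numeric column codes with their titles; keys without a title (id, _shard_) stay."""
    return {titles.get(code, code): value for code, value in record.items()}

def iterate_all(post: Callable[[dict], list], base_body: dict, fetch_size: int = 2) -> Iterator[dict]:
    """Page through the whole result set with firstPosition/fetchSize (assumed 0-based),
    stopping at the first page that is shorter than fetchSize."""
    first = 0
    while True:
        page = post(dict(base_body, fetchSize=str(fetch_size), firstPosition=str(first)))
        yield from (label_record(r) for r in page)
        if len(page) < fetch_size:
            return
        first += fetch_size

def fake_quick_search(body: dict) -> list:
    """Stand-in for POST /restAPI/quick_search that slices the constructed records."""
    first, size = int(body["firstPosition"]), int(body["fetchSize"])
    return SAMPLE_RESULTS[first:first + size]
```

To run it against an appliance, replace fake_quick_search with a function that POSTs the body as JSON with the bearer token and returns the parsed record list.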