quick_search

This REST API is a wrapper for Solr queries, which are used in the Investigation Dashboard. This command is similar to the search command, but has some improvements.

This API is available in Guardium v11.3 and later.

Note: The quick_search API returns codes that represent the titles of the columns (fields) in the returned tables. For example, quick_search might return the following rows:
"15": "Failed Login - Alert and Quarantine if Repeated",
"16": "5",
To map the codes ("15" and "16", in this case) to the actual column names, use the getFieldsTitles API.

REST API syntax

This API is available only as a REST service with the POST method. Call this API as follows:
POST https://[Guardium hostname or IP address]:8443/restAPI/quick_search

Parameters

Parameter Value type Description
category String Required. The Guardium Solr collections. The categories generally map to the categories that are shown in the Investigation dashboard UI.

To view the valid categories, call this REST API with all of the required parameters but enter a clearly invalid value (for example, category=kookoo). Guardium returns all valid values for category.

endTime String Search for records that were created before the specified endTime. The time must be specified in the format: YYYYMMDD+HH:MM:SS.
fetchSize Integer The maximum number of records returned by the API.
filters String Filters consume input and produce a stream of tokens. Filters must be in a specific format, for example:
"filters":"name=Database&value=9.147.31.113:5.6.27&isGroup=false&name=DB User&value=SYSTEM&isGroup=false&name=Server&value=9.147.31.113&isGroup=false"
For more information about filters, see the Apache Solr Reference Guide > Schema and Indexing Guide.
firstPosition Integer The position in the results from which records are returned. Can be used together with fetchSize to iterate through the results.
inputTZ String The initials of a timezone, such as UTC or EST. If provided, startTime and endTime parameters are converted from that timezone to the Guardium appliance's timezone before the search is executed. All date fields in the results are converted from Guardium appliance's timezone to the inputTZ timezone provided before the results are returned.

To view the valid timezone codes, call this REST API with all of the required parameters but enter a clearly invalid value (for example, inputTZ=kookoo). Guardium returns all valid values for inputTZ.

pivotBy String  
query String A Solr query. You can use this parameter to write free-form Solr query expressions. For more information, see the Apache Solr Reference Query Guide.
startTime String Search for records that were created after the specified startTime. The time must be specified in the format: YYYYMMDD+HH:MM:SS.
summaryBy String Group results by the selected field code. You can specify up to 2 field title codes to group by.
Note: To map the field codes to column names, use the getFieldsTitles API.
withFacets String Include facets in the search. For more information, see Investigation dashboard for data or Investigation dashboard for files. Valid values are:
  • 0 (Off: Do not include facets)
  • 1 (On: Include facets)

Default = 0.

api_target_host String Specifies the target hosts where the API executes. Valid values:
  • all_managed: execute on all managed units but not the central manager
  • all: execute on all managed units and the central manager
  • group:<group name>: execute on all managed units identified by <group name>
  • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit.  For example, api_target_host=10.0.1.123.
  • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.

Examples

curl -k --header "Authorization: Bearer <token>" -i -H "Content-Type: application/json" -X POST --data '
{"category": "ERROR", "inputTZ":"UTC","startTime": "20201019 00:00:01", "endTime": "20221225 10:11:11", "filters":"name=Server&value=9.55.205.70&isGroup=false" }
' https://<Guardium host>:8443/restAPI/quick_search
...
...
{ "2": "DB2_ZZ7I", "13": "2022-03-23 10:02:45", "3": "9.55.205.70", "14": "SESSION_GUESS", "_shard_": "my_company.com", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-23", "9": "14:02:45", "id": "3" } 
curl -k --header "Authorization: Bearer <token>" -i -H "Content-Type: application/json" -X POST --data '
{"category": "ERROR", "inputTZ":"UTC","startTime": "20201019 00:00:01", "endTime": "20221225 10:11:11", "filters":"","query":"Server=9.55.205.70 AND DB_Type=DB2", "fetchSize": "1000"}
' https://<Guardium host>:8443/restAPI/quick_search
...
...
{ "2": "DB2_ZZ7I", "13": "2022-03-23 10:02:45", "3": "9.55.205.70", "14": "SESSION_GUESS", "_shard_": "my_company.com", "6": "9.55.205.70", "7": "DB2", "8": "2022-03-23", "9": "14:02:45", "id": "3" } 

Use the getFieldsTitles REST API to map the column codes to column names. For example:

curl -k --header "Authorization: Bearer <token>" -i -H "Content-Type: application/json" https://il-vm01.isslab.usga.ibm.com:8443/restAPI/fieldsTitles
...
...
"0": "lucene.field.category",
"1": "OS User",
"2": "DB User",
"3": "Client IP",
"4": "Source Program",
"5": "Client Host name",
"11;12": "Object Verb",
"6": "Server",
"7": "DB Type",
"8": "Date",
"9": "Time",
...
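As an added example (not code from the Guardium documentation), the following Python helper builds quick_search request bodies in the filters and time formats described above, pages through results with firstPosition and fetchSize, and maps the returned column codes to names from fieldsTitles. The function names, the host and token placeholders, and the assumption that each page comes back as a JSON list of row objects are this example's, not Guardium's.

```python
# Added example, not from the Guardium documentation: build quick_search request
# bodies, page through results with firstPosition/fetchSize, and map returned
# column codes to names. post_json(), iter_results() and the assumption that each
# page is returned as a JSON list of row objects are this example's, not Guardium's.
import json
import urllib.request

def build_filters(filters):
    """Encode [(name, value, is_group), ...] in the quick_search 'filters' format."""
    return "&".join(f"name={n}&value={v}&isGroup={'true' if g else 'false'}"
                    for n, v, g in filters)

def fmt_time(dt):
    """Format a datetime as 'YYYYMMDD HH:MM:SS', as startTime/endTime expect."""
    return dt.strftime("%Y%m%d %H:%M:%S")

def build_body(category, start, end, filters=(), tz="UTC", query="",
               fetch_size=1000, first=0):
    """Assemble the JSON body for one quick_search call."""
    return {"category": category, "inputTZ": tz, "startTime": fmt_time(start),
            "endTime": fmt_time(end), "filters": build_filters(filters),
            "query": query, "fetchSize": fetch_size, "firstPosition": first}

def post_json(host, token, path, body):
    """Default transport: POST JSON to https://<host>:8443/restAPI/<path>.
    urllib verifies the server certificate by default (the curl examples use -k)."""
    req = urllib.request.Request(
        f"https://{host}:8443/restAPI/{path}", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def iter_results(post, category, start, end, fetch_size=1000, **kw):
    """Yield every row; advance firstPosition until a page comes back short.
    'post' is a callable (path, body) -> list of rows, so it can be faked offline."""
    first = 0
    while True:
        rows = post("quick_search", build_body(category, start, end,
                                               fetch_size=fetch_size, first=first, **kw))
        yield from rows
        if len(rows) < fetch_size:
            return
        first += fetch_size

def map_titles(row, titles):
    """Replace column codes with names from fieldsTitles; keep unknown keys as-is."""
    return {titles.get(k, k): v for k, v in row.items()}
```

Wire it up with `post = lambda path, body: post_json("<Guardium host>", "<token>", path, body)` and iterate `iter_results(post, "ERROR", start, end, filters=[("Server", "9.55.205.70", False)])`.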