2014-01-28 08:08 AM
Hi, I am using the NetWitness Decoder for log aggregation and trying to fetch data via the REST interface for some internal reporting purposes.
I am trying to generate a values query, but I have stumbled upon forming the query in 2 formats:
Format 1
http://IP:PORT/sdk?msg=values&id1=0&id2=0&size=200&flags=sort-total,order-descending&fieldName=ip.dst&where+event.type='XYZ'
Format 2
http://IP:PORT/sdk?msg=values&id1=0&id2=0&size=200&flags=sort-total,order-descending&fieldName=ip.dst&where=event.type='XYZ'
In format 1 we have where followed by +, and in format 2 we have where followed by =.
Both these queries give different results. What is the correct format? Should we use + after where or = after where?
Regards
DJ
2014-02-06 12:33 PM
where='XYZ' is the correct parameter. Of course, everything must be URL encoded correctly.
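To show concretely why the two forms in the question return different results, here is an added example (not code from this thread or from the NetWitness SDK) that parses both URLs the way any HTTP server does and then assembles the same request with the where clause properly percent-encoded. The host IP:PORT and the parameter values are the placeholders from the question; the parameter names are only the ones used in the thread, and nothing here depends on how the Decoder interprets them.

```python
"""Why `where+event.type='XYZ'` and `where=event.type='XYZ'` are different
requests, and how to build the `where=` form with correct URL encoding.

Added example, not from the original thread or from the NetWitness SDK.
IP:PORT is the placeholder host from the question.
"""
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# The two URL forms exactly as written in the question.
FORMAT1 = ("http://IP:PORT/sdk?msg=values&id1=0&id2=0&size=200"
           "&flags=sort-total,order-descending&fieldName=ip.dst"
           "&where+event.type='XYZ'")
FORMAT2 = ("http://IP:PORT/sdk?msg=values&id1=0&id2=0&size=200"
           "&flags=sort-total,order-descending&fieldName=ip.dst"
           "&where=event.type='XYZ'")


def parse_query_params(url):
    """Decode the query string as an HTTP server does: split on '&', split
    each pair on its first '=', then turn '+' into a space and %XX escapes
    back into characters. Returns {name: [values]}."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def build_values_url(host, field_name, where, size=200,
                     flags="sort-total,order-descending", scheme="http"):
    """Assemble a `msg=values` request with every value percent-encoded.
    urlencode() escapes the '=', the quotes and the comma inside values, so
    the where clause reaches the server as one parameter named `where`."""
    params = [
        ("msg", "values"),
        ("id1", "0"),
        ("id2", "0"),
        ("size", str(size)),
        ("flags", flags),
        ("fieldName", field_name),
        ("where", where),
    ]
    return urlunsplit((scheme, host, "/sdk", urlencode(params), ""))


if __name__ == "__main__":
    # Format 1: '+' decodes to a space, so the server sees a parameter
    # literally named "where event.type" with the value 'XYZ' and no
    # `where` parameter at all.
    print("format 1:", parse_query_params(FORMAT1))
    # Format 2: a parameter named `where` whose value is the whole clause.
    print("format 2:", parse_query_params(FORMAT2))
    # Same request as format 2, with the clause encoded rather than raw.
    print("encoded: ", build_values_url("IP:PORT", "ip.dst",
                                        "event.type='XYZ'"))
```

Running it shows format 1 parsed as `{'where event.type': ["'XYZ'"], ...}` with no `where` key, which is why the server treats it as an unfiltered request, while format 2 and the built URL both parse to `{'where': ["event.type='XYZ'"], ...}`. The built URL differs from format 2 only in that `=`, `'` and `,` inside values are escaped as `%3D`, `%27` and `%2C`, which is what "everything must be URL encoded correctly" amounts to for this request.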
2014-02-06 11:51 PM
Hi Scott, Thanks a ton for your reply.
Is there any public document where these REST end points are explained with some examples?
I checked the release notes and the REST guide, which is very abstract and has no examples.
For example, the REST guide says msg=query takes flags (i.e. flags=<>), but order-ascending and sort-total give an exception saying it can't parse orderascending, sorttotal, etc. I understood the flags for msg=values, but I can't understand the flags in msg=query.
So what flags does it take? What is the usage of these flags?
Regards
DJ
2014-02-07 03:51 PM
The only flags query supports are for debugging purposes. Over the REST interface, those troubleshooting messages are discarded, so it's not possible to use them over REST.
From the SDK header files:
/* NetWitness Query Flags */
/**
* @brief The following are used by the @ref NwQuery function.
* @see NwQuery
*/
enum NwQueryFlags
{
NW_QUERY_FLAG_DEFAULT = 0x0000, /**< Default standard behavior */
NW_QUERY_FLAG_QUERY_LOG = 0x4000 /**< Return a query log for debugging */
};
2014-02-07 10:02 PM
Ok. Thanks
Regards
DJ