This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

REST Query for Timeline

RSAAdmin
Beginner
Beginner

‎2015-05-07 11:05 AM

Hi everyone,

 

So we have been trying to come up with a good REST query (to either a Concentrator or Broker) to help enable a tool that can display a basic SA'ish chart/timeline. We already have these charts in SA which we monitor for device health, but we were trying to create a quicker interface for our analysts to use. Right now, the syntax of the charts is simple: select d.id where d.id exists. My issue is to how and get this same data in a useable format through REST. I can pull data related to d.id through REST, but that's about as far as I've got. I'm not sure how to then turn the JSON (or text, or xml) values into plottable points.

 

Any help is much appreciated.

 

Thanks!

0 Likes
2 REPLIES 2

RSAAdmin
Beginner
Beginner

‎2015-05-07 04:13 PM

Well, I'm not exactly sure I understand what the issue is.  Are you asking how to perform a timeline call over REST?

 

Here's a sample timeline, complete with parameters converted to a URL:

 

time1="2015-05-01 00:00:00" time2="2015-05-07 00:00:00" timezone=-4 size=2000 flags=sessions,order-ascending force-content-type=application/json

 

/sdk?msg=timeline&force-content-type=application/json&expiry=600&time1=2015-05-01%2000%3A00%3A00&time2=2015-05-07%2000%3A00%3A00&timezone=-4&size=2000&flags=sessions%2Corder-ascending

 

The results come back like so:

 

{

  "flags" : 1074200577,

  "results" : {

  "id1" : 1430424000,

  "id2" : 1430830800,

  "fields" : [

  {

  "id1" : 25070216159,

  "id2" : 25072315441,

  "count" : 2098367,

  "format" : 32,

  "type" : "hour",

  "flags" : 0,

  "group" : 0,

  "value" : 1430424000

  },

  {

  "id1" : 25072313630,

  "id2" : 25074928457,

  "count" : 2613014,

  "format" : 32,

  "type" : "hour",

  "flags" : 0,

  "group" : 0,

  "value" : 1430427600

  },

  {

  "id1" : 25074920118,

  "id2" : 25077955783,

  "count" : 3027329,

  "format" : 32,

  "type" : "hour",

  "flags" : 0,

  "group" : 0,

  "value" : 1430431200

  },

... and so on

 

The "count" is the number of sessions for each hour of time.  To plot, you would simply create a chart with the Y axis as session count and the X axis as your time period and plot them.  "value" for each json record is the hour (POSIX time, seconds since 1970).  Those are the two items to plot.

 

Make sense?

 

Scott

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-05-08 08:14 AM

Hi Scott,

 

Yep, that is exactly what I was looking for. I think I was adding too many extra values to my REST call, and this one works perfectly. You save the day again!

 

Thanks

 

John

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.