Example: Running a RESTful Search
This example demonstrates the steps you need to follow to run a RESTful API search, from start to finish. It includes logging in, opening a search session, getting a list of events, closing the search session, and logging out.
Log in first. Use the returned User Session ID in all requests in the rest of the user session. Treat that ID as a credential: anyone who holds it can run searches as that user until the session is logged out or expires, so keep it out of logs, shell history and tickets.

https://<hostname>:<port>/core-service/rest/LoginService/login?login=username&password=password

Because the user name and password travel in the query string of a GET request, they can be recorded in web server, proxy and shell-history logs; use a least-privilege search account and percent-encode any special characters in the password. The response carries the User Session ID in the <ns3:return> element:

<ns3:loginResponse xmlns:ns2="http://ws.v1.service.core.product.arcsight.com/groupService/" xmlns:ns3="http://ws.v1.service.core.product.arcsight.com/loginService/" xmlns:ns4="http://ws.v1.service.core.product.arcsight.com/userService/">
  <ns3:return>UDIWj3m-iGksVI_zSMViSdqF48r6DXpbTQpRQQiEbgw.</ns3:return>
</ns3:loginResponse>
Next, open a search session. Use the Search Session ID you specify here in all requests in the rest of the search session. The ID is chosen by the client (this example uses the current time in epoch milliseconds); you can have more than one Search Session per User Session. Note that -k makes curl skip TLS certificate verification, which is acceptable only against a lab appliance with a self-signed certificate; in production, pass the appliance's CA certificate with --cacert instead, so that session IDs and query results cannot be read by an interposed host.

curl -k https://<hostname>:<port>/server/search \
  -H "Content-Type: application/json; charset=UTF-8" \
  -d '{
    "search_session_id" : 1399546550086,
    "user_session_id" : "UDIWj3m-iGksVI_zSMViSdqF48r6DXpbTQpRQQiEbgw.",
    "query" : "_deviceGroup IN [\"Logger Internal Event Device [cef_events]\"]",
    "start_time" : "2014-04-02T22:08:44.000-07:00",
    "end_time" : "2014-05-02T22:08:44.000-07:00",
    "field_summary" : true
  }'

Response:

{ "sessionId" : "104857600" }
This example returns a list of events. You could make other calls such as status or histogram instead or as well. Each row in results is positional and follows the order of the fields array, which is the list you requested with the row identifier _rowId prepended; date fields are returned as epoch milliseconds.

curl -k https://<hostname>:<port>/server/search/events \
  -H "Content-Type: application/json; charset=UTF-8" \
  -d '{
    "search_session_id" : 1399546550086,
    "user_session_id" : "UDIWj3m-iGksVI_zSMViSdqF48r6DXpbTQpRQQiEbgw.",
    "fields" : ["deviceEventClassId", "destinationAddress", "deviceVendor", "deviceReceiptTime", "endTime", "baseEventCount", "deviceAddress"]
  }'

Response:

{
  "fields" : [
    { "name": "_rowId", "type": "string", "alias": "_rowId" },
    { "name": "deviceEventClassId", "type": "string", "alias": "deviceEventClassId" },
    { "name": "destinationAddress", "type": "string", "alias": "destinationAddress" },
    { "name": "deviceVendor", "type": "string", "alias": "deviceVendor" },
    { "name": "deviceReceiptTime", "type": "date", "alias": "deviceReceiptTime" },
    { "name": "endTime", "type": "date", "alias": "endTime" },
    { "name": "baseEventCount", "type": "number", "alias": "baseEventCount" },
    { "name": "deviceAddress", "type": "string", "alias": "deviceAddress" }
  ],
  "results" : [
    ["3E8-0@Local", "TCP_NC_MISS", "192.0.2.1", " Blue Coat", 1277888507046, 1277888507046, 1, "192.0.2.9"],
    ["3E8-1@Local", "TCP_NC_MISS", "192.0.2.1", " Blue Coat", 1277888507046, 1277888507046, 1, "192.0.2.9"],
    ...
  ]
}
To identify the search session to close, use the Search Session ID and the User Session ID. After this, you can log out of the user session or open another one.
curl -k https://<hostname>:<port>/server/search/close \
  -H "Content-Type: application/json; charset=UTF-8" \
  -d '{
    "search_session_id" : 1399546550086,
    "user_session_id" : "UDIWj3m-iGksVI_zSMViSdqF48r6DXpbTQpRQQiEbgw."
  }'
To end the user session, use the User Session ID as the auth token. Do this even when an earlier step failed, so the token does not remain usable for the rest of its lifetime.

https://<hostname>:<port>/core-service/rest/LoginService/logout?authToken=UDIWj3m-iGksVI_zSMViSdqF48r6DXpbTQpRQQiEbgw.

An empty logoutResponse element indicates that the session was ended:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:logoutResponse xmlns:ns2="http://ws.v1.service.core.product.arcsight.com/groupService/" xmlns:ns3="http://ws.v1.service.core.product.arcsight.com/loginService/" xmlns:ns4="http://ws.v1.service.core.product.arcsight.com/userService/"/>
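The whole procedure above (log in, open a search session, fetch events, close the search session, log out) as one script. This is an added example written for this page, not ArcSight's own code or client library; it uses only the Python standard library. The base URL, the CA bundle file name, the account name and the search query are placeholders, and the SAMPLE_* values are constructed from the responses shown on the page so the parsing can be checked offline. TLS verification stays on (the equivalent of curl --cacert rather than -k), the login call is the same GET the page shows with the password percent-encoded by urlencode(), and the search session is closed in a finally block so a failed events call does not leave it open.

```python
"""Logger REST search flow end to end (added example, not ArcSight's code).

Standard library only. Assumptions not taken from the page: the base URL,
the CA bundle path (a PEM exported from the appliance so TLS verification
stays on instead of curl -k), the account and the query. SAMPLE_* values
are constructed from the responses shown on the page.
"""
import json
import ssl
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LOGIN_NS = "http://ws.v1.service.core.product.arcsight.com/loginService/"

SAMPLE_LOGIN_XML = ('<ns3:loginResponse xmlns:ns3="%s"><ns3:return>'
                    "UDIWj3m-iGksVI_zSMViSdqF48r6DXpbTQpRQQiEbgw."
                    "</ns3:return></ns3:loginResponse>" % LOGIN_NS)
SAMPLE_EVENTS = {
    "fields": [{"name": n, "type": t, "alias": n} for n, t in [
        ("_rowId", "string"), ("deviceEventClassId", "string"),
        ("destinationAddress", "string"), ("deviceVendor", "string"),
        ("deviceReceiptTime", "date"), ("endTime", "date"),
        ("baseEventCount", "number"), ("deviceAddress", "string")]],
    "results": [
        ["3E8-0@Local", "TCP_NC_MISS", "192.0.2.1", " Blue Coat",
         1277888507046, 1277888507046, 1, "192.0.2.9"],
        ["3E8-1@Local", "TCP_NC_MISS", "192.0.2.1", " Blue Coat",
         1277888507046, 1277888507046, 1, "192.0.2.9"]]}


def parse_login_response(xml_text):
    """Return the User Session ID from the loginService XML reply."""
    node = ET.fromstring(xml_text).find("{%s}return" % LOGIN_NS)
    if node is None or not node.text:
        raise ValueError("login response carries no session token")
    return node.text.strip()


def events_to_dicts(reply):
    """One dict per event from the columnar fields/results reply.

    Rows are positional in the order of 'fields'. Date fields are epoch
    milliseconds and become UTC datetimes; strings are stripped.
    """
    fields, out = reply["fields"], []
    for row in reply["results"]:
        if len(row) != len(fields):
            raise ValueError("row width %d != %d fields" % (len(row), len(fields)))
        rec = {}
        for meta, val in zip(fields, row):
            if meta["type"] == "date" and val is not None:
                val = datetime.fromtimestamp(val / 1000, tz=timezone.utc)
            elif isinstance(val, str):
                val = val.strip()
            rec[meta["alias"]] = val
        out.append(rec)
    return out


class LoggerSearch:
    """login -> search -> events -> close -> logout, releasing sessions on error."""

    def __init__(self, base_url, cafile=None):
        self.base = base_url.rstrip("/")
        # cafile=None means the system trust store; certificate checks stay on.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.user_session_id = None

    def _get(self, path, params):
        url = "%s%s?%s" % (self.base, path, urlencode(params))
        with urlopen(Request(url), timeout=30, context=self.ctx) as r:
            return r.read().decode()

    def _post_json(self, path, body):
        req = Request(self.base + path, data=json.dumps(body).encode(),
                      headers={"Content-Type": "application/json; charset=UTF-8"})
        with urlopen(req, timeout=120, context=self.ctx) as r:
            raw = r.read().decode()
        return json.loads(raw) if raw.strip() else None  # close may reply empty

    def login(self, user, password):
        # Same GET login the page shows; the password still travels in the URL.
        xml_text = self._get("/core-service/rest/LoginService/login",
                             {"login": user, "password": password})
        self.user_session_id = parse_login_response(xml_text)

    def logout(self):
        if self.user_session_id:
            self._get("/core-service/rest/LoginService/logout",
                      {"authToken": self.user_session_id})
            self.user_session_id = None

    def search_events(self, query, start, end, fields):
        sid = int(time.time() * 1000)  # client-chosen, as in the page's example
        common = {"search_session_id": sid, "user_session_id": self.user_session_id}
        self._post_json("/server/search", dict(common, query=query, start_time=start,
                                               end_time=end, field_summary=True))
        try:
            reply = self._post_json("/server/search/events", dict(common, fields=fields))
            return events_to_dicts(reply)
        finally:  # always close the search session, even if /events failed
            self._post_json("/server/search/close", common)
```

Typical use is client = LoggerSearch("https://<hostname>:<port>", cafile="logger-ca.pem"); client.login(user, password); then client.search_events(query, start, end, field_list) inside a try block whose finally calls client.logout(), so the User Session ID is invalidated on the appliance whether or not the search succeeded. The page does not describe a completion check before /server/search/events, so none is added here; if your Logger version requires polling the status call first, insert it before the events request.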