arcsight-unofficial/arcsight-logger-api-sdk

Run distributed search

Karl90 opened this issue · 6 comments

Hi!

First of all, thanks for creating this SDK, I do think that is really useful.

Actually this is not an issue but question about the usage of the search function, this is its definition:

def search(host, authtoken, query, search_id, **kwargs):
    """Start a background search job.

    Args:
        host (string): Hostname of Logger
        authtoken (string): Token for the current session
        query (string): Which query to run
        search_id (int): The search_id to be generated for the search
        **kwargs: All arguments marked as optional in documentation

    Returns:
        json: If successful returns a sessionId, this ID is only
        related if you want to find the running search
        on the ArcSight Logger web interface. This is not related
        to the search_id provided by the user.

    """
    url = '/server/search'

    # Optional parameters arrive as keyword arguments and are merged
    # into the JSON body alongside the mandatory fields.
    payload = {
        'search_session_id': search_id,
        'user_session_id': authtoken,
        'query': query,
        **kwargs
    }
    # post() is the SDK's own HTTP helper (not shown in this snippet);
    # the quoted snippet ends here, so the response is handed back as-is.
    response = post(host, url, data=payload)
    return response

From what I can see, you can submit the optional params as keyword args, which is great.
However, I'm not able to set the local_search parameter properly. For instance:

distributed_search = "'local_search':false"
loggersdk.search(HOST, authtoken, CHART_QUERY, SEARCH_ID, distributed_search)

No matter what I do, the search is always run locally. Do you know how I can set the params properly on this kind of function?

Thanks in advance,

Karl.

Hi,

Thanks to you for the implementation and for your prompt response :-)

I'd say that the capital letter is not the issue; I tried again and it still runs locally.
If you take a look at the documentation:

[screenshot of the documentation, not reproduced here]

For instance, I have also tried with a simple POST request through curl:

curl -k https://<LOGGER_SERVER>:<LOGGER_PORT>/server/search -H "Content-Type: application/json ; charset=UTF-8" -d '{
"user_session_id": "<TOKEN>",
"search_session_id": <SEARCH_ID>,
"local_search": false,
"field_summary": true,
"query": "<QUERY>",
"start_time": "<START>",
"end_time": "<END>",
"timeout": 240000
}'

And that worked. Please, can you take a look at it?
I think that the key is passing the additional params to the search function properly.

Thanks in advance,

Karl.

Hi,

Small update: I was not testing properly, I'm sorry. This is the execution output:

    loggersdk.search(HOST, authtoken, QUERY, SEARCH_ID, "'local_search': false")
TypeError: search() takes 4 positional arguments but 5 were given

Do you know how I can pass the additional params to the search?

thanks!

regards,

Karl.

Hey @Karl90

Now that I am not on the phone anymore, it was much easier to debug a bit!

The capital letter does actually matter, though it was not the issue in this specific case.

Python handles Booleans only with a capital first letter, and the type of the object sent does actually matter.

Example:

Python 3.6.6 (v3.6.6:4cf1f54eb7, Jun 27 2018, 03:37:03) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> X = false
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'false' is not defined
>>> X = False
>>> 

Now to the actual issue!

kwargs are sent to functions a bit differently than usual; without taking that into consideration, it actually thinks that you are sending it an additional positional argument.

I created a sdkexample project, to show all the integrations here:
https://github.com/arcsight-unofficial/arcsight-logger-api-sdkexample/blob/master/client.py#L130

If you take a look at the way I create and utilize the kwargs, it will resolve your issue! The solution is the double star at the start of the name.

Hi!

Thanks for the detailed explanation!

"The capital letter does actually matter, though it was not the issue in this specific case."
Yes, it does, but for Python; I was referring to what the logger expects.

You're right, now the code works:

distributed_search = {"local_search": False}
loggersdk.search(HOST, authtoken, QUERY, SEARCH_ID, **distributed_search)

Note that I've been forced to use the boolean python False, otherwise it fails.

Thanks a lot for your help!

regards,

Karl.

Great to hear that it works!

Indeed, the logger does not expect the text "false"; it expects the Boolean value false. So it was important to change it so that Python creates it as a Boolean value instead of a string/variable value.

Let me know if any other issues arise!
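The two points this thread settles, as one added, self-contained example (this is not code from the SDK or from either participant): optional Logger search parameters must be passed as keyword arguments (a dict unpacked with `**`), and boolean options must be real Python `bool` values so that they serialize to JSON `true`/`false` rather than the string `"false"`. The `search` function below mirrors the signature quoted above, `fake_post` is a hypothetical stand-in for the SDK's `post()` helper that returns the JSON body instead of sending it, `validate_payload` is an added client-side check that catches the string-for-bool mistake before the request leaves the machine, and the host, token and query values are constructed placeholders.

```python
import json

# Optional Logger search parameters the API expects as JSON booleans.
# Names come from the curl request in this thread; treating them as a
# fixed set is an assumption of this example, not SDK behaviour.
BOOLEAN_PARAMS = ("local_search", "field_summary")


def build_payload(authtoken, query, search_id, **kwargs):
    """Assemble the /server/search body the way the SDK's search() does:
    mandatory fields first, then the optional keyword arguments merged in."""
    return {
        "search_session_id": search_id,
        "user_session_id": authtoken,
        "query": query,
        **kwargs,
    }


def validate_payload(payload):
    """Return a list of problems for option values that would serialize to
    the wrong JSON type (empty list means the payload is fine).

    A Python bool becomes JSON true/false; the string "false" becomes the
    JSON string "false", which Logger does not treat as a boolean.
    """
    problems = []
    for name in BOOLEAN_PARAMS:
        if name in payload and not isinstance(payload[name], bool):
            problems.append(
                f"{name} must be a Python bool, got {type(payload[name]).__name__}"
            )
    return problems


def fake_post(host, url, data):
    """Hypothetical stand-in for the SDK's post() helper: instead of sending
    the request it returns the JSON text that would go on the wire."""
    return json.dumps(data)


def search(host, authtoken, query, search_id, **kwargs):
    """Same signature as the SDK function quoted in the issue: options are
    only accepted as keyword arguments, so a fifth positional value raises
    TypeError exactly as the caller saw."""
    payload = build_payload(authtoken, query, search_id, **kwargs)
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return fake_post(host, "/server/search", payload)


def call_with_positional_string(host, authtoken, query, search_id):
    """Reproduce the first attempt from the thread (a string passed as a
    positional argument) and return the TypeError message, or None."""
    try:
        search(host, authtoken, query, search_id, "'local_search': false")
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values; not a real host, token or saved query.
    HOST, TOKEN, QUERY, SEARCH_ID = "logger.example", "TOKEN-123", 'deviceVendor = "Test"', 42

    # 1. The original attempt: a string passed positionally -> TypeError.
    print(call_with_positional_string(HOST, TOKEN, QUERY, SEARCH_ID))

    # 2. The fix from the thread: a dict unpacked with ** and real bools.
    options = {"local_search": False, "field_summary": True}
    print(search(HOST, TOKEN, QUERY, SEARCH_ID, **options))

    # 3. A near miss: the string "false" would serialize as a JSON string.
    print(validate_payload(build_payload(TOKEN, QUERY, SEARCH_ID, local_search="false")))
```

Running the block prints the `takes 4 positional arguments but 5 were given` message for the first call, a body containing `"local_search": false` for the corrected call, and a one-item problem list for the string-valued option. The validation step is the practical takeaway: a request that silently runs the wrong kind of search is harder to notice than one that fails before it is sent.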