Create OVH API#282
Issue of OVH api connectivity
hi @ashivaakrishna, if you're looking for some assistance with the workflow itself, post something up in Discussions with what you're having trouble with and we'll see if we can help!

Without knowing what you were specifically looking for, I added some questions and suggestions in-line on the PR. Feel free to discuss or clarify there.
ChrisCollinsIBM
left a comment
Some questions and guidance left on the PR; I wasn't sure what you were having issues with, so I tried to add helpful comments and questions as needed.
| </If> | ||
|
|
||
| <!-- Extract Stream ID --> | ||
| <Set path="/streamId" value="${/get_streams/body/streams[0]/id}" /> |
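Review bot: the `<Set path="/streamId" ...>` at the end of this hunk reads `streams[0]` with no check that the streams array is non-empty, so an empty or filtered response leaves `/streamId` unset and every later `filter=streams:${/streamId}` silently becomes `streams:`. Wrap the `<Set>` in an `<If>` on the array length (for example `<If condition="count(/get_streams/body/streams) == 0">` followed by `<Abort reason="no streams returned" />`) so the run fails loudly instead of querying with an empty filter.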
You're accessing streams[0] here, do you possibly need to iterate over multiple in the array?
| <Set path="/streamId" value="${/get_streams/body/streams[0]/id}" /> | ||
|
|
||
| <!-- Get Messages - View Search --> | ||
| <CallEndpoint url="${/serverurl}/api/views/search/messages" method="POST" savePath="/search_messages"> |
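Review bot: nothing in these lines validates the response of the POST to `/api/views/search/messages` before `/search_messages` is used downstream. Add a status check directly after the call, e.g. `<If condition="/search_messages/status_code != 200">` with `<Abort reason="${/search_messages/body}" />` inside it, so a 401/403 from a missing credential or a 4xx from a malformed body stops the workflow with the server's message rather than producing an empty event batch.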
Does this endpoint require authentication? You're using BasicAuthentication in the streams call, but none here.
| </If> | ||
|
|
||
| <!-- Get Universal Search Messages --> | ||
| <CallEndpoint url="${/serverurl}/api/search/universal/absolute?query=*&from=2025-01-23T15:34:49.000Z&to=2025-01-22T15:34:49.000Z&decorate=true&filter=streams:${/streamId}" method="GET" savePath="/search_universal"> |
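Review bot: the `&` separators inside the `url` attribute of this `<CallEndpoint>` appear unescaped; a bare `&` inside an XML attribute value is not well-formed, so the workflow file will fail to parse before it ever runs. Either write each separator as `&amp;`, or move `query`, `from`, `to`, `decorate` and `filter` into `<QueryParameter name="..." value="..."/>` children of the `<CallEndpoint>`, which keeps the URL readable and sidesteps the escaping issue entirely.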
Same authorization question here, does this endpoint need auth?
Also, is a blank query= a required parameter in this API? & separates URL parameters so query here is empty.
I see you have hardcoded from/to dates here, I assume that's just for testing functionality so you'll eventually need those to be dynamic so on each run you can save a new time window. It's usually best to take the timestamp of the last event you received as the next "from" value as relying on fixed windows is susceptible to time sync issues (always asking for a 1 minute window for example). It's best to ask for the timestamp of the last event (+1 millisecond possibly) to "now".
| @@ -0,0 +1,59 @@ | |||
| <?xml version="1.0" encoding="UTF-8" ?> | |||
| <Workflow name="Graylog_OVH" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1"> | |||
Update this to V2_1 so you can omit the source tag in postEvents, V2_1 is the latest schema.
| <Workflow name="Graylog_OVH" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1"> | |
| <Workflow name="Graylog_OVH" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2_1"> |
| </If> | ||
|
|
||
| <!-- Get Universal Search Messages --> | ||
| <CallEndpoint url="${/serverurl}/api/search/universal/absolute?query=*&from=2025-01-23T15:34:49.000Z&to=2025-01-22T15:34:49.000Z&decorate=true&filter=streams:${/streamId}" method="GET" savePath="/search_universal"> |
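Review bot: the hardcoded window in this `<CallEndpoint>` is inverted: `from=2025-01-23T15:34:49.000Z` is a day later than `to=2025-01-22T15:34:49.000Z`, so even as a test request it asks for a negative time span and will return nothing (or an error) regardless of what is in the stream. Swap the two values so `from` precedes `to`, and when the window becomes dynamic keep the same ISO-8601 UTC millisecond format for both ends so they compare consistently with Graylog's message timestamps.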
Also, if you will be iterating over streams, you'll need to persist a unique from timestamp for each stream to ensure you don't duplicate or miss data.
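The two points raised above (use the newest received event's timestamp plus one millisecond as the next "from" with "now" as the "to", and keep a separate bookmark per stream) are modelled below as a standalone Python example. This is added illustrative code, not the PR's workflow XML or anything from the QRadar or Graylog projects; the `StreamBookmarks` class, the message dicts with a `timestamp` key and the sample values are all constructed for the demonstration. The timestamp format matches the `from=`/`to=` values used in the PR.

```python
"""Per-stream time-window bookmarking for polling a search API.

Standalone model of the approach described in the review comments:
the next "from" is the timestamp of the newest event already received
(plus one millisecond), the "to" is "now", and every stream keeps its
own bookmark. Illustrative code only, not the PR's workflow XML.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Format of the from=/to= values in the PR, e.g. 2025-01-23T15:34:49.000Z
ISO_MS = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with fractional seconds and a Z suffix."""
    return datetime.strptime(value, ISO_MS).replace(tzinfo=timezone.utc)


def format_ts(ts: datetime) -> str:
    """Render with exactly three fractional digits, e.g. 2025-01-23T15:34:49.000Z."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


class StreamBookmarks:
    """Tracks, per stream id, the 'from' timestamp to use on the next poll.

    Streams that have never been polled start from `initial_from`, which
    plays the role of a one-time initial value; afterwards each stream's
    bookmark advances independently of the others.
    """

    def __init__(self, initial_from: datetime) -> None:
        self._initial = initial_from
        self._bookmarks: Dict[str, datetime] = {}

    def window(self, stream_id: str, now: datetime) -> Tuple[str, str]:
        """Return the (from, to) pair for this stream's next request.

        Rejects an inverted window (from after to) instead of sending it,
        which is the failure mode of the hardcoded dates in the PR.
        """
        start = self._bookmarks.get(stream_id, self._initial)
        if start > now:
            raise ValueError(
                f"from {format_ts(start)} is after to {format_ts(now)}"
            )
        return format_ts(start), format_ts(now)

    def advance(self, stream_id: str, messages: List[dict]) -> Optional[str]:
        """Move the stream's bookmark to (newest message timestamp + 1 ms).

        An empty result leaves the bookmark untouched so a quiet window is
        re-asked next time and nothing is skipped; returns the new bookmark
        as a string, or None when nothing changed.
        """
        if not messages:
            return None
        newest = max(parse_ts(m["timestamp"]) for m in messages)
        self._bookmarks[stream_id] = newest + timedelta(milliseconds=1)
        return format_ts(self._bookmarks[stream_id])


if __name__ == "__main__":
    # Constructed sample: two streams, one of which returned messages.
    bookmarks = StreamBookmarks(parse_ts("2025-01-22T15:34:49.000Z"))
    now = parse_ts("2025-01-23T15:34:49.000Z")
    for stream_id, batch in {
        "stream-a": [
            {"timestamp": "2025-01-22T16:00:00.120Z", "message": "login ok"},
            {"timestamp": "2025-01-22T15:50:00.000Z", "message": "login ok"},
        ],
        "stream-b": [],
    }.items():
        print(stream_id, "window:", bookmarks.window(stream_id, now))
        print(stream_id, "next from:", bookmarks.advance(stream_id, batch))
```

Each poll asks for `window(stream_id, now)` and, after the events have been posted, calls `advance(stream_id, messages)`; stream-a's bookmark moves to one millisecond past its newest event while stream-b's stays where it was, which is exactly the per-stream persistence the comment above asks for.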