The events API query provides a way to obtain summary information about the events generated for an account without having to first extract the individual events and perform the analysis yourself.
Examples of the kind of analysis the events API can perform include:
- Number of SDP users that logged in over a specific timeframe
- Percentage of firewall block vs. allow events
- How many events (cardinality) were generated for each event type in the previous 30 days
These are the arguments that you can pass to the events API call to modify its operation:
- accountID
- measures
- filters
- dimensions
- sort
- timeFrame
The accountID argument is the ID of the account you are running the query against.
Note: This account ID isn't shown in the Cato Management Application; instead it is the number in the URL for the Cato Management Application. For example, the account ID is 26 for the following URL: https://cc.catonetworks.com/#!/26/topology.
The measures argument lets you define the fields you want the events query to examine and the way the results should be aggregated. For each field you want to analyze, you must define the following:
- fieldName - defines the field that you want to aggregate
- aggType - defines how you want the aggregation to be performed (e.g. count_distinct)
The following example shows the measures syntax for a query that returns the sum of the event_count field:
"measures": [ {"fieldName":"event_count","aggType":"sum"} ]
The filters argument lets you define a filter so that only a limited subset of the events is examined. For each filter you must define the following:
- fieldName - defines the name of the field that you want to filter
- operator - defines the filter operation that should be used to filter the field
- values - defines the filter value(s) that are used with the operator
Here is an example of the filters argument used to select only events with an event_type of Security:
"filters": [ { "fieldName": "event_type", "operator": "is", "values": ["Security"] } ]
Use the dimensions argument to group events that share the same field values into summary rows.
Here is an example that groups the results by event_type:
"dimensions": [ {"fieldName": "event_type"} ]
The sort argument defines how the returned data is to be sorted. Here is an example usage of the sort argument, sorting first by event_count (descending) and then by event_type (ascending):
"sort": [ {"fieldName": "event_count", "order": "desc"}, {"fieldName": "event_type", "order": "asc"} ]
The timeFrame argument defines the time frame of the query. This is specified using the duration format defined by the ISO 8601 specification. Here is an example of how you would specify the time frame for the past 30 days:
"timeFrame": "last.P30D"
Notes:
- The maximum length of time that can be specified for the timeFrame argument is currently 89 days.
- The actual ISO 8601 specification can be obtained from ISO, but it is not free. You can also refer to the Wikipedia article on ISO 8601 for more information on how to define this argument.
Example query:
query events(
  $accountID: ID!,
  $measures: [EventsMeasure],
  $dimensions: [EventsDimension],
  $filters: [EventsFilter!],
  $sort: [EventsSort!],
  $timeFrame: TimeFrame!,
  $limit: Int,
  $from: Int
) {
  events(
    accountID: $accountID
    timeFrame: $timeFrame
    measures: $measures
    dimensions: $dimensions
    filters: $filters
    sort: $sort
  ) {
    id
    from
    total
    records(limit: $limit, from: $from) {
      fieldsMap
    }
  }
}
Example variables (counts the distinct event_sub_type values among Security events in the last month):
{
  "accountID": "1234",
  "measures": [ { "fieldName": "event_sub_type", "aggType": "count_distinct" } ],
  "filters": [ { "fieldName": "event_type", "operator": "is", "values": ["Security"] } ],
  "timeFrame": "last.P1M"
}
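As an added example (not Cato's own code), the following Python helper assembles the request body for the query above, enforces the 89-day timeFrame limit before sending anything, and turns the returned summary rows into percentages per dimension value, the "block vs. allow" style of analysis the article lists. The API endpoint URL and the shape of each record's fieldsMap (a map of field name to value) are assumptions, not taken from the article.

```python
import json
import re

# Assumed endpoint; not stated in the article.
API_URL = "https://api.catonetworks.com/api/v1/graphql2"
MAX_TIMEFRAME_DAYS = 89  # limit stated in the article

EVENTS_QUERY = """query events($accountID: ID!, $measures: [EventsMeasure],
  $dimensions: [EventsDimension], $filters: [EventsFilter!], $sort: [EventsSort!],
  $timeFrame: TimeFrame!, $limit: Int, $from: Int) {
  events(accountID: $accountID, timeFrame: $timeFrame, measures: $measures,
         dimensions: $dimensions, filters: $filters, sort: $sort) {
    id from total records(limit: $limit, from: $from) { fieldsMap } } }"""

def timeframe_days(time_frame):
    """Approximate span in days of a 'last.P<n>M/<n>W/<n>D' timeFrame (a month counts as 30 days)."""
    m = re.fullmatch(r"last\.P(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?", time_frame)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported timeFrame: {time_frame}")
    months, weeks, days = (int(g) if g else 0 for g in m.groups())
    return months * 30 + weeks * 7 + days

def build_request(account_id, dimension, time_frame, event_type="Security"):
    """Build the JSON body: sum event_count per value of `dimension` for one event_type."""
    if timeframe_days(time_frame) > MAX_TIMEFRAME_DAYS:
        raise ValueError("timeFrame exceeds the 89-day maximum")
    variables = {
        "accountID": account_id,
        "measures": [{"fieldName": "event_count", "aggType": "sum"}],
        "dimensions": [{"fieldName": dimension}],
        "filters": [{"fieldName": "event_type", "operator": "is", "values": [event_type]}],
        "sort": [{"fieldName": "event_count", "order": "desc"}],
        "timeFrame": time_frame,
    }
    return {"query": EVENTS_QUERY, "variables": variables}

def share_by_dimension(records, dimension):
    """Turn summary rows into {dimension value: percentage of the total event_count}."""
    counts = {r["fieldsMap"][dimension]: int(r["fieldsMap"]["event_count"]) for r in records}
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()} if total else {}

# Constructed sample rows (not real API output) for a query grouped by event_sub_type.
SAMPLE_RECORDS = [
    {"fieldsMap": {"event_sub_type": "Internet Firewall", "event_count": "750"}},
    {"fieldsMap": {"event_sub_type": "WAN Firewall", "event_count": "250"}},
]

if __name__ == "__main__":
    print(json.dumps(build_request("1234", "event_sub_type", "last.P30D")["variables"], indent=2))
    print(share_by_dimension(SAMPLE_RECORDS, "event_sub_type"))  # {'Internet Firewall': 75.0, 'WAN Firewall': 25.0}
```

To run it against the real API, POST the returned body as JSON to API_URL with your API key header and pass `data["events"]["records"]` from the response to share_by_dimension.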