This message originated from Cribl Community Slack.
Click here to view the original link.
Hi :wave:
Apologies if this has been solved, I haven't been able to find anything using Slack's search option.
The scenario is that we have a REST endpoint that we need to call to download a report with data, but in order to download the right report we need to first query a slightly different endpoint to get the last report ID. :sigh:
Cribl's REST can do OAuth -> API call just fine, but then I need to store the returned value in a global variable so that the second REST call can look it up and use it.
Not pretty, it's what we have.
So the question is, is there an internal call that can perform an update of a global variable, or a REST/HTTP call that I can set as the destination to do this? The CoPilot AI says I can use /lib/vars/ endpoint to do this, however I can't find that endpoint in the API docs.
The second problem I've run into is that there doesn't appear to be a REST destination that I can use, the closes being Cribl HTTP.
So if the API endpoint is there and works it looks like I'd have to use an external program to set the global variable before running the source collector in Cribl.
:thankyou:
Solved
Cribl REST API Issues: Unable To Update Global Variable; Missing /lib/vars/ Endpoint Documentation
Best answer by Jon Rust
I recommend to start your work in our REST Collector Repo so you don't re-invent the wheel
The result of the auth step is stored in a token you can reference in both the discover and collect steps. That's exactly how it works.
:facepalm: So I can use the Discover step to pull the first part of the data and use those returned values in the Collect section for the actual data.
I feel like a bit of a fool if the answer is yes. It's right in front of me staring me in the face the whole week in that case.
It's not the most intuitive interface. (We're working on it!)
But yes, you have the idea. There are really 3 steps:
1. auth
2. discover
3. collect
Auth: Get the auth token, reference it in subsequent calls.
Discover: get a list of things to do -- targets, entities, whatever
Collect: for that list fire off parallel jobs to collect each one
Thank you very much Jon. :bow: I'll try it out tomorrow and let you know how it turns out.
I've been stuck in creating REST calls just using the Collect method, so never bothered with the Discover aspect of it.
The good news is that the Discover works as expected. I'm just having some trouble referencing the results from the Discover section in the Collect section.
If I hardcode a GUID value then the lookup works, but if I use a variable then I get a HTTP 404.
The results from Discover has a resources [] value that I need to use and it does show up in the Discover results:
e.g.
{
"meta": {
"query_time": 0.575422675,
"pagination": {
"offset": 0,
"limit": 1,
"total": 10000
},
"powered_by": "reports"
},
"resources": [
"019ce75fe9e173a28563e6b5bb7f4eca"
],
"errors": [],
"guid": "15c3e552-464d-484f-adf8-8a4a5f64a406"
}${resources[0]} in the Collect section parameters field
This doesn't appear to work as the raw result returned is just an empty array []` . If i run the ID through the swagger web UI then there is data for the report.:facepalm: I might have solved it. I disabled the time filter under the advanced settings.
I'd like to say thanks to the creators for the great documentation that Cribl has put together as it provide the answer after a bit of searching.
Aha! The time filter is a common gotcha. Usually (usually) it's a sign the Event Breaker is not picking up time correctly from the returned data. Grab a sample of the data as it comes off the wire and set-up your EB as next step
:+1: Thanks for the assist Jon. I should be able to manage it from here as I have data to work with now. :thankyou:
Rockin. Have a great weekend!
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.