Debugging POST Body for HTTP REST Collector

Question

I'm getting 400 responses on a POST Body that I'm trying to pass through the state.latestTime within the POST body. I would like to know what is being posted.

I don't seem to be able to get a debug log out of my REST Collector to see what it is POSTing. What it's deriving from state.latestTime.

Anyone know where I can find this? The debug logs seem to only show the URL, not the POST Body

Ralph No. · Answer

For reference, this was answered in Slack.

Me, Myself and AI created a sum up of the Discussion:

Andrew Latham was trying to set up an HTTP REST Collector that includes the latest log collection time in the POST body, but he encountered 400 responses due to invalid JSON. The substitution of state.latestTime wasn't happening.

Stefan Laschitzki suggested using webhook.site to see the exact request being sent. Andrew found this helpful and realized the state substitution wasn't occurring. He confirmed the state was set correctly but still had issues.

Stefan provided a reference for state-tracking time, but Andrew was already following that guide. Eventually, Andrew resolved the issue by using backticks for the JSON string, ensuring state.latestTime was correctly substituted.

The working query Andrew shared is:

`{"query": "query GetIntelligence { getIntelligence(orderBy: EVENT_DATETIME_ASCENDING, limit: 100, filter: { eventDatetime: { GT: \\\"${state.latestTime}\\\"}}) {hasMoreResults cursor results { id ticketId generatedDatetime name eventDatetime severity description descriptionTagged relatedEmailDomains relatedActorEmails relatedTargetEmails relatedTenants service_tenant_data humanReadableDescription {plain tagged }}}}"}`

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded