Availability of APIs with aggregation capabilities


#1

Reveal(x) has an API, sc.Query(), that is used by the UI to display things like requested hostnames (DNS) and their counts. However, this API is not available to developers. Are there any plans to expose it? If not, is there a suggested method for obtaining this information? Another one is reclog.runQuery(). Both of these APIs are super useful, and the functionality is difficult to replicate without retrieving all records.

To give a concrete use case of what I am trying to accomplish programmatically: what are the top X hostnames that were requested over the last Y days across the enterprise?


#2

Not sure on the API query. But I know our team is just querying the metric. So top 5 DNS Queries by name.


#3

We have a REST API that provides the functionality you’re looking for: /api/v1/metrics exposes the time-series information, and /api/v1/records/search can be used to send a record query. To find out how to get a specific metric from the REST API, find that metric in the Metric Catalog in Settings: At the bottom of the metric’s details you’ll find the arguments to pass to the REST API.

To get a key for that API, click on the user icon in the upper right of the main UI, then click “API Access”. You can then get a REST API key for your account, and can click through to the API Explorer to browse all the endpoints we have available.


#5

Here’s another example that is poorly described in the documentation. A records query with multiple rules:

{
    "filter": {
        "operator": "and",
        "rules": [
            {
                "field": "qname",
                "operand": "example.com",
                "operator": "="
            },
            {
                "field": "client",
                "operand": "DEVICE_ID",
                "operator": "!="
            }
        ]
    },
    "from": X,
    "until": Y,
    "types": [
        "~dns_request"
    ]
}
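
Putting posts #3 and #5 together for the use case in #1 (top X requested hostnames over the last Y days), here is an added example; it is not code from this thread or from ExtraHop. It builds a /api/v1/records/search body in the same shape as the filter above, pages through the results, and counts the qname field client-side, since the thread says the UI's aggregation is not exposed. Everything beyond what the posts state is an assumption: that the API key goes in an "Authorization: ExtraHop apikey=<key>" header, that "from"/"until" are millisecond timestamps with negative values meaning relative to now, that "limit"/"offset" page through results, and that each record's fields sit under "_source". The sample records at the bottom are constructed for illustration.

```python
"""Top-N DNS query names from Reveal(x) dns_request records (added example).

Assumptions not confirmed by the thread: ExtraHop apikey auth header,
millisecond from/until with negative = relative to now, limit/offset paging,
and record fields under "_source". Adjust against the API Explorer.
"""
import json
import os
import ssl
import urllib.request
from collections import Counter

MS_PER_DAY = 24 * 60 * 60 * 1000


def build_dns_query(days, exclude_client=None, limit=1000, offset=0):
    """Body for POST /api/v1/records/search covering the last `days` days.

    The enterprise-wide view needs no filter at all; a client exclusion is
    optional and uses the rule shape shown in the thread.
    """
    body = {
        "from": -days * MS_PER_DAY,  # assumption: negative = relative to now
        "until": 0,                  # assumption: 0 = time of the request
        "types": ["~dns_request"],
        "limit": limit,              # assumption: paging fields
        "offset": offset,
    }
    if exclude_client is not None:
        body["filter"] = {"field": "client", "operand": exclude_client, "operator": "!="}
    return body


def fetch_page(host, api_key, body):
    """POST one search body and return the decoded JSON response.

    TLS verification stays on: add the sensor's CA to the trust store instead
    of disabling it, otherwise the API key travels over an unverified channel.
    """
    req = urllib.request.Request(
        f"https://{host}/api/v1/records/search",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"ExtraHop apikey={api_key}",  # assumption
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as resp:
        return json.load(resp)


def iter_records(host, api_key, days, page_size=1000, exclude_client=None):
    """Yield every dns_request record over the window, one page at a time."""
    offset = 0
    while True:
        page = fetch_page(host, api_key, build_dns_query(days, exclude_client, page_size, offset))
        records = page.get("records", [])   # assumption: response key
        yield from records
        if len(records) < page_size:
            return
        offset += page_size


def top_hostnames(records, n=10):
    """Count qname across records; normalise case and trailing dot, skip records without one."""
    counts = Counter()
    for rec in records:
        qname = rec.get("_source", {}).get("qname")  # assumption: field location
        if qname:
            counts[qname.rstrip(".").lower()] += 1
    return counts.most_common(n)


# Constructed sample records in the assumed response shape (not real captures).
SAMPLE_RECORDS = [
    {"_source": {"qname": "example.com", "client": {"id": 101}}},
    {"_source": {"qname": "Example.com.", "client": {"id": 102}}},
    {"_source": {"qname": "updates.example.net", "client": {"id": 101}}},
    {"_source": {"qname": "example.com", "client": {"id": 103}}},
    {"_source": {"qname": "cdn.example.org", "client": {"id": 102}}},
    {"_source": {"qname": "updates.example.net", "client": {"id": 104}}},
    {"_source": {"client": {"id": 105}}},  # no qname: skipped
]

if __name__ == "__main__":
    host, key = os.environ.get("EXTRAHOP_HOST"), os.environ.get("EXTRAHOP_API_KEY")
    records = iter_records(host, key, days=7) if host and key else SAMPLE_RECORDS
    for name, count in top_hostnames(records, n=10):
        print(f"{count:8d}  {name}")
```

Run it with EXTRAHOP_HOST and EXTRAHOP_API_KEY set to query a sensor; without them it summarises the constructed sample. Pulling every record for a long window is expensive, so narrow the window or add a filter rule before scaling Y up, and check the records/search paging limits in the API Explorer mentioned in post #3.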

#6

Thanks for the feedback; that’s an area we’ll work on better documenting in an upcoming release.