{ "info": { "_postman_id": "bba80f10-6f77-46c4-8f32-cbaba7ce97de", "name": "Splunk search POC", "description": "# Purpose\nTo demonstrate the API calls needed to run a saved Splunk search and retrieve the output in various forms \n\n# Collection flow\n\n* Establish Authentication\n* Dispatch the search job\n* (wait 10 Sec) check job's status, repeat this wait and check until the job is completed\n* Collect the output in CSV format\n* Collect the output in JSON format", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" }, "item": [ { "name": "1 - Get token", "event": [ { "listen": "test", "script": { "id": "d5f47e3c-1a64-43c7-a77d-f8ae21377b0d", "exec": [ "pm.test(\"Session token received\", function () {", " pm.expect(pm.response.text()).to.include(\"sessionKey\");", "});", "", "var jsonObject = xml2Json(responseBody)", "console.log(\"JSON response:\", jsonObject)", "let this_sessionKey = jsonObject.response.sessionKey;", "console.log(\"this_sessionKey:\", this_sessionKey)", "pm.environment.set(\"this_sessionKey\", jsonObject.response.sessionKey);", "", "pm.test(\"Session token obtained\", function() {", " pm.expect(jsonObject.response.sessionKey)", "});", "", "", "", "" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "username", "value": "splunkapiuser", "type": "text" }, { "key": "password", "value": "splunkapiuser", "type": "text" } ] }, "url": { "raw": "{{RS}}{{logincall}}?", "host": [ "{{RS}}{{logincall}}" ], "query": [ { "key": "output_mode", "value": "json", "disabled": true } ] }, "description": "The call returns a job id (sid) that is used in subsequent calls to get the job status and retrieve the output\n\nThe token in the header does not conform to any token-passing standard implemented in Postman, so a header is needed: \nAuthorization=Splunk sid\n\nNote: the username and password are committed in clear text in this request body; keep them in a Postman environment (as {{RS}} and {{logincall}} already are) rather than in the collection, and rotate them if this collection has been shared." 
}, "response": [] }, { "name": "2 - Save Search", "event": [ { "listen": "test", "script": { "id": "a8480d89-b5db-471e-9127-d0a84a0abe4e", "exec": [ "pm.test(\"search dispatched\", function () {", " pm.expect(pm.response.text()).to.include(\"sid\");", "});", "", "let jsondata = pm.response.json();", "console.log(\"JSON response:\", jsondata)", "let this_sid = jsondata.sid;", "console.log(\"this_sid:\", this_sid)", "pm.environment.set(\"this_sid\", jsondata.sid);" ], "type": "text/javascript" } }, { "listen": "prerequest", "script": { "id": "fd6c3235-4dcb-4ad9-91c4-a6db31be1ccf", "exec": [ "//var this_id =\"SUB_VAL=07891012133 OR SUB_VAL=07891012134 OR CLIENT=10.61.42.224\";", "//var encoded = encodeURIComponent(this_id);", "//postman.setEnvironmentVariable(\"args.id\", encoded);" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded", "disabled": true }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "output_mode", "value": "json", "type": "text" }, { "key": "search", "value": "sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history $args.lease_ip_str$ $args.host_name_str$ $args.mac_duid_str$ dhcpd OR dhcpdv6 r-l-e \n| eval Protocol=if(PROTO==\"dhcpdv6\",\"IPV6\",\"IPV4\") \n| eval LEASE_START=strftime(START_EPOCH, \"%Y-%m-%d %H:%M:%S\") \n| eval LEASE_END=strftime(END_EPOCH, \"%Y-%m-%d %H:%M:%S\") \n| eval dummy_epoch=\"\" \n| eval __COMMENT=\"The lease_time.latest and lease_time.latest are the date format in epoch number. For example if timestamp is 01-01-1971 01.01.01, the epoch number is 8 digit number. 
So taken lease_time length with >=8.\" \n| eval min_lengh_epoch=8 \n| eval earliest=if(len(\"0\") <= min_lengh_epoch, dummy_epoch , \"0\") \n| eval latest=if(len(\"\") <= min_lengh_epoch, dummy_epoch , \"\") \n| eval earliest=if(len(\"0\") == 0, START_EPOCH,\"0\") \n| eval latest=if(len(\"\") == 0, END_EPOCH,\"\") \n| where ((earliest <= START_EPOCH) AND (START_EPOCH <= latest)) OR ((earliest <= END_EPOCH) AND (END_EPOCH <= latest)) \n| eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP) \n| eval resolved_names_or_ips=coalesce(ms_resolved_names,ms_resolved_ips) \n| eval resolved_names_or_ips=if(isnull(resolved_names_or_ips),MS_SERVER,resolved_names_or_ips) \n| eval host = if (isnull(MS_SERVER),host,NULL) \n| eval MEMBER_IP = if (isnull(MS_SERVER),MEMBER_IP,NULL) \n| eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), \"Modified or Deleted\", DEVICE_CLASS) \n| rename host as \"Member\", ACTION as \"Action\", LEASE_IP as \"Lease IP\", MAC_DUID as \"MAC/DUID\", MEMBER_IP as \"Member IP\", OPTION12HOST as \"Host Name\", LEASE_START as \"Lease Start\", LEASE_END as \"Lease End\", FINGER_PRINT as \"Fingerprint\", MS_SERVER as \"Microsoft Server IP\", ms_resolved_names as \"Microsoft Server\" \n| convert ctime(_time) as Time \n| table Time, Member, \"Member IP\", Protocol, Action, \"Lease IP\", \"MAC/DUID\", \"Host Name\", \"Lease Start\", \"Lease End\", \"Fingerprint\", \"Microsoft Server\", \"Microsoft Server IP\"", "type": "text" }, { "key": "name", "value": "dhcpleasehistory_search", "type": "text" } ] }, "url": { "raw": "{{RS}}{{savedsearches}}?", "host": [ "{{RS}}{{savedsearches}}" ], "query": [ { "key": "", "value": null, "disabled": true } ] }, "description": "This call dispatches a saved search on the reporting server. the search is one read_only has already saved. The search has token variables that are given values. 
\r\n\r\nThe call returns a job id (sid) that is used in subsequent calls to get the job status and retrieve the output" }, "response": [ { "name": "10 Save Search", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded", "disabled": true }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "name", "value": "test_ new_search", "type": "text" }, { "key": "search", "value": "search \" source=\"ib:dns:query:top_rpz_hit\" | stats COUNT by CLIENT \"", "type": "text" } ] }, "url": { "raw": "{{RS}}{{savedsearches}}?", "host": [ "{{RS}}{{savedsearches}}" ], "query": [ { "key": "", "value": null, "disabled": true } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "plain", "header": [ { "key": "Connection", "value": "Keep-Alive", "name": "Connection", "description": "Options that are desired for the connection" }, { "key": "Content-Type", "value": "text/plain", "name": "Content-Type", "description": "The mime type of this content" }, { "key": "Date", "value": "Mon, 14 May 2018 21:01:32 GMT", "name": "Date", "description": "The date and time that the message was sent" }, { "key": "Keep-Alive", "value": "timeout=100", "name": "Keep-Alive", "description": "Custom header" }, { "key": "Transfer-Encoding", "value": "chunked", "name": "Transfer-Encoding", "description": "The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity." }, { "key": "WWW-Authenticate", "value": "Basic realm=\"InfoBlox REPORTING Platform\"", "name": "WWW-Authenticate", "description": "Indicates the authentication scheme that should be used to access the requested entity." 
} ], "cookie": [], "body": "\n\n\n\n savedsearch\n https://localhost:8089/services/saved/searches\n 2018-05-14T23:01:32+02:00\n \n \n Splunk\n \n \n \n \n 1\n 30\n 0\n \n \n test_ new_search\n https://localhost:8089/servicesNS/read_only/search/saved/searches/test_%20new_search\n 2018-05-14T23:01:32+02:00\n \n \n read_only\n \n \n \n \n \n \n \n \n \n \n \n \n 0\n \n \n \n \n \n html\n Send an email notification to specified recipients\n If you believe you've received this email in error, please see your Splunk administrator.\n\nsplunk > the engine for machine data\n table\n splunk\n \n mod_alert_icon_email.png\n 0\n 0\n 0\n 0\n 0\n 0\n Send email\n localhost\n 10000\n 5m\n \n \n title\n 1\n logo\n timestamp,pagination\n description\n 1\n 1\n pdf_logo_image.png\n \n \n 3\n gb cns jp kor\n $name$-$time:%Y-%m-%d$\n 1\n portrait\n letter\n 0\n 0\n 0\n Splunk Alert: $name$\n Splunk Alert: $name$\n Splunk Report: $name$\n \n 1\n 86400\n 0\n 0\n 0\n 1\n 0\n copyresults dest=\"$action.populate_lookup.dest$\" sid=\"$search_id$\"\n \n \n 10000\n 5m\n 0\n 120\n 0\n createrss \"path=$name$.xml\" \"name=$name$\" \"link=$results.url$\" \"descr=Alert trigger: $name$, results.count=$results.count$ \" \"count=30\" \"graceful=$graceful{default=1}$\" maxtime=\"$action.rss.maxtime{default=1m}$\"\n \n 10000\n 1m\n 0\n 86400\n 0\n runshellscript \"$action.script.filename$\" \"$results.count$\" \"$search$\" \"$search$\" \"$name$\" \"Saved Search [$name$] $counttype$($results.count$)\" \"$results.url$\" \"$deprecated_arg$\" \"$search_id$\" \"$results.file$\" maxtime=\"$action.script.maxtime{default=5m}$\"\n Invoke a custom script\n \n \n mod_alert_icon_script.png\n Run a script\n 10000\n 5m\n 1\n 600\n 0\n summary\n \n \n 1\n 10000\n 5m\n 0\n 120\n 0\n sendalert $action_name$ results_file=\"$results.file$\" results_link=\"$results.url$\"\n Generic HTTP POST to a specified URL\n \n webhook.png\n 1\n Webhook\n 10000\n 5m\n Splunk/$server.guid$\n json\n 0\n 10p\n \n 1\n 24h\n 3\n \n \n \n 
0\n \n \n \n always\n 0\n \n */10 * * * *\n \n \n %FT%T.%Q%:z\n 60\n 1\n 2\n 0.1\n 52428800\n 3600\n 24h\n \n \n \n 0\n 0\n 0\n 0\n \n \n \n \n \n 1\n 500000\n 0\n 10\n 0\n 1\n %FT%T.%Q%:z\n 2p\n owner\n [\"host\",\"source\",\"sourcetype\"]\n full\n 1\n 5\n full\n 0\n 1\n 1\n list\n 1\n 0\n 1\n events\n smart\n 0.8\n 1\n events\n compact\n linear\n cell\n none\n 0\n 1\n 1\n 300\n ellipsisNone\n 0\n \n \n \n \n visible\n \n visible\n \n visible\n \n \n linear\n \n \n linear\n 0\n \n \n inherit\n column\n 50\n 10\n area\n gaps\n \n \n none\n 0.01\n default\n shiny\n all\n \n 0\n 0\n ellipsisMiddle\n right\n 400\n 5\n auto\n 0xDB5800\n 0x2F25BA\n 0\n 0.75\n 1\n 100\n all\n (0,0)\n 1\n 0\n 2\n 50\n 10\n 0.8\n 1\n 7\n 0\n 1\n \n marker\n 1\n \n \n value\n none\n 0\n \n \n 1\n 1\n standard\n absolute\n \n \n 0\n 1\n 100\n charting\n \n \n \n search\n 0\n 1\n 0\n 0\n 0\n 1\n 1\n read_only\n \n 1\n user\n \n \n \n \n \n \n action.email.auth_password\n action.email.auth_username\n action.email.bcc\n action.email.cc\n action.email.command\n action.email.content_type\n action.email.description\n action.email.footer.text\n action.email.format\n action.email.from\n action.email.hostname\n action.email.icon_path\n action.email.include.results_link\n action.email.include.search\n action.email.include.trigger\n action.email.include.trigger_time\n action.email.include.view_link\n action.email.inline\n action.email.label\n action.email.mailserver\n action.email.maxresults\n action.email.maxtime\n action.email.message.alert\n action.email.message.report\n action.email.pdf.footer_center\n action.email.pdf.footer_enabled\n action.email.pdf.footer_left\n action.email.pdf.footer_right\n action.email.pdf.header_center\n action.email.pdf.header_enabled\n action.email.pdf.html_image_rendering\n action.email.pdf.logo_path\n action.email.pdfview\n action.email.preprocess_results\n action.email.priority\n action.email.reportCIDFontList\n action.email.reportFileName\n 
action.email.reportIncludeSplunkLogo\n action.email.reportPaperOrientation\n action.email.reportPaperSize\n action.email.sendcsv\n action.email.sendpdf\n action.email.sendresults\n action.email.subject\n action.email.subject.alert\n action.email.subject.report\n action.email.to\n action.email.track_alert\n action.email.ttl\n action.email.useNSSubject\n action.email.use_ssl\n action.email.use_tls\n action.email.width_sort_columns\n action.populate_lookup.command\n action.populate_lookup.dest\n action.populate_lookup.hostname\n action.populate_lookup.maxresults\n action.populate_lookup.maxtime\n action.populate_lookup.track_alert\n action.populate_lookup.ttl\n action.rss.command\n action.rss.hostname\n action.rss.maxresults\n action.rss.maxtime\n action.rss.track_alert\n action.rss.ttl\n action.script.command\n action.script.description\n action.script.filename\n action.script.hostname\n action.script.icon_path\n action.script.label\n action.script.maxresults\n action.script.maxtime\n action.script.track_alert\n action.script.ttl\n action.summary_index._name\n action.summary_index.command\n action.summary_index.hostname\n action.summary_index.inline\n action.summary_index.maxresults\n action.summary_index.maxtime\n action.summary_index.track_alert\n action.summary_index.ttl\n action.webhook.command\n action.webhook.description\n action.webhook.hostname\n action.webhook.icon_path\n action.webhook.is_custom\n action.webhook.label\n action.webhook.maxresults\n action.webhook.maxtime\n action.webhook.param.user_agent\n action.webhook.payload_format\n action.webhook.track_alert\n action.webhook.ttl\n actions\n alert.digest_mode\n alert.expires\n alert.severity\n alert.suppress\n alert.suppress.fields\n alert.suppress.period\n alert.track\n alert_comparator\n alert_condition\n alert_threshold\n alert_type\n auto_summarize\n auto_summarize.command\n auto_summarize.cron_schedule\n auto_summarize.dispatch.earliest_time\n auto_summarize.dispatch.latest_time\n 
auto_summarize.dispatch.time_format\n auto_summarize.dispatch.ttl\n auto_summarize.max_concurrent\n auto_summarize.max_disabled_buckets\n auto_summarize.max_summary_ratio\n auto_summarize.max_summary_size\n auto_summarize.max_time\n auto_summarize.suspend_period\n auto_summarize.timespan\n cron_schedule\n description\n disabled\n dispatch.auto_cancel\n dispatch.auto_pause\n dispatch.buckets\n dispatch.earliest_time\n dispatch.index_earliest\n dispatch.index_latest\n dispatch.indexedRealtime\n dispatch.latest_time\n dispatch.lookups\n dispatch.max_count\n dispatch.max_time\n dispatch.reduce_freq\n dispatch.rt_backfill\n dispatch.spawn_process\n dispatch.time_format\n dispatch.ttl\n display.events.fields\n display.events.list.drilldown\n display.events.list.wrap\n display.events.maxLines\n display.events.raw.drilldown\n display.events.rowNumbers\n display.events.table.drilldown\n display.events.table.wrap\n display.events.type\n display.general.enablePreview\n display.general.migratedFromViewState\n display.general.timeRangePicker.show\n display.general.type\n display.page.search.mode\n display.page.search.patterns.sensitivity\n display.page.search.showFields\n display.page.search.tab\n display.page.search.timeline.format\n display.page.search.timeline.scale\n display.statistics.drilldown\n display.statistics.overlay\n display.statistics.rowNumbers\n display.statistics.show\n display.statistics.wrap\n display.visualizations.chartHeight\n display.visualizations.charting.axisLabelsX.majorLabelStyle.overflowMode\n display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation\n display.visualizations.charting.axisLabelsX.majorUnit\n display.visualizations.charting.axisLabelsY.majorUnit\n display.visualizations.charting.axisLabelsY2.majorUnit\n display.visualizations.charting.axisTitleX.text\n display.visualizations.charting.axisTitleX.visibility\n display.visualizations.charting.axisTitleY.text\n display.visualizations.charting.axisTitleY.visibility\n 
display.visualizations.charting.axisTitleY2.text\n display.visualizations.charting.axisTitleY2.visibility\n display.visualizations.charting.axisX.maximumNumber\n display.visualizations.charting.axisX.minimumNumber\n display.visualizations.charting.axisX.scale\n display.visualizations.charting.axisY.maximumNumber\n display.visualizations.charting.axisY.minimumNumber\n display.visualizations.charting.axisY.scale\n display.visualizations.charting.axisY2.enabled\n display.visualizations.charting.axisY2.maximumNumber\n display.visualizations.charting.axisY2.minimumNumber\n display.visualizations.charting.axisY2.scale\n display.visualizations.charting.chart\n display.visualizations.charting.chart.bubbleMaximumSize\n display.visualizations.charting.chart.bubbleMinimumSize\n display.visualizations.charting.chart.bubbleSizeBy\n display.visualizations.charting.chart.nullValueMode\n display.visualizations.charting.chart.overlayFields\n display.visualizations.charting.chart.rangeValues\n display.visualizations.charting.chart.showDataLabels\n display.visualizations.charting.chart.sliceCollapsingThreshold\n display.visualizations.charting.chart.stackMode\n display.visualizations.charting.chart.style\n display.visualizations.charting.drilldown\n display.visualizations.charting.gaugeColors\n display.visualizations.charting.layout.splitSeries\n display.visualizations.charting.layout.splitSeries.allowIndependentYRanges\n display.visualizations.charting.legend.labelStyle.overflowMode\n display.visualizations.charting.legend.placement\n display.visualizations.mapHeight\n display.visualizations.mapping.choroplethLayer.colorBins\n display.visualizations.mapping.choroplethLayer.colorMode\n display.visualizations.mapping.choroplethLayer.maximumColor\n display.visualizations.mapping.choroplethLayer.minimumColor\n display.visualizations.mapping.choroplethLayer.neutralPoint\n display.visualizations.mapping.choroplethLayer.shapeOpacity\n 
display.visualizations.mapping.choroplethLayer.showBorder\n display.visualizations.mapping.data.maxClusters\n display.visualizations.mapping.drilldown\n display.visualizations.mapping.map.center\n display.visualizations.mapping.map.panning\n display.visualizations.mapping.map.scrollZoom\n display.visualizations.mapping.map.zoom\n display.visualizations.mapping.markerLayer.markerMaxSize\n display.visualizations.mapping.markerLayer.markerMinSize\n display.visualizations.mapping.markerLayer.markerOpacity\n display.visualizations.mapping.showTiles\n display.visualizations.mapping.tileLayer.maxZoom\n display.visualizations.mapping.tileLayer.minZoom\n display.visualizations.mapping.tileLayer.tileOpacity\n display.visualizations.mapping.tileLayer.url\n display.visualizations.mapping.type\n display.visualizations.show\n display.visualizations.singlevalue.afterLabel\n display.visualizations.singlevalue.beforeLabel\n display.visualizations.singlevalue.colorBy\n display.visualizations.singlevalue.colorMode\n display.visualizations.singlevalue.numberPrecision\n display.visualizations.singlevalue.rangeColors\n display.visualizations.singlevalue.rangeValues\n display.visualizations.singlevalue.showSparkline\n display.visualizations.singlevalue.showTrendIndicator\n display.visualizations.singlevalue.trendColorInterpretation\n display.visualizations.singlevalue.trendDisplayMode\n display.visualizations.singlevalue.trendInterval\n display.visualizations.singlevalue.underLabel\n display.visualizations.singlevalue.useColors\n display.visualizations.singlevalue.useThousandSeparators\n display.visualizations.singlevalueHeight\n display.visualizations.type\n displayview\n is_scheduled\n is_visible\n max_concurrent\n next_scheduled_time\n qualifiedSearch\n realtime_schedule\n request.ui_dispatch_app\n request.ui_dispatch_view\n restart_on_searchpeer_add\n run_n_times\n run_on_startup\n schedule_window\n search\n vsid\n \n \n \n \n name\n \n \n \n \n action\\..*\n args\\..*\n 
dispatch\\..*\n \n \n \n \n 0\n 0\n 1\n 1\n \n \n 1\n \n \n 1\n 0\n 0\n 0\n \n \n \n \n \n\n" } ] }, { "name": "3 - Saved Search Synchronous", "event": [ { "listen": "test", "script": { "id": "15102ebc-8159-4b9c-8d33-74e156713f91", "exec": [ "pm.test(\"search dispatched\", function () {", " pm.expect(pm.response.text()).to.include(\"sid\");", "});", "", "let jsondata = pm.response.json();", "console.log(\"JSON response:\", jsondata)", "let this_sid = jsondata.sid;", "console.log(\"this_sid:\", this_sid)", "pm.environment.set(\"this_sid\", jsondata.sid);" ], "type": "text/javascript" } }, { "listen": "prerequest", "script": { "id": "fd6c3235-4dcb-4ad9-91c4-a6db31be1ccf", "exec": [ "//var this_id =\"SUB_VAL=07891012133 OR SUB_VAL=07891012134 OR CLIENT=10.61.42.224\";", "//var encoded = encodeURIComponent(this_id);", "//postman.setEnvironmentVariable(\"args.id\", encoded);" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "output_mode", "value": "json", "type": "text" }, { "key": "args.lease_time.earliest", "value": "1546433161", "type": "text" }, { "key": "args.lease_time.latest", "value": "1547037974", "type": "text" }, { "key": "args.lease_ip_str", "value": "10.220.92.7", "type": "text" }, { "key": "args.host_name_str", "value": "*", "type": "text" }, { "key": "args.mac_duid_str", "value": "*", "type": "text" }, { "key": "dispatch.earliest_time", "value": "1546433161", "type": "text" }, { "key": "dispatch.latest_time\t", "value": "1547037974", "type": "text" } ] }, "url": { "raw": "{{RS}}{{savedsearches}}/dhcpleasehistory_search/dispatch", "host": [ "{{RS}}{{savedsearches}}" ], "path": [ "dhcpleasehistory_search", "dispatch" ], "query": [ { "key": "output_mode", "value": "csv", "disabled": true }, { "key": "", 
"value": null, "disabled": true } ] }, "description": "This call submits a synchronous search. It waits for the output. The search is one that read_only has saved. This search has token variables that are given values in the search string.\n\nNote: the dispatch.latest_time form key in this request body ends with a trailing tab character, so the server will likely not recognise that parameter until the key is corrected." }, "response": [] }, { "name": "4 - get job output JSON", "event": [ { "listen": "test", "script": { "id": "f4f74742-6e03-4d46-a186-76d04162b04b", "exec": [ "pm.test(\"JSON output received\", function() {", " pm.response.to.have.body() ", " pm.response.to.have.jsonBody()", " if (pm.response.to.have.body() ) { ", " jsondata = pm.response.json();", " ", "}", "});", "", "" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "GET", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}/results?output_mode=json", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "path": [ "results" ], "query": [ { "key": "output_mode", "value": "json" } ] }, "description": "Uses the passed sid to get the search output." 
}, "response": [ { "name": "get job output JSON", "originalRequest": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}/results?output_mode=json", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "path": [ "results" ], "query": [ { "key": "output_mode", "value": "json" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Connection", "value": "Keep-Alive", "name": "Connection", "description": "Options that are desired for the connection" }, { "key": "Content-Type", "value": "text/plain", "name": "Content-Type", "description": "The mime type of this content" }, { "key": "Date", "value": "Sat, 21 Apr 2018 18:02:37 GMT", "name": "Date", "description": "The date and time that the message was sent" }, { "key": "Keep-Alive", "value": "timeout=100", "name": "Keep-Alive", "description": "Custom header" }, { "key": "Transfer-Encoding", "value": "chunked", "name": "Transfer-Encoding", "description": "The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity." }, { "key": "WWW-Authenticate", "value": "Basic realm=\"InfoBlox REPORTING Platform\"", "name": "WWW-Authenticate", "description": "Indicates the authentication scheme that should be used to access the requested entity." 
} ], "cookie": [], "body": "{\"preview\":false,\"init_offset\":0,\"messages\":[{\"type\":\"INFO\",\"text\":\"Your timerange was substituted based on your search string\"}],\"fields\":[{\"name\":\"Time\"},{\"name\":\"Subscriber_ID\"},{\"name\":\"Local_ID\"},{\"name\":\"Guest\"},{\"name\":\"CLIENT\"},{\"name\":\"threat_hit\"},{\"name\":\"QCOUNT\"},{\"name\":\"MITIGATION_ACTION\"},{\"name\":\"RPZ_SEVERITY\"},{\"name\":\"RPZ_QNAME\"},{\"name\":\"threat_name\"},{\"name\":\"public_description\"}],\"results\":[{\"Time\":\"21/04/2018 12:02 AM\",\"Subscriber_ID\":\"07891012134\",\"Local_ID\":\"N/A\",\"Guest\":\"No\",\"CLIENT\":\"10.61.42.222\",\"threat_hit\":\"211.22.125.10\\\\32\",\"QCOUNT\":\"1\",\"MITIGATION_ACTION\":\"Block (No Such Domain)\",\"RPZ_SEVERITY\":\"MAJOR\",\"RPZ_QNAME\":\"32.10.125.22.211.rpz-ip.antimalware-ip.rpz.infoblox.local\",\"threat_name\":\"MalwareDownload_Emotet\",\"public_description\":\"Emotet is a banking Trojan and credential stealer that is commonly spread through spam emails. The target receives an email and is prompted to follow a link to download a Word document. The Word document then downloads the payload and executes it. Recent version of Emotet have gained the ability to spread through internal networks with worm-like behavior rather than through spam emails.\"},{\"Time\":\"21/04/2018 5:10 PM\",\"Subscriber_ID\":\"07891012135\",\"Local_ID\":\"N/A\",\"Guest\":\"No\",\"CLIENT\":\"10.61.42.223\",\"threat_hit\":\"62.116.130.8\\\\32\",\"QCOUNT\":\"2\",\"MITIGATION_ACTION\":\"Block (No Such Domain)\",\"RPZ_SEVERITY\":\"MAJOR\",\"RPZ_QNAME\":\"32.8.130.116.62.rpz-ip.antimalware-ip.rpz.infoblox.local\",\"threat_name\":\"MalwareC2_Pykspa\",\"public_description\":\"Pykspa also called Pykse, Skyper or SkypeBot is a worm which spreads via Skype. 
Once a system is infected it changes settings and terminates security related processes, then send instant messages to Skype contacts containing links to propagate the worm.\"},{\"Time\":\"21/04/2018 5:04 PM\",\"Subscriber_ID\":\"07891012135\",\"Local_ID\":\"N/A\",\"Guest\":\"No\",\"CLIENT\":\"10.61.42.223\",\"threat_hit\":\"zxxx7.club\",\"QCOUNT\":\"1\",\"MITIGATION_ACTION\":\"Substitute (Domain Name)\",\"RPZ_SEVERITY\":\"MAJOR\",\"RPZ_QNAME\":\"zxxx7.club.base.rpz.infoblox.local\",\"threat_name\":\"APT_MalwareC2\",\"public_description\":\"Machines infected with malware may reach out to remote servers to deliver data or receive additional instruction. C&C servers associated with advanced persistent threats (APTs) indicate those servers are related to an ongoing motivated attack against an entity and are relaying information to infected machines of the targeting organization.\"}], \"highlighted\":{}}" }, { "name": "get job output JSON", "originalRequest": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}/results?output_mode=json", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "path": [ "results" ], "query": [ { "key": "output_mode", "value": "json" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "plain", "header": [ { "key": "Connection", "value": "Keep-Alive", "name": "Connection", "description": "Options that are desired for the connection" }, { "key": "Content-Type", "value": "text/plain", "name": "Content-Type", "description": "The mime type of this content" }, { "key": "Date", "value": "Sun, 15 Apr 2018 04:41:46 GMT", "name": "Date", "description": "The date and time that the message was sent" }, { "key": "Keep-Alive", "value": "timeout=100", "name": "Keep-Alive", "description": "Custom header" }, { "key": "Transfer-Encoding", "value": "chunked", "name": "Transfer-Encoding", "description": "The form of 
encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity." } ], "cookie": [], "body": "{\"preview\":false,\"init_offset\":0,\"messages\":[],\"fields\":[{\"name\":\"Subscriber ID Value\"},{\"name\":\"Subscriber ID Type\"},{\"name\":\"Client ID\"},{\"name\":\"Local ID\"},{\"name\":\"Device type\"},{\"name\":\"Guest\"},{\"name\":\"Violation Reason\"},{\"name\":\"Mitigation Action\"},{\"name\":\"Malicious Domains\"},{\"name\":\"RPZ Severity\"},{\"name\":\"RPZ Entries\"},{\"name\":\"Total Subscriber Hits\"},{\"name\":\"IP Space Discriminator\"}],\"results\":[{\"Subscriber ID Value\":\"N/A\",\"Subscriber ID Type\":\"N/A\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Guest\":\"No\",\"Violation Reason\":\"RPZ:rpz10.com\",\"Mitigation Action\":\"Block (No Such Domain)\",\"Malicious Domains\":\"nxd10.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"nxd10.com.rpz10.com\",\"Total Subscriber Hits\":\"610363\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"N/A\",\"Subscriber ID Type\":\"N/A\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Guest\":\"No\",\"Violation Reason\":\"RPZ:rpz8.com\",\"Mitigation Action\":\"Block (No Such Domain)\",\"Malicious Domains\":\"nxd8.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"nxd8.com.rpz8.com\",\"Total Subscriber Hits\":\"610363\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"N/A\",\"Subscriber ID Type\":\"N/A\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Violation Reason\":\"N/A\",\"Mitigation Action\":\"Substitute (A)\",\"Malicious Domains\":\"nxd_rule1.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"nxd_rule1.com.rpz10.com\",\"Total Subscriber Hits\":\"610363\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"13\",\"Subscriber ID Type\":\"Class\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device 
type\":\"N/A\",\"Guest\":\"No\",\"Violation Reason\":\"RPZ:rpz9.com\",\"Mitigation Action\":\"Block (No Such Domain)\",\"Malicious Domains\":\"nxd9.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"nxd9.com.rpz9.com\",\"Total Subscriber Hits\":\"12\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"13\",\"Subscriber ID Type\":\"Class\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Guest\":\"No\",\"Violation Reason\":\"Pornography\",\"Mitigation Action\":\"Substitute (Domain Name)\",\"Malicious Domains\":\"nxd9.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"site1-alias-blocking.parental_control\",\"Total Subscriber Hits\":\"12\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"13\",\"Subscriber ID Type\":\"Class\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Guest\":\"No\",\"Violation Reason\":\"Pornography\",\"Mitigation Action\":\"Substitute (Domain Name)\",\"Malicious Domains\":\"playboy.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"site1-alias-blocking.parental_control\",\"Total Subscriber Hits\":\"12\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"9956182386\",\"Subscriber ID Type\":\"Calling-Station-Id\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Guest\":\"No\",\"Violation Reason\":\"RPZ:rpz10.com\",\"Mitigation Action\":\"Block (No Such Domain)\",\"Malicious Domains\":\"nxd10.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"nxd10.com.rpz10.com\",\"Total Subscriber Hits\":\"4\",\"IP Space Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"9956182386\",\"Subscriber ID Type\":\"Calling-Station-Id\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"N/A\",\"Device type\":\"N/A\",\"Violation Reason\":\"N/A\",\"Mitigation Action\":\"Block (No Such Domain)\",\"Malicious Domains\":\"xdn1.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"xdn1.com.cc.com\",\"Total Subscriber Hits\":\"4\",\"IP Space 
Discriminator\":\"N/A\"},{\"Subscriber ID Value\":\"9956182386\",\"Subscriber ID Type\":\"Calling-Station-Id\",\"Client ID\":\"10.36.6.80\",\"Local ID\":\"E0CB4E80E766\",\"Device type\":\"ASUSTek COMPUTER INC.\",\"Guest\":\"yes\",\"Violation Reason\":\"Pornography\",\"Mitigation Action\":\"Substitute (Domain Name)\",\"Malicious Domains\":\"playboy.com\",\"RPZ Severity\":\"MAJOR\",\"RPZ Entries\":\"site1-alias-blocking.parental_control.com\",\"Total Subscriber Hits\":\"1\",\"IP Space Discriminator\":\"N/A\"}], \"highlighted\":{}}" }, { "name": "get job output JSON - yesterday", "originalRequest": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}/results?output_mode=json", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "path": [ "results" ], "query": [ { "key": "output_mode", "value": "json" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "plain", "header": [ { "key": "Connection", "value": "Keep-Alive", "name": "Connection", "description": "Options that are desired for the connection" }, { "key": "Content-Type", "value": "text/plain", "name": "Content-Type", "description": "The mime type of this content" }, { "key": "Date", "value": "Fri, 20 Apr 2018 00:48:01 GMT", "name": "Date", "description": "The date and time that the message was sent" }, { "key": "Keep-Alive", "value": "timeout=100", "name": "Keep-Alive", "description": "Custom header" }, { "key": "Transfer-Encoding", "value": "chunked", "name": "Transfer-Encoding", "description": "The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity." 
}, { "key": "WWW-Authenticate", "value": "Basic realm=\"InfoBlox REPORTING Platform\"", "name": "WWW-Authenticate", "description": "Indicates the authentication scheme that should be used to access the requested entity." } ], "cookie": [], "body": "{\"preview\":false,\"init_offset\":0,\"messages\":[{\"type\":\"INFO\",\"text\":\"Your timerange was substituted based on your search string\"}],\"fields\":[{\"name\":\"Subscriber_ID\"},{\"name\":\"Local_ID\"},{\"name\":\"Guest\"},{\"name\":\"CLIENT\"},{\"name\":\"threat_hit\"},{\"name\":\"QCOUNT\"},{\"name\":\"MITIGATION_ACTION\"},{\"name\":\"RPZ_SEVERITY\"},{\"name\":\"RPZ_QNAME\"},{\"name\":\"threat_name\"},{\"name\":\"public_description\"}],\"results\":[{\"Subscriber_ID\":\"N/A\",\"Local_ID\":\"N/A\",\"Guest\":\"No\",\"CLIENT\":\"10.61.42.221\",\"threat_hit\":\"www.lumi.do\",\"QCOUNT\":\"36\",\"MITIGATION_ACTION\":\"Substitute (A)\",\"RPZ_SEVERITY\":\"MAJOR\",\"RPZ_QNAME\":\"www.lumi.do.subserv-rpz-04\"},{\"Subscriber_ID\":\"N/A\",\"Local_ID\":\"N/A\",\"Guest\":\"No\",\"CLIENT\":\"10.61.42.221\",\"threat_hit\":\"www.lumi.do\",\"QCOUNT\":\"36\",\"MITIGATION_ACTION\":\"Substitute (AAAA)\",\"RPZ_SEVERITY\":\"MAJOR\",\"RPZ_QNAME\":\"www.lumi.do.subserv-rpz-04\"}], \"highlighted\":{}}" } ] }, { "name": "4 bis - get job output CSV", "event": [ { "listen": "test", "script": { "id": "c04b3264-c0cc-4d63-8722-f7574b55f7cc", "exec": [ "pm.test(\"non JSON output received\", function() {", " pm.response.to.have.body() ", " pm.response.to.not.have.jsonBody()", "});" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "GET", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}/results?output_mode=csv", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "path": [ "results" ], "query": [ { "key": "output_mode", "value": 
"csv" } ] }, "description": "uses passed sid to get search output." }, "response": [ { "name": "get job output CSV", "originalRequest": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}/results?output_mode=csv", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "path": [ "results" ], "query": [ { "key": "output_mode", "value": "csv" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "plain", "header": [ { "key": "Connection", "value": "Keep-Alive", "name": "Connection", "description": "Options that are desired for the connection" }, { "key": "Content-Type", "value": "text/plain", "name": "Content-Type", "description": "The mime type of this content" }, { "key": "Date", "value": "Sun, 15 Apr 2018 04:36:09 GMT", "name": "Date", "description": "The date and time that the message was sent" }, { "key": "Keep-Alive", "value": "timeout=100", "name": "Keep-Alive", "description": "Custom header" }, { "key": "Transfer-Encoding", "value": "chunked", "name": "Transfer-Encoding", "description": "The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity." }, { "key": "WWW-Authenticate", "value": "Basic realm=\"InfoBlox REPORTING Platform\"", "name": "WWW-Authenticate", "description": "Indicates the authentication scheme that should be used to access the requested entity." 
} ], "cookie": [], "body": "\"Subscriber ID Value\",\"Subscriber ID Type\",\"Client ID\",\"Local ID\",\"Device type\",Guest,\"Violation Reason\",\"Mitigation Action\",\"Malicious Domains\",\"RPZ Severity\",\"RPZ Entries\",\"Total Subscriber Hits\",\"IP Space Discriminator\"\n\"N/A\",\"N/A\",\"10.36.6.80\",\"N/A\",\"N/A\",No,\"RPZ:rpz10.com\",\"Block (No Such Domain)\",\"nxd10.com\",MAJOR,\"nxd10.com.rpz10.com\",610363,\"N/A\"\n\"N/A\",\"N/A\",\"10.36.6.80\",\"N/A\",\"N/A\",No,\"RPZ:rpz8.com\",\"Block (No Such Domain)\",\"nxd8.com\",MAJOR,\"nxd8.com.rpz8.com\",610363,\"N/A\"\n\"N/A\",\"N/A\",\"10.36.6.80\",\"N/A\",\"N/A\",,\"N/A\",\"Substitute (A)\",\"nxd_rule1.com\",MAJOR,\"nxd_rule1.com.rpz10.com\",610363,\"N/A\"\n13,Class,\"10.36.6.80\",\"N/A\",\"N/A\",No,\"RPZ:rpz9.com\",\"Block (No Such Domain)\",\"nxd9.com\",MAJOR,\"nxd9.com.rpz9.com\",12,\"N/A\"\n13,Class,\"10.36.6.80\",\"N/A\",\"N/A\",No,Pornography,\"Substitute (Domain Name)\",\"nxd9.com\",MAJOR,\"site1-alias-blocking.parental_control\",12,\"N/A\"\n13,Class,\"10.36.6.80\",\"N/A\",\"N/A\",No,Pornography,\"Substitute (Domain Name)\",\"playboy.com\",MAJOR,\"site1-alias-blocking.parental_control\",12,\"N/A\"\n9956182386,\"Calling-Station-Id\",\"10.36.6.80\",\"N/A\",\"N/A\",No,\"RPZ:rpz10.com\",\"Block (No Such Domain)\",\"nxd10.com\",MAJOR,\"nxd10.com.rpz10.com\",4,\"N/A\"\n9956182386,\"Calling-Station-Id\",\"10.36.6.80\",\"N/A\",\"N/A\",,\"N/A\",\"Block (No Such Domain)\",\"xdn1.com\",MAJOR,\"xdn1.com.cc.com\",4,\"N/A\"\n9956182386,\"Calling-Station-Id\",\"10.36.6.80\",E0CB4E80E766,\"ASUSTek COMPUTER INC.\",yes,Pornography,\"Substitute (Domain Name)\",\"playboy.com\",MAJOR,\"site1-alias-blocking.parental_control.com\",1,\"N/A\"\n" } ] }, { "name": "Debug - get job status", "event": [ { "listen": "test", "script": { "id": "1c0bf2a6-8eb0-44f5-af04-dd9d8cecee4a", "exec": [ "let jsondata = pm.response.json();", "console.log(\"JSON response:\", jsondata)", 
"console.log(\"this_status:\",jsondata.entry[0].content.isDone)", "", "pm.test(\"the search has not completed\", function() {", " pm.expect(jsondata.entry[0].content.isDone).to.be.false", "});", "", "pm.test(\"the search has completed\", function() {", " pm.expect(jsondata.entry[0].content.isDone).to.be.true", "});", "", "if (!(jsondata.entry[0].content.isDone)) {", " postman.setNextRequest(\"get job status\");", "} else {", " postman.setNextRequest(\"get job output CSV\");", "}" ], "type": "text/javascript" } }, { "listen": "prerequest", "script": { "id": "a4a5b01b-696d-4466-b039-b2cbf767dba0", "exec": [ "setTimeout(function() { }, 5000 );" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "GET", "header": [ { "key": "Authorization", "value": "Splunk {{this_sessionKey}}" } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{RS}}{{search}}{{this_sid}}?output_mode=json", "host": [ "{{RS}}{{search}}{{this_sid}}" ], "query": [ { "key": "output_mode", "value": "json" } ] }, "description": "This task waits 5 seconds.\nGets the status of the search job submitted to Splunk.\nThe test reports on the status of the job." }, "response": [] } ] }