ves-io-schema-log-CustomAPI-FirewallLogAggregationQuery

Examples of performing log CustomAPI FirewallLogAggregationQuery

Use case:

Firewall Log Aggregation query for virtual host vhost1 in namespace ns1

Request:

Request using vesctl:

vesctl request rpc log.CustomAPI.FirewallLogAggregationQuery -i request.yaml --uri /public/namespaces/system/firewall_logs/aggregation --http-method POST

where the file request.yaml has the following contents:

aggs:
  date_histogram:
    dateAggregation:
      step: 1h
  site:
    fieldAggregation:
      topk: 3
  unique_dst_ip:
    cardinalityAggregation:
      field: DST_IP
endTime: "1591131600"
query: '{policy_hits.result="deny"}'
startTime: "1591120800"

vesctl yaml response:

aggs:
  date_histogram:
    dateAggregation:
      buckets:
      - count: "224"
        subAggs: {}
        time: "1591120800000"
      - count: "533"
        subAggs: {}
        time: "1591124400000"
      - count: "525"
        subAggs: {}
        time: "1591128000000"
  site:
    fieldAggregation:
      buckets:
      - count: "456"
        key: site-1
      - count: "230"
        key: site-2
      - count: "45"
        key: site-3
  unique_dst_ip:
    cardinalityAggregation:
      count: "100"
totalHits: "1282"

Request using curl:

curl -X 'POST' -d '{"query":"{policy_hits.result=\"deny\"}","startTime":"1591120800","endTime":"1591131600","aggs":{"date_histogram":{"dateAggregation":{"step":"1h"}},"site":{"fieldAggregation":{"topk":3}},"unique_dst_ip":{"cardinalityAggregation":{"field":"DST_IP"}}}}' -H 'Content-Type: application/json' -H 'X-Volterra-Useragent: v1/pgm=_tmp_go-build186851157_b001_apidocs.test/host=docker-desktop' 'https://acmecorp.console.ves.volterra.io/api/data/namespaces/system/firewall_logs/aggregation'

curl response:

HTTP/1.1 200 OK
Content-Length: 1163
Content-Type: application/json
Date: Tue, 24 Nov 2020 10:46:19 GMT
Vary: Accept-Encoding

{
  "total_hits": "1282",
  "aggs": {
    "date_histogram": {
      "date_aggregation": {
        "buckets": [
          {
            "time": "1591120800000",
            "count": "224",
            "sub_aggs": {
            }
          },
          {
            "time": "1591124400000",
            "count": "533",
            "sub_aggs": {
            }
          },
          {
            "time": "1591128000000",
            "count": "525",
            "sub_aggs": {
            }
          }
        ]
      },
      "field_aggregation": null,
      "cardinality_aggregation": null
    },
    "site": {
      "date_aggregation": null,
      "field_aggregation": {
        "buckets": [
          {
            "key": "site-1",
            "count": "456"
          },
          {
            "key": "site-2",
            "count": "230"
          },
          {
            "key": "site-3",
            "count": "45"
          }
        ]
      },
      "cardinality_aggregation": null
    },
    "unique_dst_ip": {
      "date_aggregation": null,
      "field_aggregation": null,
      "cardinality_aggregation": {
        "count": "100"
      }
    }
  }
}
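The request and response shapes above, as an added Python example that is not part of the vesctl or API documentation: build_request produces the same JSON body the curl command sends, and summarize parses the snake_case response (string-encoded counts, millisecond bucket times) and checks that the hourly deny buckets add up to total_hits. SAMPLE_RESPONSE is the curl response from this page re-entered as a dict; the function names are assumptions.

```python
from datetime import datetime, timezone

# The curl response from this page, re-entered as a dict (same values, same snake_case keys).
SAMPLE_RESPONSE = {
    "total_hits": "1282",
    "aggs": {
        "date_histogram": {"date_aggregation": {"buckets": [
            {"time": "1591120800000", "count": "224", "sub_aggs": {}},
            {"time": "1591124400000", "count": "533", "sub_aggs": {}},
            {"time": "1591128000000", "count": "525", "sub_aggs": {}}]},
            "field_aggregation": None, "cardinality_aggregation": None},
        "site": {"date_aggregation": None, "field_aggregation": {"buckets": [
            {"key": "site-1", "count": "456"}, {"key": "site-2", "count": "230"},
            {"key": "site-3", "count": "45"}]}, "cardinality_aggregation": None},
        "unique_dst_ip": {"date_aggregation": None, "field_aggregation": None,
                          "cardinality_aggregation": {"count": "100"}},
    },
}

def build_request(query, start_ts, end_ts, step="1h", topk=3, cardinality_field="DST_IP"):
    """Body for POST .../firewall_logs/aggregation, same shape as request.yaml above.
    start_ts/end_ts are epoch seconds; the API takes them as strings. (Assumed helper name.)"""
    return {
        "query": query,
        "startTime": str(start_ts),
        "endTime": str(end_ts),
        "aggs": {
            "date_histogram": {"dateAggregation": {"step": step}},
            "site": {"fieldAggregation": {"topk": topk}},
            "unique_dst_ip": {"cardinalityAggregation": {"field": cardinality_field}},
        },
    }

def summarize(resp):
    """Parse the response: counts are strings, bucket times are epoch milliseconds (UTC).
    Also verifies that the histogram buckets add up to total_hits. (Assumed helper name.)"""
    aggs, total = resp["aggs"], int(resp["total_hits"])
    histogram = [(datetime.fromtimestamp(int(b["time"]) / 1000, tz=timezone.utc).isoformat(),
                  int(b["count"])) for b in aggs["date_histogram"]["date_aggregation"]["buckets"]]
    sites = [(b["key"], int(b["count"])) for b in aggs["site"]["field_aggregation"]["buckets"]]
    return {
        "total_hits": total,
        "histogram": histogram,
        "histogram_matches_total": sum(c for _, c in histogram) == total,
        "top_sites": sites,  # only the topk keys, so their sum is a lower bound on total_hits
        "top_sites_share": round(sum(c for _, c in sites) / total, 3) if total else 0.0,
        "unique_dst_ip": int(aggs["unique_dst_ip"]["cardinality_aggregation"]["count"]),
    }
```

A histogram that does not sum to total_hits means the step did not cover the whole startTime..endTime window, so the per-bucket counts cannot be compared against the total.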