diff --git a/scripts/search-job-messages-trend-antimalware.py b/scripts/search-job-messages-trend-antimalware.py
new file mode 100644
index 0000000..c675957
--- /dev/null
+++ b/scripts/search-job-messages-trend-antimalware.py
@@ -0,0 +1,48 @@
+# Submits search job, waits for completion, then prints and emails _messages_
+# (as opposed to records). Pass the query via stdin.
+#
+# python search-job-messages.py
+#
+# Note: fromDate and toDate must be either ISO 8601 date-times or epoch
+# milliseconds
+#
+# Example:
+#
+# cat python search-job-messages.py 1408643380441 1408649380441 PST false
+
+import json
+import sys
+import time
+
+from sumologic import SumoLogic
+
+# limit may not be necessary (Ciaran)
+LIMIT = 1000000
+
+args = sys.argv
+sumo = SumoLogic(args[1], args[2], args[3])
+fromTime = args[4]
+toTime = args[5]
+timeZone = args[6]
+byReceiptTime = args[7]
+
+delay = 5
+
+q = '_sourceCategory = zeus/trend | where signature_id >= 4000000 AND signature_id <= 4999999 | timeslice 30m | count _timeslice, Action | transpose row _timeslice column Action'
+
+sj = sumo.search_job(q, fromTime, toTime, timeZone, byReceiptTime)
+
+status = sumo.search_job_status(sj)
+while status['state'] != 'DONE GATHERING RESULTS':
+    if status['state'] == 'CANCELLED':
+        break
+    time.sleep(delay)
+    status = sumo.search_job_status(sj)
+
+print(status['state'])
+
+if status['state'] == 'DONE GATHERING RESULTS':
+    count = status['messageCount']
+    limit = count if count < LIMIT and count != 0 else LIMIT # may not be necessary (Ciaran)
+    r = sumo.search_job_messages(sj, limit=limit)
+    print(r)
diff --git a/scripts/search-job-messages.py b/scripts/search-job-messages.py
index 82192e6..e27682c 100644
--- a/scripts/search-job-messages.py
+++ b/scripts/search-job-messages.py
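Review bot: The usage comment in this new file does not match the code: it says the query is passed via stdin and names `search-job-messages.py`, but `q` is a hard-coded `zeus/trend` query, and, at least as rendered here where angle-bracketed placeholders may have been stripped, the three leading positional arguments consumed as `args[1]`–`args[3]` (apparently the access id, access key and API endpoint, judging by the sibling scripts) are not documented at all. I would replace the usage lines with `# python search-job-messages-trend-antimalware.py <accessId> <accessKey> <endpoint> <fromTime> <toTime> <timeZone> <byReceiptTime>`, drop the stdin sentence, and add a warning that an access key given on the command line is visible in `ps` output and shell history and should be read from an environment variable or a file instead. `import json` is unused in this file. The polling loop leaves only on `DONE GATHERING RESULTS` or `CANCELLED`, so if the API can report any other terminal state the loop never ends; a bounded number of polls, `for _ in range(MAX_POLLS):`, or a check for the remaining terminal states would close that. There is also no `len(sys.argv)` check, so a short invocation fails with an IndexError on `args[7]` rather than a usage message.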
@@ -1,16 +1,14 @@
 # Submits search job, waits for completion, then prints and emails _messages_
 # (as opposed to records). Pass the query via stdin.
 #
-# cat query.sumoql | python search-job-messages.py \
-#
+# cat query.sumoql | python search-job-messages.py
 #
 # Note: fromDate and toDate must be either ISO 8601 date-times or epoch
 # milliseconds
 #
 # Example:
 #
-# cat query.sumoql | python search-job-messages.py \
-# 1408643380441 1408649380441 PST false
+# cat query.sumoql | python search-job-messages.py 1408643380441 1408649380441 PST false
 
 import json
 import sys
@@ -18,14 +16,14 @@ from sumologic import SumoLogic
-LIMIT = 42
+LIMIT = 1000000
 args = sys.argv
-sumo = SumoLogic(args[1], args[2])
-fromTime = args[3]
-toTime = args[4]
-timeZone = args[5]
-byReceiptTime = args[6]
+sumo = SumoLogic(args[1], args[2], args[3])
+fromTime = args[4]
+toTime = args[5]
+timeZone = args[6]
+byReceiptTime = args[7]
 delay = 5
 q = ' '.join(sys.stdin.readlines())
diff --git a/scripts/search-job.py b/scripts/search-job.py
index a610a3d..029cfea 100644
--- a/scripts/search-job.py
+++ b/scripts/search-job.py
@@ -1,16 +1,14 @@
 # Submits search job, waits for completion, then prints and emails results.
 # Pass the query via stdin.
 #
-# cat query.sumoql | python search-job.py \
-#
+# cat query.sumoql | python search-job.py
 #
 # Note: fromDate and toDate must be either ISO 8601 date-times or epoch
 # milliseconds
 #
 # Example:
 #
-# cat query.sumoql | python search-job.py \
-# https://api.us2.sumologic.com/api/v1 1408643380441 1408649380441 PST false
+# cat query.sumoql | python search-job.py https://api.us2.sumologic.com/api/v1 1408643380441 1408649380441 PST false
 
 import json
 import sys
@@ -21,7 +19,7 @@ from sumologic import SumoLogic
-LIMIT = 42
+LIMIT = 1000000
 args = sys.argv
 sumo = SumoLogic(args[1], args[2], args[3])
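Review bot: Inserting a third constructor argument shifts every positional index from `args[3]` onward, and nothing in this hunk validates `len(sys.argv)`, so an existing six-argument invocation now dies with an IndexError on `args[7]`, while a caller that happens to pass seven values silently sends the wrong strings as the time range and time zone. A guard before the assignments, `if len(sys.argv) != 8: sys.exit('usage: search-job-messages.py <accessId> <accessKey> <endpoint> <fromTime> <toTime> <timeZone> <byReceiptTime>')`, would turn that into a clear failure. Taking the access key as a positional argument also exposes it in `ps` output and shell history; the old two-argument form already did this, but it is worth fixing while the argument list is being changed, for example by reading the key from an environment variable. This is a flat script, so the statements that consume these variables continue outside the hunk.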
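Review bot: `LIMIT = 42` was plainly a placeholder, and `LIMIT = 1000000` replaces it with another bare magic number; if the records endpoint caps the page size the larger value will not be honoured, and if it does drive a single request a million-record response is a large in-memory payload, so the constant should carry a comment stating what the API permits and whether the caller pages with an offset, e.g. `LIMIT = 1000000  # upper bound on records fetched per search job; paginate with offset if the API caps page size`. The code that consumes `LIMIT` lies outside this hunk, so I cannot confirm from here how the value is applied.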