SumoLogic · ciaran-finnegan · Jun 6, 2019 · Jun 6, 2019 · Jun 6, 2019 · duchatran
diff --git a/scripts/search-job-messages-trend-antimalware.py b/scripts/search-job-messages-trend-antimalware.py
@@ -0,0 +1,48 @@
+# Submits search job, waits for completion, then prints and emails _messages_
+# (as opposed to records).  Pass the query via stdin.
+#
+# python search-job-messages.py <accessId> <accessKey> <fromDate> <toDate> <timeZone> <byReceiptTime>
+#
+# Note: fromDate and toDate must be either ISO 8601 date-times or epoch
+#       milliseconds
+#
+# Example:
+#
+# cat python search-job-messages.py <accessId> <accessKey> 1408643380441 1408649380441 PST false
+
+import json
+import sys
+import time
+
+from sumologic import SumoLogic
+
+# limit may not be necessary (Ciaran)
+LIMIT = 1000000
+
+args = sys.argv
+sumo = SumoLogic(args[1], args[2], args[3])
+fromTime = args[4]
+toTime = args[5]
+timeZone = args[6]
+byReceiptTime = args[7]
+
+delay = 5
+
+q = '_sourceCategory = zeus/trend | where signature_id >= 4000000 AND signature_id <= 4999999 | timeslice 30m | count _timeslice, Action | transpose row _timeslice column Action'
+
+sj = sumo.search_job(q, fromTime, toTime, timeZone, byReceiptTime)
+
+status = sumo.search_job_status(sj)
+while status['state'] != 'DONE GATHERING RESULTS':
+    if status['state'] == 'CANCELLED':
+        break
+    time.sleep(delay)
+    status = sumo.search_job_status(sj)
+
+print(status['state'])
+
+if status['state'] == 'DONE GATHERING RESULTS':
+    count = status['messageCount']
+    limit = count if count < LIMIT and count != 0 else LIMIT # may not be necessary (Ciaran)
+    r = sumo.search_job_messages(sj, limit=limit)
+    print(r)
diff --git a/scripts/search-job-messages.py b/scripts/search-job-messages.py
@@ -1,31 +1,29 @@
 # Submits search job, waits for completion, then prints and emails _messages_
 # (as opposed to records).  Pass the query via stdin.
 #
-# cat query.sumoql | python search-job-messages.py <accessId> <accessKey> \
-# <fromDate> <toDate> <timeZone> <byReceiptTime>
+# cat query.sumoql | python search-job-messages.py <accessId> <accessKey> <fromDate> <toDate> <timeZone> <byReceiptTime>
 #
 # Note: fromDate and toDate must be either ISO 8601 date-times or epoch
 #       milliseconds
 #
 # Example:
 #
-# cat query.sumoql | python search-job-messages.py <accessId> <accessKey> \
-# 1408643380441 1408649380441 PST false
+# cat query.sumoql | python search-job-messages.py <accessId> <accessKey> 1408643380441 1408649380441 PST false
 
 import json
 import sys
 import time
 
 from sumologic import SumoLogic
 
-LIMIT = 42
+LIMIT = 1000000
 
 args = sys.argv
-sumo = SumoLogic(args[1], args[2])
-fromTime = args[3]
-toTime = args[4]
-timeZone = args[5]
-byReceiptTime = args[6]
+sumo = SumoLogic(args[1], args[2], args[3])
+fromTime = args[4]
+toTime = args[5]
+timeZone = args[6]
+byReceiptTime = args[7]
 
 delay = 5
 q = ' '.join(sys.stdin.readlines())

diff --git a/scripts/search-job.py b/scripts/search-job.py
@@ -1,16 +1,14 @@
 # Submits search job, waits for completion, then prints and emails results.
 # Pass the query via stdin.
 #
-# cat query.sumoql | python search-job.py <accessId> <accessKey> \
-# <endpoint> <fromDate> <toDate> <timeZone> <byReceiptTime>
+# cat query.sumoql | python search-job.py <accessId> <accessKey> <endpoint> <fromDate> <toDate> <timeZone> <byReceiptTime>
 #
 # Note: fromDate and toDate must be either ISO 8601 date-times or epoch
 #       milliseconds
 #
 # Example:
 #
-# cat query.sumoql | python search-job.py <accessId> <accessKey> \
-# https://api.us2.sumologic.com/api/v1 1408643380441 1408649380441 PST false
+# cat query.sumoql | python search-job.py <accessId> <accessKey> https://api.us2.sumologic.com/api/v1 1408643380441 1408649380441 PST false
 
 import json
 import sys
@@ -21,7 +19,7 @@
 
 from sumologic import SumoLogic
 
-LIMIT = 42
+LIMIT = 1000000
 
 args = sys.argv
 sumo = SumoLogic(args[1], args[2], args[3])