Programmatic extraction via REST API for Log Data via Concentrator & Log Decoder

Discussion created by JohnyBricks on Mar 27, 2013


Most of the examples and guidance provided on this forum are Packet centric. So, In an attempt to share some of the things that I have been able to get working, I'm going to share some PERL source code.


use Time::ParseDate qw(parsedate);

# Extract the session ids for a particular input criteria - This is very basic criteria. Please add your own specific criteria here

@session_string=`/usr/bin/curl --user "xxxx:xxxx" "http://concentrator_ip:50105/sdk?msg=query&id1=0&id2=0&size=100&query=select%20sessionid+where+device.type='ciscoasa'"`;

# Loop through Each and every session string to extract the session ids
foreach $session(@session_string){

  if ($session =~ /sessionid/)  {
                ($session_id) = ($session=~ /(>[0-9]{1,15}<)/);
                $session_id =~ s/[>,<]//g;

         push (@sessions,$session_id);


# Debug Message to see that all the session ids were extracted
foreach $session(@sessions) {
print "The session is $session\n";


# Create a comma delimited string that will be directly consumed by the REST API

$session_id_commas = join(',',@sessions);

print " $session_id_commas\n";

# Extract the Raw Log Messages based on the criteria stated above and save that to the output.txt file
@session_line=`curl --user 'admin:netwitness' -o output.txt 'http://decoder_ip:50102/sdk/packets?&sessions=$session_id_commas&render=logs'`