TopN Query for Flows
This endpoint returns a sorted list of the top N values of the specified dimension, where a value's rank in the list is determined by the aggregate of the specified metric.
POST /openapi/v1/flowsearch/topn
Parameters:
The list of columns that can be used in the filter criteria can be obtained from the /openapi/v1/flowsearch/dimensions API. The body of the request should be a JSON formatted query; an example query body is shown below. The parameters `t0` and `t1` in the request body can be in epoch format or in ISO 8601 format. The TopN API only allows querying a maximum time range of one day. The dimension on which the grouping is done is specified through `dimension`, and the metric by which the top N results are ranked is specified in the `metric` field of the JSON body. You must specify a `threshold` with a minimum value of 1, which is the 'N' in 'TopN'. The maximum value of `threshold` is 1000; even if a larger value is requested, the API returns at most 1000 results. In addition, you must specify a parameter called `scopeName`, which is the full name of the scope to which you want to restrict the search. The `filter` is the same as the filter of Flow Search Filters. If `filter` is not specified, the TopN is applied to all flow entries.
```
{
  "t0": "2016-06-17T09:00:00-0700",  # t0 can also be 1466179200
  "t1": "2016-06-17T17:00:00-0700",  # t1 can also be 1466208000
  "dimension": "src_address",
  "metric": "fwd_pkts",
  "filter": {"type": "eq", "field": "src_address", "value": "172.29.203.193"},  # optional
  "threshold": 5,
  "scopeName": "Default"
}
```
The query body is a JSON object with the following keys.

| Keys | Values |
|---|---|
| `t0` | Start time of the flow (epoch or ISO 8601) |
| `t1` | End time of the flow (epoch or ISO 8601) |
| `filter` | Query filter. If the filter is empty (i.e. `{}`) or absent (it is optional), the TopN query is applied to all flow entries |
| `scopeName` | Full name of the scope to which the query is restricted |
| `dimension` | The field on which the flow entries are grouped |
| `metric` | The metric aggregated per dimension value; the total of this metric ranks the results |
| `threshold` | The N in TopN |
Response object:

| Keys | Values |
|---|---|
| `result` | Array of the top N entries |
Sample Python code

```python
import json
from tetpyclient import RestClient

# rc is the Tetration OpenAPI client used by the other samples; the endpoint and
# credentials file below are placeholders to be replaced with your own values
rc = RestClient("https://<tetration-host>",
                credentials_file="<path-to-api-credentials.json>",
                verify=True)

req_payload = {
    "t0": "2017-06-07T08:20:00-07:00",
    "t1": "2017-06-07T14:20:00-07:00",
    "dimension": "src_address",
    "metric": "fwd_pkts",
    "filter": {"type": "ne", "field": "src_address", "value": "172.29.203.193"},
    "threshold": 5,
    "scopeName": "Default"
}
resp = rc.post('/flowsearch/topn', json_body=json.dumps(req_payload))
print(resp.status_code)
if resp.status_code == 200:
    parsed_resp = json.loads(resp.content)
    print(json.dumps(parsed_resp))
```
Sample response
```json
[
  {
    "result": [
      {"src_address": "172.31.239.163", "fwd_pkts": 23104},
      {"src_address": "172.31.239.162", "fwd_pkts": 22410},
      {"src_address": "172.31.239.166", "fwd_pkts": 16185},
      {"src_address": "172.31.239.168", "fwd_pkts": 15197},
      {"src_address": "172.31.239.169", "fwd_pkts": 15116}
    ]
  }
]
```
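The request constraints described above (epoch or ISO 8601 times, a one-day maximum window, a threshold between 1 and 1000, an optional filter) and the response shape shown in the sample are worth checking client-side before and after the call. The following is an added example, not code from the Tetration documentation or the tetpyclient library: `build_topn_query` validates and assembles the request body, `parse_topn_response` flattens the `result` array into a ranked list, and `dominant_entries` flags any source that accounts for an outsized share of the top-N total. The limits and the sample response are taken from the text; `parse_time`, `dominant_entries` and the treatment of naive timestamps as UTC are assumptions of this example.

```python
"""Added example (not part of the Tetration OpenAPI documentation or the tetpyclient library):
build a TopN request that honours the documented limits, then flatten the response.
Assumed: the limits below restate the text (one-day window, threshold 1..1000); the
sample response is constructed to match the shape shown on the page."""
import json
from datetime import datetime, timedelta, timezone

MAX_THRESHOLD = 1000            # the API returns at most 1000 entries
MAX_WINDOW = timedelta(days=1)  # TopN queries may span at most one day


def parse_time(value):
    """Accept t0/t1 as epoch seconds or an ISO 8601 string and return an aware datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = str(value).strip()
    if text.endswith("Z"):                       # "Z" suffix -> explicit UTC offset
        text = text[:-1] + "+00:00"
    if len(text) >= 5 and text[-5] in "+-" and text[-4:].isdigit():
        text = text[:-2] + ":" + text[-2:]       # "-0700" -> "-07:00" for fromisoformat()
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:                    # naive timestamps are treated as UTC (assumption)
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def build_topn_query(t0, t1, dimension, metric, scope_name, threshold, flt=None):
    """Return the request body for POST /openapi/v1/flowsearch/topn, rejecting
    windows longer than one day and thresholds below 1; larger thresholds are
    clamped to 1000 because the API caps the result size there anyway."""
    start, end = parse_time(t0), parse_time(t1)
    if end <= start:
        raise ValueError("t1 must be later than t0")
    if end - start > MAX_WINDOW:
        raise ValueError("TopN allows a maximum time range of one day")
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    body = {
        "t0": t0,
        "t1": t1,
        "dimension": dimension,
        "metric": metric,
        "threshold": min(int(threshold), MAX_THRESHOLD),
        "scopeName": scope_name,
    }
    if flt:                                      # an absent or empty filter means "all flows"
        body["filter"] = flt
    return body


def parse_topn_response(raw, dimension, metric):
    """Flatten the response (a list holding {"result": [...]} objects) into
    (dimension value, metric value) tuples, highest metric first."""
    data = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    rows = [(entry[dimension], entry[metric])
            for chunk in data
            for entry in chunk.get("result", [])]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def dominant_entries(rows, fraction=0.5):
    """Return the entries whose metric exceeds `fraction` of the top-N total; a
    single source carrying most of the forwarded packets is worth a closer look."""
    total = sum(count for _, count in rows)
    return [(value, count) for value, count in rows if total and count / total > fraction]


# Constructed sample response, shaped like the one shown on the page
SAMPLE_RESPONSE = json.dumps([{"result": [
    {"src_address": "172.31.239.163", "fwd_pkts": 23104},
    {"src_address": "172.31.239.162", "fwd_pkts": 22410},
    {"src_address": "172.31.239.166", "fwd_pkts": 16185},
    {"src_address": "172.31.239.168", "fwd_pkts": 15197},
    {"src_address": "172.31.239.169", "fwd_pkts": 15116},
]}])

if __name__ == "__main__":
    # t0 as ISO 8601 and t1 as epoch, both accepted as the text states
    query = build_topn_query("2016-06-17T09:00:00-0700", 1466208000, "src_address",
                             "fwd_pkts", "Default", 5,
                             flt={"type": "eq", "field": "src_address", "value": "172.29.203.193"})
    print(json.dumps(query))
    ranked = parse_topn_response(SAMPLE_RESPONSE, "src_address", "fwd_pkts")
    for address, pkts in ranked:
        print(f"{address:>16} {pkts:>8}")
    print("dominant:", dominant_entries(ranked, 0.2))
```

The validation mirrors what the server enforces, but doing it before the call turns a rejected request into a local error with a clear message, and clamping the threshold makes the 1000-entry cap explicit rather than silent. The `dominant_entries` helper is one way to turn a top-talkers list into something actionable, such as a source that suddenly accounts for most of the forwarded packets in a scope.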