Using the REST API v2 dataexport Iterator Endpoints
The Netskope dataexport
endpoints, also called iterator endpoints, provide a simplified way of consuming tenant log information. This article describes the best practices for consumption of this data.
Netskope recommends leveraging existing clients for SIEM integration where possible through the use of the following solutions:
Netskope Cloud Exchange : Cloud Log Shipper Module https://docs.netskope.com/en/netskope-cloud-exchange.html
Netskope Splunk Technical Add-on https://apps.splunk.com/app/3808/
If the aforementioned clients are insufficient, Netskope also provides a python SDK.
Python SDK for dataexport endpoints https://pypi.org/project/netskopesdk/
How Do Iterator Endpoints Function
Through the use of an index, the Netskope platform tracks log consumption though a simplified operational workflow that replicates that often seen in web forums. When a consumer requests a page of data from the endpoint, Netskope delivers the requested data by writing an index as to the data provided. When the consumer has completed processing the requested page of data, the consumer simply requests the next page of data.
Each endpoint stores its own index value, which is provided by the consumer on query. This allows for easy parallelization of API calls across multiple endpoints concurrently.
Note
Multiple consumers leveraging the same endpoint and index concurrently is not supported and could result in the appearance of missing data on the consumer.
Iterator Query Structure
The endpoint query structure is very easy to construct.
https://<tenant>/api/v2/<endpoint>/?operation=<operation>&index=<index>
Supported Iterator Operations
epoch timestamp
: If an epoch timestamp is provided, this informs the Netskope endpoint to begin log consumption starting at this time.next
: The next operation value requests the next page of data from the Netskope endpoint.head
: The head operation value requests the first page of data stored within the Netskope endpoint.tail
: The tail operation value requests the most current page of data stored within the Netskope endpoint.resend
: If the consumer is unable to process the page of data provided, resend operation will issue a retry of the last page of data requested.
The epoch timestamp
, next
, head
, and tail
operations all update the Netskope stored index, where the resend
operation asks for the prior page without updating the index.
Iterator Index
The index value for the iterator is a string value supplied by the consumer that is used by Netskope to store the page values. This index should be unique by consumer to prevent data consumption challenges. The consumer may use the same index value across multiple endpoints without concern.
Page Size
Netskope Iterator endpoints deliver 10,000 record pages per API call.
Wait Time
Each iterator query will provide guidance in seconds how long to wait. This value is calculated based on the amount of data returned in your API call.
{ "ok": 1, "result": [ { } ], "wait_time": 5
Rate Limits
Netskope supports 4 requests per second per iterator endpoint. Using the response headers to manage rate limits to avoid 429 error messages is recommended.
RateLimit-Limit: Rate limits are applied by endpoint, and this value provides the number allowed per second
RateLimit-Remaining: The amount of queries supported before the interval resets before generating a 429 error message.
RateLimit-Reset: The time before the rate limits are reset, this value is in seconds.
HTTP/1.1 200 OK .... RateLimit-Limit: 4 RateLimit-Remaining: 1 RateLimit-Reset: 1 ...
If a Rate is exceeded, the headers will be extended, and the data payload will mention why the query returned a 429 error response.
Retry-After: This is the recommended wait time before retrying your query. This value is in seconds.
HTTP/1.1 429 Too Many Requests ... RateLimit-Remaining: 0 RateLimit-Reset: 1 Retry-After: 1 RateLimit-Limit: 4 ... { "message":"API rate limit exceeded" }
Example
Example of workflow using the iterator endpoint starting with the oldest record Netskope has.
Craft your query using the
operation=head
, and index value.https://<tenant>/api/v2/events/dataexport/events/alert?operation=head&index=demo
Review the
wait_time
attribute in the JSON response."wait_time": 5
Request the next page of data from the endpoint.
https://<tenant>/api/v2/events/dataexport/events/alert?operation=next&index=demo
Repeat steps 2 and 3.