sp-rest-api-tutorial.txt

#+OPTIONS: date:t H:3 ^:{} author:t email:nil num:t title:t makeindex:t
#+OPTIONS: toc:t
#+MACRO: NEWLINE @@latex:\\@@ @@html:<br>@@
#+MACRO: IMAGE @@latex:\\ \vspace{8cm} \hfill \usebox{\titleimage}@@
#+TITLE: Sightline REST API Cookbook {{{NEWLINE}}} Sightline v9.0 {{{NEWLINE}}} API v5
#+DATE: <2018-10-10 Wed>
#+AUTHOR: NETSCOUT|Arbor Networks
#+LATEX_CLASS: tufte-book
# #+LATEX_CLASS: memoir
#+LaTeX_CLASS_OPTIONS: [koma,utopia,12pt,symmetric,notoc]
#+LATEX_HEADER: \usepackage{xcolor}
#+LATEX_HEADER: \usepackage{minted}
#+LATEX_HEADER: \usepackage{makeidx}
#+LATEX_HEADER: \usepackage{grffile}
#+LATEX_HEADER: \setcounter{tocdepth}{1}
#+LATEX_HEADER: \makeindex
#+LATEX_HEADER: \newsavebox{\titleimage}
#+LATEX_HEADER: \savebox{\titleimage}{\includegraphics[height=7\baselineskip]{images/ArborLogo.png}}
#+BEGIN_COMMENT
To use the minted package, you should also add these lines to your
.emacs file:
 -------
(setq org-latex-minted-options '(
                                 ("frame" "lines")
                                 ("fontsize" "\\scriptsize")
                                 ("xleftmargin" "\\parindent")
                                 ("linenos" "")
                                 ("breaklines" "")
                                 ("breakafter" "+")
                                 ))
 -------
if that is untenable to you, comment out the \usepackage{minted} line
above and uncomment the following LATEX_HEADER lines to switch to the
listings package.
#+END_COMMENT
# #+LATEX_HEADER: \usepackage{listings}
# #+LATEX_HEADER: \lstset{
# #+LATEX_HEADER:     frame=single,
# #+LATEX_HEADER:     breaklines=true,
# #+LATEX_HEADER:     showstringspaces=false,
# #+LATEX_HEADER:     postbreak=\raisebox{0ex}[0ex][0ex]{\ensuremath{\color{red}\hookrightarrow\space}}
# #+LATEX_HEADER: }
#+LATEX: \renewcommand \plaintitle{Sightline REST API Cookbook, Sightline v9.0, API v5} % keep the image out of the headers
#+LATEX: \renewcommand{\ref}{\nameref}

* Introduction

  NETSCOUT Sightline (formerly Arbor Networks SP) is a very
  sophisticated piece of software that gives visibility into the
  network traffic on networks ranging up to those that are massively
  large; Sightline supports hundreds of configuration parameters for
  defining what exactly visibility means and the reported data from
  Sightline is very rich and very broad.  Almost no network operators
  who use Sightline make use of the entire range of its capabilities.

  The configuration of Sightline and the management of its data is
  done in two ways: the Sightline web-based UI and the web-based API
  interfaces to Sightline.  While Sightline (and SP before it) has had
  APIs for many versions, the versions starting with SP 8.1 have had a
  REST API as one of the options for configuration and data retrieval.

  This book describes how to programmatically configure Sightline and
  get data about your network from Sightline using a json:api-based
  REST API to Sightline.

  #+INDEX: REST
  #+INDEX: SOAP API
  REST is a common, HTTP-based protocol that defines web-based
  services that allow clients (sometimes called "requesting systems")
  to access and manipulate textual representations (in the case of
  Sightline, JSON representations) of Sightline configuration and
  reporting data (generically called "Web resources") using a uniform
  and predefined set of stateless, from the client's perspective,
  operations.  All of the state, configuration and data, is maintained
  within Sightline, not by the API client.  The API described here is
  the Sightline REST API.  Sightline has other APIs (SOAP and
  WebServices) that are documented in other Sightline documentation.
  The intent of the Sightline REST API is to, over time, include all
  of the functionality of the SOAP and WebServices API, at which point
  those will be deprecated.

  #+INDEX: jsonapi
  The Sightline REST API uses a particular API-focused JavaScript
  Object Notation (JSON) format to represent its data.  JSON is a
  textual representation of data in collections (Python calls these
  dictionaries, C calls them structures, Go calls them maps, Ruby and
  Perl call them hashes) and lists (Python and Perl also calls them
  lists, Go calls them slices, C and Ruby call them arrays).  The
  elements in collections and lists are other collections, other
  lists, Boolean values, numeric values, or string values as described
  by the JSON specification (http://www.json.org/).  The particular
  JSON representation that the Sightline REST API adheres to is called
  json:api (http://jsonapi.org/); the rules and guidelines described
  in Version 1.0 of the json:api specification are implemented for the
  Sightline REST API.

  The Sightline REST API is under development.  Each release of Arbor
  Networks SP or Sightline after SP version 8.0 includes a REST API
  that has more features than the prior release.  Arbor Networks
  expects that the REST API will not be complete for several years,
  but incremental steps will be included in each version of Sightline.
  This book describes Version 5 of the API that is included in
  Sightline 9.0.  (The versioning mechanism is described in more
  detail in the section [[Guiding Principles of the Sightline REST API]].)

  This book is intended for the Sightline administrator or advanced
  user who has some programming or shell scripting experience and who
  wants to automate network management or reporting tasks, or combine
  Sightline data with other sources of data for reporting,
  configuration, or decision making.


** Conventions Used in this Book

   Things in a fixed-width font are either input or output, for the
   most part.

   See the section [[Reporting Errors to Arbor]] for advice on how to
   provide feedback.

   This is a collaborative document, feedback, additions, edits,
   changes, modifications, etc. are all greatly appreciated.  Please
   see the section [[Contributing and other technical details]] for advice
   on ways to contribute.

   The examples that were written for a version of Sightline and its
   REST API will report their version in both their =meta= object and
   in the URLs; those examples are not generally reproduced for the
   latest version, but also should continue to work even on the latest
   version (as well as on the prior version of the API in newer
   versions of Sightline.  Put another way, if you see an example that
   uses a URL with a specific =/v[VersionNumber]/= in it or example
   output that includes a =meta= object like
   #+BEGIN_EXAMPLE
     "meta": {
         "api": "SP",
         "api_version": "3",
         "sp_build_id": "HGRD",
         "sp_version": "8.3"
     }
   #+END_EXAMPLE
   you can, in probably all cases, use the latest version of Sightline
   and the REST API safely.  Alternatively, you can use the latest
   version of Sightline and the specified version of the REST
   API.[fn:8]

** Sightline APIs

   #+INDEX: SOAP API
   NETSCOUT Sightline has three officially supported types of APIs:
   the SOAP API, the WebServices API, and the REST API.

   The SOAP and WebServices API are documented in the online Sightline
   documentation and in the API software development kit available
   from the Sightline web UI at the Administration > Download Arbor
   API SDK menu item.

   Arbor Networks has decided to focus on the REST API (the topic of
   this book) for its future development with the goal of encompassing
   the functionality of the other APIs, the Sightline command-line
   interface, and all of the functionality provided by the web-based
   UI that is the most familiar to Sightline users.

   As you develop clients for Sightline's APIs, keep in mind that the
   REST API is the officially preferred API for Sightline.  However,
   in this version (and, likely, several upcoming versions), the REST
   API does not provide all of the functionality of the SOAP and
   WebServices APIs.  Arbor recommends using the REST API where you
   can in your clients, and augmenting it with API requests to the
   other APIs, replacing those requests as the REST API gains
   functionality.

** Guiding Principles of the Sightline REST API

   As Arbor Networks develops the REST API, we abide by some standards
   and principles that you can rely on as you you create API clients.
*** JSON API
    #+INDEX: jsonapi
    The first of these guidelines is that the structure of the JSON
    that is used for input and output from the API follows the JSON
    API specification ([[http://jsonapi.org/]]).  While you don't need to
    understand the specification to use the Sightline REST API, it may
    help answer some questions about why things are the way they are
    in the API, and how Arbor is likely to handle future additions to
    the API.
*** Useful Errors for Humans and Computers
    #+INDEX: errors
    The second guideline is that the Sightline REST API should provide
    you with useful error messages that can be interpreted by both a
    human and a computer program.  Arbor makes use of a combination of
    HTTP response codes as described in Section 10 of RFC 2616
    (https://www.ietf.org/rfc/rfc2616.txt) and error objects that
    contain some or all of an error title string, an error detail
    string, an HTTP status code string, and a pointer to the error in
    the input.  An example error object that resulted from the REST
    client requesting a nonexistent endpoint is:
    #+NAME: errorExample
    #+CAPTION: Error Example
    #+BEGIN_SRC json
      {
          "detail": "Resource https://leader.example.com/api/sp/asdf could not be found.",
          "meta": {
              "api": "SP",
              "api_version": "2",
              "sp_build_id": "HGRD",
              "sp_version": "8.3"
          },
          "status": "404",
          "title": "Missing resource error."
      }
    #+END_SRC
    This error object contains the error detail, status code, and
    title along with the standard ="meta"= section which gives
    information about the API itself.  Error objects are further
    described in the JSON API specification in the /Errors/ section
    (http://jsonapi.org/format/#errors).

*** Backward compatibility
    Another guideline is that the REST API will maintain
    backward-compatibility as it increases in version.  The version
    for the API is a combination of the Sightline version and the API
    version number; in the example above the API version would be
    reported as "SP v8.3, API v2".  It is possible that there will be
    an API v2 for SP v8.2.3 that is different from the API v2 for SP
    v8.3.  NETSCOUT|Arbor will retain at least one prior version of
    the API in each version of SP so if you have written clients that
    use v3 of the API in SP v8.4 and upgrade to Sightline v9.0 that
    defaults API v4, you can still access API v3 in Sightline v9.0
    with your clients while you work to migrate them to the latest
    version.  API version increases will happen when Arbor Networks
    introduces a change in the API that could potentially break
    existing clients; this includes things like changing the name of
    an API key, changing the type of an API value, or removing an API
    endpoint.  Adding keys and endpoints is not considered breaking,
    as well-written API clients should ignore extra data returned to
    them.
*** Discoverability
    #+INDEX: HATEOAS
    #+INDEX: Fielding, Roy
    Arbor Networks makes every effort to ensure the Sightline REST API
    is fully discoverable from the root URL, =/api/sp/=.  Starting
    there, every response you receive may contain an object called
    =relationships= that will lead you to the related objects.  There
    are no detached nodes of the API tree.  This is called Hypermedia
    as the Engine of Application State (HATEOAS) and is defined[fn:1]
    by Roy T. Fielding (the inventor of REST) as:
    #+BEGIN_QUOTE
    A REST API should be entered with no prior knowledge beyond the
    initial URI (bookmark) and set of standardized media types that
    are appropriate for the intended audience (i.e., expected to be
    understood by any client that might use the API). From that point
    on, all application state transitions must be driven by client
    selection of server-provided choices that are present in the
    received representations or implied by the user’s manipulation of
    those representations. The transitions may be determined (or
    limited by) the client’s knowledge of media types and resource
    communication mechanisms, both of which may be improved on-the-fly
    (e.g., code-on-demand).
    #+END_QUOTE
    In the case of the Sightline REST API, the "initial URI" is
    https://sightline-leader.example.com/api/sp/ and following that
    the elements in the =links= objects provide connectivity to the
    rest of the API.

** Online Reference Manual

   The Sightline REST API includes a reference manual for each
   endpoint with a description of each key in that endpoint; there are
   very few examples of using the API in the reference manual (hence
   this book), but all of the endpoints and their properties are
   listed for all of the versions of the API supported on the
   installed version of Sightline.

   In addition, changes between versions are in the Deprecation Policy
   section of the reference manual.

   This book will often make reference to the online reference manual;
   having access to that manual will be helpful as you develop
   clients.  The online reference manual is available from the Arbor
   Sightline UI by selecting the "REST API Documentation" from the
   "Administration" menu.  A PDF copy of this is available from your
   local engineer or from the Arbor Technical Assistance Center.

* Set-up
** Permissions, Access Tokens, and SSL Certificates

*** Access Tokens
    #+INDEX: token
    Sightline REST API tokens are created from the Sightline command
    line interface with the command:
    #+BEGIN_SRC sh
    / services aaa local apitoken generate admin "comment"
    #+END_SRC
    where =admin= is the username of the administrative user and
    ="comment"= is a useful comment for you.  Arbor recommends the
    local name of the user and the date the token is created, for
    example:
    #+BEGIN_SRC sh
    / services aaa local apitoken generate admin "fred@example.com 2017-07-01"
    #+END_SRC

    You can list the tokens that have been created with the command:
    #+BEGIN_SRC sh :exports code
    / services aaa local apitoken show
    #+END_SRC
    which will result in a list of API tokens and their associated
    comments, something like this:
    #+LATEX: \scriptsize
    #+BEGIN_EXAMPLE
      admin:
       wz8SmDeJRSkz_0kNbdSajSQ_Jk82EVOqRU6CPU_O  susy@example.com - 2017-06-01
       YK3va5ATpXdmTWwfgzZPBckrj7zue205CzjLBtK5  fred@example.com - 2017-07-01
    #+END_EXAMPLE
    #+LATEX: \normalsize

    To remove the token =YK3va5ATpXdmTWwfgzZPBckrj7zue205CzjLBtK5= type
    the command:
    #+BEGIN_SRC sh :exports code
    / services aaa local apitoken remove YK3va5ATpXdmTWwfgzZPBckrj7zue205CzjLBtK5
    #+END_SRC
*** SSL Certificates
    #+INDEX: ssl
    All Sightline REST API requests should use the secure HTTP
    transport (=https=).  This will ensure that your API key and the
    contents of requests and responses are encrypted.  In addition,
    Sightline will attempt to redirect unencrypted HTTP requests to
    the encrypted port, but that can affect the use of the POST and
    PATCH options.

    Sightline comes with its own SSL certificate, and your
    organization may also add their own; to verify that your
    communications are secure, you will need a copy of that
    certificate.  The person who maintains your Sightline deployment
    should be able to provide that to you; if you have shell access to
    the Sightline leader, the file containing the certificates is at
    =/etc/ca-bundle.crt=.  Copying that file to your API client's
    environment will allow you to refer to it.  In the examples in
    this book that file is referred to at =certfile= in most places.
** Useful Tools

   When working with REST APIs there are several common actions that
   you will take: getting data from the API, processing retrieved
   data, and sending data to the API.  There are many free programs
   that can help you do this in an interactive way.  This can be
   useful during development of more complicated programs, for quick
   API queries that don't require a whole program, for use in a shell
   script, or for interactively working the Sightline REST API.

   Examples later in this book will make use of at least some of these
   tools.

*** Any web browser

    The Sightline API is available via any web browser by simply going
    to a URL of the form
    =https//sightline-leader.example.com/api/sp/=; this will present a
    nicely formatted web page showing the request and the results.
    It's not as convenient as other tools (cURL or HTTPie, see the
    following section) for actions other than GET, but as a quick test
    of an API request, it can be very handy.  An example of how it
    looks is in Figure [[fig:api-results-web-browser]].
     #+CAPTION: The Sightline REST API can be accessed using a web browser
     #+CAPTION: and the query and results are displayed nicely.
     #+NAME:    fig:api-results-web-browser
     [[./images/api-results-web-browser.png]]

*** cURL
    #+INDEX: curl!command line
    cURL is a classic program (dating back to 1997) for accessing HTTP
    services from the command line.  It is open source and available
    for free from the main cURL website http://curl.haxx.se or via
    package managers for your platform.  cURL is available for 34
    different operating systems, so should work in almost all
    scenarios.  There are more modern and feature-rich tools for
    accessing REST APIs (or other HTTP services), but cURL is nearly
    ubiquitous.
**** Getting data with cURL

     An example of using cURL to get data from Sightline via the
     Sightline REST API is:
     #+BEGIN_SRC sh :exports code
     curl --cacert certfile --ssl -X GET -H "Content-Type:application/vnd.api+json" -H "X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O" https://leader.example.com/api/sp/
     #+END_SRC

     In order of appearance, the options used in the =curl= command
     above are:
      - =--cacert certfile= tells =curl= to use the SSL certificate
        called =certfile= (more on this later)
      - =--ssl= tells =curl= to use Secure Sockets Layer (SSL) for its
        connection
      - =-X GET= tells =curl= to issue an HTTP =GET= command (more on
        this later, too)
      - =-H "Content-Type:application/vnd.api+json"= sends the HTTP
        header =Content-Type= set to the value of
        =application/vnd.api+json=.  Other than the endpoints at
        =/insight/=, all of the Sightline API uses this content type
      - =-H
        "X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O"=
        sends the HTTP header =X-Arbux-APIToken= set to the value of
        the API key that was set via the Sightline command line
      - =https://leader.example.com/api/sp/= which is the URL
        (hostname and endpoint) that is requested.  In this case, it is
        the index endpoint for the API.

     The output of this particular command is the index of the
     Sightline REST API represented as a JSON object (defined by the
     outer-most curly braces) with two JSON objects in it, =meta= and
     =links=.

     Successful requests for data from the Sightline REST API will
     return the requested data along with the HTTP status code =200
     OK=.

     #+BEGIN_COMMENT
     #+BEGIN_QUOTE
     A brief aside:

     The =meta= object tells you a little about the version of
     Sightline and the API on the Sightline leader you are connecting
     to.  This is most useful when writing clients that need to work
     with more than one version of Sightline and when submitting
     questions to the Arbor Technical Assistance Center (ATAC).  The
     =links= object contains a map between the endpoint type (for
     example, =alert=) and the URL where that data is accessible in
     this version (in the case of =alert=, that is
     =https://leader.example.com/api/sp/v3/alerts/=).
     #+INDEX: /alerts/ endpoint
     You should try to write your clients using this mapping; the key
     names will not change, but the URLs may and if your program uses
     the key names, this won't affect you as you upgrade Sightline.
     #+END_QUOTE
     #+END_COMMENT
**** Sending data with cURL

     An example of using cURL to send data to Sightline via the
     Sightline REST API is:
     #+INDEX: /alerts/ endpoint
     #+INDEX: /alerts/ endpoint!annotations
     #+BEGIN_SRC sh :results output :exports code
       curl --cacert certfile --ssl -X POST -H "Content-Type:application/vnd.api+json" -H "X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O" -d @input.json https://leader.example.com/api/sp/alerts/12519/annotations/
     #+END_SRC

     In order of appearance, the options used in the =curl= command
     above are:
      - =--cacert certfile= tells =curl= to use the SSL certificate
        called =certfile= (more on this later)
      - =--ssl= tells =curl= to use Secure Sockets Layer (SSL) for its
        connection
      - =-X POST= tells =curl= to issue an HTTP =POST= command (more
        on this later, too)
      - =-H "Content-Type:application/vnd.api+json"= sends the HTTP
        header =Content-Type= set to the value of
        =application/vnd.api+json=.  Other than the endpoints at
        =/insight/=, all of the Sightline API uses this content type
      - =-H
        "X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O"=
        sends the HTTP header =X-Arbux-APIToken= set to the value of
        the API key that was set via the Sightline command line
      - =-d @input.json= tells cURL that the data to be sent can be
        found in the file named =input.json=
      - =https://leader.example.com/api/sp/alerts/12519/annotations/=
        #+INDEX: /alerts/ endpoint!annotations
        which is the URL (hostname and endpoint) to which the data
        will be sent.  In this case, it is an alert annotation for the
        alert with id 12519.

     Although this will be discussed in more depth later in this book,
     the format of the data for an alert annotation (in this example,
     the contents of the file =input.json=) is:
     #+BEGIN_SRC json
       {
           "data": {
               "attributes": {
                   "author": "The name of the author",
                   "text": "The text of the annotation"
               }
           }
       }
     #+END_SRC

     Using the HTTP verb =PATCH= to change data is very similar to how
     the =POST= verb is used.

     Successful API =POST= and =PATCH= requests will return all of the
     data for the object that was created or modified along with
     either a =200 OK= or =201 Created= status code.

**** Deleting data with cURL

     An example of using cURL to delete data from Sightline via the
     Sightline REST API is:
     #+INDEX: /routers/ endpoint
     #+BEGIN_SRC sh :results output :exports code
       curl --cacert certfile --ssl -X DELETE -H "Content-Type:application/vnd.api+json" -H "X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O" https://leader.example.com/api/sp/routers/132
     #+END_SRC

     In order of appearance, the options used in the =curl= command
     above are:
      - =--cacert certfile= tells =curl= to use the SSL certificate
        called =certfile= (more on this later)
      - =--ssl= tells =curl= to use Secure Sockets Layer (SSL) for its
        connection
      - =-X DELETE= tells =curl= to issue an HTTP =DELETE= command
        (more on this later, too)
      - =-H "Content-Type:application/vnd.api+json"= sends the HTTP
        header =Content-Type= set to the value of
        =application/vnd.api+json=.  Other than the endpoints at
        =/insight/=, all of the Sightline API uses this content type
      - =-H
        "X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O"=
        sends the HTTP header =X-Arbux-APIToken= set to the value of
        the API key that was set via the Sightline command line
      - =https://leader.example.com/api/sp/routers/132= which is the
        #+INDEX: /routers/ endpoint
        URL (hostname and endpoint) that identifies what resource in
        Sightline will be deleted.  In this case, it is the router
        with id 132.

     API delete requests do not return any data, since the Sightline
     object you were acting on is now gone.  The HTTP status code that
     will be returned for successfully deletions is =204 No Content=.

*** HTTPie
    #+INDEX: httpie
    HTTPie is a Python program that is much newer than cURL (although
    has still seen a lot of development; the initial commit to Github
    was on 25 February 2012) and has some conveniences that cURL
    doesn't.  The biggest convenience, in my opinion, is the ability
    to save configuration data for a host, and select which host
    configuration to use when the the command is run.

    HTTPie is open source and available for free from
    https://httpie.org/ or via package managers for your platform.
    HTTPie is based on Python, so is available for any platform that
    supports Python.  There are installation instructions for MacOS,
    Linux, and Windows at https://httpie.org/doc#installation.

    Among the Arbor Networks engineers, HTTPie is widely used.

**** Configuring HTTPie

     There is much more information on the configuration of HTTPie in
     its online documentation, but the two things that might be useful
     are setting the defaults and creating some sessions.

     HTTPie's configuration is kept in a simple JSON-formatted file
     called =config.json= (see
     https://httpie.org/doc#config-file-location for more); a good
     start for configuration is:
     #+BEGIN_SRC json
       {
           "__meta__": {
               "about": "HTTPie configuration file",
               "help": "https://github.com/jkbrzt/httpie#config",
               "httpie": "0.9.4"
           },
           "default_options": [
               "--verify=/path/to/a/ssl/certfile",
               "--session=sightline-leader.my.example.com",
               "--timeout=60",
               "--follow"
           ]
       }
     #+END_SRC
     The ="__meta__"= section comes with HTTPie, and the default
     options set:
      - the path to a SSL certificate file bundle
      - the default connection information (what HTTPie calls a
        session)
      - a useful timeout value of 60 seconds
      - the option to follow HTTP redirects

     Once you have created =config.json= you can add some information
     to the saved session by typing all of the information once on the
     command line.  The information the Sightline REST API needs is
     the =Content-Type= and =X-Arbux-APIToken= headers; this is
     entered by typing:
     #+BEGIN_SRC sh :results output :exports code
     http https://sightline-leader.example.com/api/sp X-Arbux-APIToken:wz8SmD3JRSKz_0kNbdSejSQ_Jk92EVOqRU6CPU_O Content-Type:application/vnd.api+json
     #+END_SRC
     (replacing, of course, the hostname and API token in that example
     with your own hostname and API token).  After you do that once,
     you can then type:
     #+BEGIN_SRC sh :results output :exports code
     http https://sightline-leader.my.comany.com/api/sp
     #+END_SRC
     and the configuration will read the data from the saved file.
     Save session information is in the =.httpie/sessions/= directory
     and are JSON files in directories named after the host.

**** Getting data with HTTPie

     Replicating the cURL example from earlier, getting the Sightline
     REST API index using HTTPie, after following the configuration
     steps, is done using the command:
     #+BEGIN_SRC sh :results output :exports code
     http GET https://sightline-leader.example.com/api/sp/
     #+END_SRC

     When HTTPie detects that is is writing to the terminal, it will
     include additional information that might look about like:
     #+BEGIN_VERSE
       HTTP/1.1 200 OK
       Connection: Keep-Alive
       Content-Length: 1593
       Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
       Content-Type: application/vnd.api+json
       Date: Tue, 01 Aug 2017 00:55:31 GMT
       Keep-Alive: timeout=15, max=10000
       P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR TAIa OUR NOR UNI"
       Server: Apache
       Strict-Transport-Security: max-age=1261440000
       Via: 1.1 127.0.0.1
       X-Frame-Options: SAMEORIGIN
     #+END_VERSE
     when HTTPie thinks it is directing its output somewhere else, it
     will not print this information; if you want to override HTTPie's
     decisions about this, there are command-line options to do so.

**** Sending data with HTTPie

     An example of using HTTPie to send the same data to Sightline we
     sent via the Sightline REST API is using cURL earlier is (see
     =input.json= in the cURL example of sending data to Sightline):
     #+BEGIN_SRC sh :results output :exports code
     cat input.json | http POST http https://sightline-leader.example.com/api/sp/alerts/12519/annotations/
     #+END_SRC

     The two differences between getting and sending data to Sightline
     via the REST API using HTTPie are:
      - using the =POST= verb instead of the =GET= verb before the URL
      - the data you want to send to Sightline via the REST API is in
        the same format as in the cURL example, but it is piped into
        the =http= command

     To make changes to Sightline via the REST API, you can use the
     =PATCH= verb to HTTPie instead of =POST=.  There will be more
     examples of this later.

**** Deleting data with HTTPie

     Repeating the example of deleting data from the cURL section, the
     syntax for using HTTPie to delete data from Sightline via the
     Sightline REST API is:
     #+BEGIN_SRC sh :results output :exports code
       http DELETE https://sightline-leader.example.com/api/sp/routers/132
     #+END_SRC

     The Sightline REST API will return the HTTP status code =204 No Content=
     and HTTPie will print this if you aren't piping or redirecting
     the output somewhere else.

*** Postman
    #+INDEX: postman
    Postman is an application that provides a graphical user interface
    for working with REST APIs.  It is free to use the basic version,
    with the versions more suitable for development enterprises
    costing money.  Postman is available from
    https://www.getpostman.com/ for MacOS, Linux, and Windows.  It is
    also available in the Chrome App Store as a plug-in for the Google
    Chrome web browser[fn:2].

    Among the Arbor Networks engineers, Postman is widely used.

**** Configuring Postman

     If you are installing the Postman client there are three
     configuration settings you need to make before using it with the
     Sightline REST API; adding the certificate bundle and adding the
     =Content-Type= and =X-Arbux-APIToken= headers.  If you are using
     the Postman Chrome app, you don't need to add the certificates;
     Postman will use those in your browser, but you may still have to
     add them to your browser.

     To add the Sightline certificate bundle to the Postman
     application, select the wrench icon in the upper right part of
     the Postman window and choose Settings from the menu.  In the
     resulting window, choose the Certificates option from the top row
     of options, then click Add Certificate. In the Host text entry
     field, type =*.mydomain.com= (replacing =mydomain.com= with the
     domain where your Sightline leader is), and in the CRT File text
     entry field type the path to the certificate bundle for your
     Sightline environment.  It should look something like what is
     shown in Figure [[fig:postman-cert-config]].
     #+CAPTION: The Postman certificate configuration window should
     #+CAPTION: look similar to this, with your information filled in;
     #+CAPTION: if you are using the Chrome app, you won't see the
     #+CAPTION: Certificates option in the top row; Postman will use
     #+CAPTION: your browser's certificates.
     #+NAME:    fig:postman-cert-config
     [[./images/postman-cert-config.png]]

     For both the application and Chrome app you will need to set the
     =Content-Type= and =X-Arbux-APIToken= headers.  This is done in
     the Headers section that is immediately below the URL entry field
     (after making a request, there will be another Headers section
     for the response).  You simply type in each key and the values
     for them.  For all of the Sightline REST API endpoints /except/
     those under =/insight/= you must set =Content-Type= to
     =application/vnd+api.json=; for the endpoints under =/insight/=
     you must set =Content-Type= to =application/json=.

**** Getting data with Postman

     Following the cURL and HTTPie examples, to get the Sightline REST
     API index using Postman you make sure that =GET= is selected to
     the left of the text entry box that says "Enter request URL",
     then enter the URL for the index endpoint
     (=https://sightline-leader.example.com/api/sp/=) and press the Send
     button. The results (the body, cookies, and headers) will appear
     in the bottom pane.  It will look something like what is shown in
     Figure [[fig:postman-GET-index]].
     #+CAPTION: Retrieving data from the Sightline REST API using Postman
     #+CAPTION: is done by setting the two headers shown, entering
     #+CAPTION: a URL, and pressing the Send button.  The data
     #+CAPTION: retrieved is displayed in the lower pane.
     #+NAME:    fig:postman-GET-index
     [[./images/postman-GET-index.png]]

**** Sending data with Postman

     Once again using the same =input.json= file from earlier, we will
     set an annotation on an alert, this time using Postman.

     The steps in Postman to get ready to send date are:
      - change the HTTP verb to the left of the URL from =GET= to
        =POST=
      - enter the URL to which you are sending the data in the text
        entry box that says "Enter request URL"
      - select Body from the items below the URL
      - select raw from the items above the text entry box
      - select JSON from the dropdown to the right of type selections
      - enter the JSON body you are sending in the text box.

     Having done all of those steps, you should have something that
     looks like Figure [[fig:postman-POST-annotation]].
     #+CAPTION: Sending data to Sightline using the REST API and Postman
     #+CAPTION: is done by setting the HTTP verb to POST, filling
     #+CAPTION: in the URL, selecting the Body option, then the raw
     #+CAPTION: option and the JSON type, and filling in the JSON
     #+CAPTION: body.  Once that is complete, press the Send button.
     #+NAME:    fig:postman-POST-annotation
     [[./images/postman-POST-annotation.png]]

     After sending the body with the correct settings, the results
     will appear in the bottom text area in Postman.

**** Deleting data with Postman

     Repeating the example of deleting data from the cURL and HTTPie
     sections, the method for using Postman to delete data from
     Sightline via the Sightline REST API is to enter the URL for the
     object you want to delete, change the HTTP verb to Delete, and
     press the Send button.

     The Sightline REST API will return the HTTP status code =204 No
     Content= and no body content.

     After a successful DELETE operation you should have something
     that looks like Figure [[fig:postman-DELETE-router]].
     #+CAPTION: Deleting data from Sightline using the REST API and Postman
     #+CAPTION: is done by selecting the =DELETE= HTTP verb from the
     #+CAPTION: menu, entering the URL of the item to be deleted and
     #+CAPTION: pressing Send.  There will be no content in returned
     #+CAPTION: but on the right side just above the (empty) returned
     #+CAPTION: data box the status will read =204 NO CONTENT=.
     #+NAME:    fig:postman-DELETE-router
     [[./images/postman-DELETE-router.png]]

*** =jq=
    #+INDEX: jq
    =jq= is a JSON parsing and manipulation tool in the spirit of
    what =sed=[fn:3] and =awk=[fn:4] are for text.

    =jq= is free and open-source; it is available at
    https://stedolan.github.io/jq/ for MacOS, Linux, and Windows or
    via package managers for your platform.  The C source code and
    build instructions are available at https://github.com/stedolan/jq
    for other platforms.

    =jq= is very powerful, but complicated.  It can be used to extract
    subsets of data from JSON input, search for keys or values in JSON
    data and only print the objects that match the search criteria,
    select and recast data from JSON input into different JSON
    output.  The complete manual is available at the =jq= website, but
    we will provide a few examples of using =jq= with the JSON from
    the Sightline REST API.

**** Extracting only names, descriptions, and ids of routers into a new JSON format

     The HTTPie command to get the router information from Sightline
     using the REST API is:
     #+BEGIN_SRC sh :results output :exports code
     http https://leader.example.com/api/sp/routers/
     #+END_SRC
     but on a system with 12 routers this results in 503 lines of JSON
     output.  If all you need is the id, name, and description of each
     router, that is a lot of information to deal with.

     Using =jq= we can extract the 36 pieces of data that we need.

     Looking at the original output from the =/routers/= endpoint, we
     need to make note of two things: the information we want is in a
     list of objects in the ="data"= object; the fields we want are at
     the top level of each data object (="id"=) and in the
     ="attributes"= sub-object for each data object.

     The first thing we can do is have =jq= print each object in the
     ="data"= list by giving it the filter =.data[]= which means "from
     the top level (=.=) print every element =[]= in the ="data"=
     array".  In practice this looks like:
     #+BEGIN_SRC sh :results output :exports code
       http https://leader.example.com/api/sp/routers/ | jq '.data[]'
     #+END_SRC
     The =jq= filter is in single-quotes to prevent the square
     brackets from being interpreted by the shell.

     =jq= uses periods to denote the JSON hierarchy (that's why
     =.data= starts with a period, it is the root of the JSON tree),
     the pipe (=|=) character to chain together its filters, and
     commas to group elements together for selection.

     So the next thing we can do is extract one element from the JSON
     output of the Sightline REST API by adding it to the =.data[]=
     filter.  To get the names of the routers we can add
     =.attributes.name= (remember, ="name"= is in the ="attributes"=
     subobject of data.  On the command line this looks like:
     #+BEGIN_SRC sh :results output :exports code
       http https://leader.example.com/api/sp/routers/ | jq '.data[].attributes.name'
     #+END_SRC
     This will print a list of the names of all of the routers
     configured in Sightline.  This is part of our original goal, but
     we still also want the id and description of the routers.

     To select more than one element, =jq= supports sending each list
     item over which it is iterating to a group of elements for
     selection.  To get the router id and description along with the
     name, we can type:
     #+BEGIN_SRC sh :results output :exports code
       http https://leader.example.com/api/sp/routers/ | jq '.data[] | .id,.attributes.name,.attributes.description'
     #+END_SRC
     This will then print a list that is something like:
     #+LATEX: \scriptsize
     #+BEGIN_EXAMPLE
       "121"
       "rtr1.nyc"
       "a router in New York"
       "122"
       "rtr2.chi"
       "a router in Chicago"
       "123"
       "rtr3.lax"
       "a router in Los Angeles"
       "124"
       "pigeon.net"
       "See RFC 1149"
     #+END_EXAMPLE
     #+LATEX: \normalsize
     where the order of the elements is the same order as they were
     requested in the filter.  But this isn't very easy to read, and
     is not very useful as input to computer programs.  =jq= can do
     better.

     To make JSON-compliant output that is easy to read and easy for
     another computer program to ingest, =jq= needs to know how things
     should be grouped.
     #+BEGIN_SRC sh :results output :exports code
     http https://leader.example.com/api/sp/routers/ | jq '{"routers": [.data[] | {id:.id,name:.attributes.name,description:.attributes.description}]}'
     #+END_SRC
     will print a list that looks something like:
     #+BEGIN_SRC json
       {
           "routers": [
               {
                   "id": "121",
                   "name": "rtr1.nyc",
                   "description": "a router in New York"
               },
               {
                   "id": "122",
                   "name": "rtr2.chi",
                   "description": "a router in Chicago"
               },
               {
                   "id": "123",
                   "name": "rtr3.lax",
                   "description": "a router in Los Angeles"
               },
               {
                   "id": "124",
                   "name": "pigeon.net",
                   "description": "See RFC 1149"
               }
           ]
       }
     #+END_SRC

     While this example is for four routers, with the original example
     of 12 routers we have gone from 503 lines of JSON output to 64
     lines, removing the 87% of the data we didn't need using one
     filter in =jq=.

**** Extracting alerts that have a severity percentage above 200

     =jq= can also look for certain properties of objects and print
     only the objects that have those properties.

     For example, a typical alert from the Sightline REST API looks
     like:
     #+BEGIN_SRC json
       {
           "data": {
               "attributes": {
                   "alert_class": "dos",
                   "alert_type": "dos_host_detection",
                   "classification": "Possible Attack",
                   "importance": 2,
                   "ongoing": true,
                   "start_time": "2017-08-01T19:44:45+00:00",
                   "subobject": {
                       "fast_detected": false,
                       "host_address": "192.168.12.203",
                       "impact_boundary": "rtr1.nyc",
                       "impact_bps": 8251040,
                       "impact_pps": 3010,
                       "ip_version": 4,
                       "misuse_types": [
                           "icmp",
                           "total",
                           "dns",
                           "udp"
                       ],
                       "severity_percent": 153,
                       "severity_threshold": 1000,
                       "severity_unit": "bps",
                       "summary_url": "/page?id=profile_summary&gid=154"
                   }
               },
               "id": "799318",
               "links": {
                   "self": "https://leader.example.com/api/sp/v3/alerts/799318"
               },
               "relationships": {
                   "annotations": {
                       "data": [
                           {
                               "id": "1492098",
                               "type": "alert_annotation"
                           },
                           {
                               "id": "1492097",
                               "type": "alert_annotation"
                           },
                           {
                               "id": "1492096",
                               "type": "alert_annotation"
                           },
                           {
                               "id": "1492095",
                               "type": "alert_annotation"
                           },
                           {
                               "id": "1492094",
                               "type": "alert_annotation"
                           },
                           {
                               "id": "1492093",
                               "type": "alert_annotation"
                           }
                       ],
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/alerts/799318/annotations/"
                       }
                   },
                   "device": {
                       "data": {
                           "id": "115",
                           "type": "device"
                       },
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/devices/115"
                       }
                   },
                   "managed_object": {
                       "data": {
                           "id": "154",
                           "type": "managed_object"
                       },
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/managed_objects/154"
                       }
                   },
                   "packet_size_distribution": {
                       "data": {
                           "id": "packet-size-distribution-799318",
                           "type": "alert_packet_size_distribution"
                       },
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/alerts/799318/packet_size_distribution"
                       }
                   },
                   "patterns": {
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/alerts/799318/patterns/"
                       }
                   },
                   "router_traffic": {
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/alerts/799318/router_traffic/"
                       }
                   },
                   "traffic": {
                       "data": {
                           "id": "alert-traffic-799318",
                           "type": "alert_traffic"
                       },
                       "links": {
                           "related": "https://leader.example.com/api/sp/v3/alerts/799318/traffic"
                       }
                   }
               },
               "type": "alert"
           },
           "links": {
               "self": "https://leader.example.com/api/sp/v3/alerts/799318"
           },
           "meta": {
               "api": "SP",
               "api_version": "2",
               "sp_build_id": "HHAB",
               "sp_version": "8.3"
           }
       }
     #+END_SRC
     which is a lot of information to parse; using =jq= you can filter
     the data after the API returns it to you (there is some filtering
     available via the API that happens on the Sightline side before
     returning data to you, but it is limited; this will be discussed
     later).

     If you want only the alerts out of the most recent 50 that have
     severity percents (in =jq= path representation,
     =.data[].attributes.subobject.severity_percent= greater than 200,
     =jq= can select those alerts.

     The first step is the same as it was in the previous example, get
     each object out of the data list:
     #+BEGIN_SRC sh :results output :exports code
     http https://leader.example.com/api/sp/alerts/ | jq '.data[]'
     #+END_SRC

     The second step is to make the selection using =jq='s pipe
     functionality and put the results into a list by adding square
     brackets around the whole statement:
     #+BEGIN_SRC sh :results output :exports code
     http https://leader.example.com/api/sp/alerts/ | jq '[.data[] | select(.attributes.subobject.severity_percent>200)]'
     #+END_SRC

     To verify that this is returning only alerts with a severity
     percent greater than 200 we can add =|
     .[].attributes.subobject.severity_percent= to the query
     #+BEGIN_SRC sh :results output :exports both
     http GET https://leader.example.com/api/sp/alerts/ | jq '[.data[] | select(.attributes.subobject.severity_percent>200)] | .[].attributes.subobject.severity_percent'
     #+END_SRC

     #+RESULTS:
     : 301
     : 374
     : 262
     : 342
     : 374
     : 402
     : 342
     : 443
     : 373

     These are only two examples of what =jq= can help you with when
     you are faced with a lot of JSON data, the manual and some
     experimentation will be very useful in using =jq= in your
     particular environment.

** The Python Environment
   #+INDEX: python
   Most of the examples in this book will be in the Python
   (http://www.python.org) programming language---it is an
   easy-to-read language even if you aren't familiar with it; Python
   is available for nearly every operating system; and it includes
   nearly everything you need ("The Python source distribution has
   long maintained the philosophy of "batteries included" -- having a
   rich and versatile standard library which is immediately available,
   without making the user download separate packages. This gives the
   Python language a head start in many projects.").

   A standard Python installation includes everything you need to
   access the Sightline REST API and process data from it---an HTTP
   library (=httplib=) and a JSON library (=json=).  However, the
   =httplib= documentation (at
   https://docs.python.org/2/library/httplib.html) says "The Requests
   package is recommended for a higher-level HTTP client interface."

   The examples in this book will make significant use of the Requests
   library; you will be able to follow along with nearly all of the
   examples using only that additional library.  If we use other
   libraries (for example, for accessing databases, creating web
   pages, etc.) we will go into more depth about those at the time.

*** The =requests= library
    #+INDEX: python!requests
    The Python Requests library documentation at
    https://requests.readthedocs.io/ purports:
    #+BEGIN_QUOTE
    Requests is the only Non-GMO HTTP library for Python, safe for
    human consumption.
    #+END_QUOTE
    and warns:
    #+BEGIN_QUOTE
    Recreational use of the Python standard library for HTTP may
    result in dangerous side-effects, including: security
    vulnerabilities, verbose code, reinventing the wheel, constantly
    reading documentation, depression, headaches, or even death.
    #+END_QUOTE

    Installation instructions for the =requests= library are at the
    =readthedocs= site at
    https://requests.readthedocs.io/en/master/user/install/, but
    mostly comprise =pip install requests=.  (And if you haven't got
    =pip=, see
    http://docs.python-guide.org/en/latest/starting/installation/ for
    installing it and a few other useful things).

    Once you think you have the =requests= library installed, a simple
    test is to follow the steps in this example (=%= is a Mac or Linux
    shell prompt, and =>>>= is the interactive Python prompt):
    #+LATEX: \scriptsize
    #+BEGIN_EXAMPLE
      % python
      Python 2.7 (blah blah blah)
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import requests
      >>> rg = requests.get("http://www.google.com")
      >>> rg
      >>> <Response [200]>
      >>> rg.headers
      >>> {'Content-Length': '4740', 'X-XSS-Protection': '1; mode=block',
          'Content-Encoding': 'gzip', 'Set-Cookie':
          'NID=110=BXSpW6kxChyqif9p3Q0yFhL75QRsh0-C3vjFY_uTwpS-ANLlJsTjpC_9LypwgClOwL36COwCH6oAIBPfgcP-vZ4mwhpSqwM_UuG0pOpEGfDMDSKEtpK0mdHDaIqsEjR7;
          expires=Sat, 24-Feb-2018 05:12:11 GMT; path=/;
          domain=.google.co.nz; HttpOnly', 'Expires': '-1', 'Server': 'gws',
          'Cache-Control': 'private, max-age=0', 'Date': 'Fri, 25 Aug 2017
          05:12:11 GMT', 'P3P': 'CP="This is not a P3P policy! See
          https://www.google.com/support/accounts/answer/151657?hl=en for
          more info."', 'Content-Type': 'text/html; charset=ISO-8859-1',
          'X-Frame-Options': 'SAMEORIGIN'}
    #+END_EXAMPLE
    #+LATEX: \normalsize
    If you get an error after you type =import requests= you haven't
    installed requests correctly, and may want to consult a local
    expert for help. If you get a response other than =<Response
    [200]>= after typing the =requests.get= line, you may not have
    access to either http://www.google.com or to the Internet, both of
    which would be a little odd, frankly, but that's where you should
    start looking.

** Summary

   At this point, you should be able to access your Sightline Leader's
   REST API using at least one of =curl=, =httpie=, or =postman=.  You
   might also be able to extract some sort of useful information using
   the =jq= tool.

   You should be able to make a simple HTTP request using Python and
   the Requests library.

   The rest of this book will be examples of using these tools (and
   some examples in other programming languages) demonstrating how to
   do things with the Sightline REST API that will hopefully be a
   useful starting point for your own uses of the API.

* Reports

  The chapter describes how to produce reports from the data available
  from the Sightline REST API.  This certainly isn't an exhaustive
  list of reports you can produce, and the most interesting reports
  will be those you create by combining data from Sightline with data
  from other sources.

  The difference between a report program and either configuration or
  operational programs is that a report program only fetches data from
  Sightline, it doesn't not change the state of Sightline in any way
  (in programmatic terms, the only HTTP verb used in these examples is
  =GET=).

** Example: Time between an Alert and a Mitigation
   #+INDEX: /alerts/ endpoint
   #+INDEX: /mitigations/ endpoint
   Arbor Networks Sightline can alert you to various kinds of network
   attacks by monitoring the network traffic across hundreds of
   routers and looking for anomalous behavior.  In combination with
   Arbor Networks TMS applicances, these attacks can be mitigated by
   directing the odd traffic through a TMS for inspection and, if
   needed, cleaning.

   Sightline and TMS support mitigating the anomalous traffic
   manually, where a network operator notices the alert, applies some
   other metrics to it, and then either decides to direct that traffic
   to a TMS or not.  Monitoring the time between an alert and the
   manual mitigation can be useful.  In addition, Sightline and TMS
   support automatic mitigation of traffic that generates an alert.
   Monitoring the time between the alert and the automatic mitigation
   can also be useful.

   The steps to look at this are:
    - establish a time period over which you want to produce this
      report
    - collect the mitigations that were started in that time frame
      using the REST API
    - extract from the mitigation information the related alerts
    - collect the alert information about those specific alerts using
      the REST API
    - for the group of manually started mitigations, collect the
      difference in start times for each mitigation
    - do the same for the group of automatically started mitigations

   Python supports command-line options very gracefully using the
   included =argparse= library
   (https://docs.python.org/2.7/library/argparse.html) but, for the
   purpose of this example, we will simply hard-code what would
   normally be options.

   #+INCLUDE: code-examples/alert-to-mitigation-time.py src python
   #+CAPTION: code-examples/alert-to-mitigation-time.py

   #+LATEX: \tiny
   #+begin_example
   The time range for the report is
                    from: Tue Aug 29 10:45:05 2017
                      to: Tue Sep 12 10:45:05 2017
   Out of 27 mitigations on leader.example.com, 24 have associated alerts
        Mit. Started By | Mit. Type  | Secs to Mit | Alert Ids
   -------------------- | ---------- | ----------- | ------------------
                  admin | tms        |       211.0 | 71
                        |            |       213.0 | 72
                        |            |       372.0 | 77
                        |            |       481.0 | 65
                        |            |       488.0 | 66
                        |            |       497.0 | 67
                        |            |       504.0 | 68
                        |            |       551.0 | 1913
                        |            |       558.0 | 1912
                        |            |       740.0 | 75
                        |            |       744.0 | 388
                        |            |       819.0 | 387
                        |            |       843.0 | 1910
                        |            |      1255.0 | 1909
                        |            |      1338.0 | 38
                        |            |      1354.0 | 37
                        |            |      1363.0 | 36
                        |            |      1373.0 | 35
                        |            |      2527.0 | 381
                        |            |      4366.0 | 1865
                        |            |     25051.0 | 294
                        |            |     25058.0 | 295
                        |            |     25065.0 | 292
                        |            |     25072.0 | 293
   #+end_example
   #+LATEX: \normalsize

** Example: The Collector with the most system alerts
   #+INDEX: /alerts/ endpoint
   #+INDEX: /devices/ endpoint
   When operating an Arbor Sightline/TMS deployment, looking at system
   errors can helpful in diagnosing performance problems.  The
   following Python program will gather a list of alerts in the alert
   class "system" and group them by appliance, then print them sorted
   by the number of alerts for each appliance.

   #+INCLUDE: code-examples/ragu-python-collector-sys-alerts-ex.py src python

   The output from this is a list of Sightline appliances with the
   most system alerts, that looks something like:

   #+LATEX: \tiny
   #+BEGIN_EXAMPLE
     ==== System Alert Count ===== Device Name ======== Device Type ======== IP Address =========
          79                       my-leader            pi                   192.168.3.14
          42                       my-tra1              cp                   192.168.3.15
          19                       my-tra2              cp                   192.168.3.16
          14                       my-tms               tms                  192.168.3.17
          7                        my-backupleader      pi                   192.168.26.32
   #+END_EXAMPLE
   #+LATEX: \normalsize
** Example: Plotting Alert Data
   #+INDEX: plot
   #+INDEX: png
   #+INDEX: SOAP API
   #+INDEX: matplotlib
   #+INDEX: /alerts/ endpoint!router traffic
   #+INDEX: python!arrow
   The SOAP API can give you PNG files that you can use in your
   reports.  The REST API does not do that, but you can make your own
   using Python and the additional library =matplotlib=[fn:5].  This example
   also introduces the =arrow= Python package[fn:6], which makes it easier
   to deal with dates and time; it claims to offer "a sensible,
   human-friendly approach to creating, manipulating, formatting and
   converting dates, times, and timestamps" and, in this author's
   opinion, it delivers on that.

   The steps to look at this are:
    - choose an alert for which the traffic across the router is
      interesting
    - get the =router_traffic= data from the API buy replacing the =X=
      in this URL fragment with the alert ID you are interested in:
      - =/api/sp/alerts/X/router_traffic/=
    - extract from the alert information the time-series data for
      router traffic
    - turn the data into a time-series that =matplotlib= can consume
      and write out a file for each router involved

   This Python program demonstrates reading alert data and using
   =matplotlib= to make a plot of that data.  The plot it creates
   using the sample data monitored by Sightline is in Figure
   [[fig:alert-data-plot]].
   #+CAPTION: The SOAP API to Sightline can produce PNG files containing plots
   #+CAPTION: of alert traffic data.  The REST API does not offer that
   #+CAPTION: exact functionality, but creating plots using Python and
   #+CAPTION: the =matplotlib= library isn't too difficult and offers
   #+CAPTION: many more output format and styling options for the
   #+CAPTION: plots.
   #+NAME:    fig:alert-data-plot
   [[./images/alert-data-plot.png]]

   #+INCLUDE: code-examples/ragu-python-png-output.py src python
** Example: Alert Details Comparison Summary                       :noexport:
   - top_N example
   - clustering
   - some really vague hand-wavey thing that looks at all of the
     things in the =/alert/<alert_id>/traffic= endpoint and does a
     thing with them
** Example: Using Alert Details to create radar plots of alert characteristics
   #+INDEX: /alerts/ endpoint
   #+INDEX: plot!radar
   #+INDEX: matplotlib
   #+INDEX: pandas

   As of SP8.4 APIv4 the =/alerts/= endpoint has the option of
   including all of the information that Sightline collects about
   alerts.  If you are familiar with the Sightline/SP UI, this is the
   data that is used to create the graphs and tables shown on the
   alert summary, traffic details, routers, and annotation tabs of the
   alert page.

   The =/alerts/= endpoint includes relationships to information about
   the alert; the ="relationships"= object in the alert includes:
   #+BEGIN_SRC json
     {
         "relationships": {
             "packet_size_distribution": {
                 "data": {
                     "id": "packet-size-distribution-<alert_id>",
                     "type": "alert_packet_size_distribution"
                 },
                 "links": {
                     "related": "https://sightline-leader.example.com/api/sp/v4/alerts/<alert_id>/packet_size_distribution"
                 }
             },
             "patterns": {
                 "links": {
                     "related": "https://sightline-leader.example.com/api/sp/v4/alerts/<alert_id>/patterns/"
                 }
             },
             "router_traffic": {
                 "links": {
                     "related": "https://sightline-leader.example.com/api/sp/v4/alerts/<alert_id>/router_traffic/"
                 }
             },
             "source_ip_addresses": {
                 "data": {
                     "id": "source-ip-addresses-<alert_id>",
                     "type": "alert_source_ip_addresses"
                 },
                 "links": {
                     "related": "https://sightline-leader.example.com/api/sp/v4/alerts/<alert_id>/source_ip_addresses"
                 }
             },
             "thresholds": {
                 "links": {
                     "related": "https://sightline-leader.example.com/api/sp/v4/alerts/<alert_id>/misuse_types_thresholds/"
                 }
             },
             "traffic": {
                 "data": {
                     "id": "alert-traffic-<alert_id>",
                     "type": "alert_traffic"
                 },
                 "links": {
                     "related": "https://sightline-leader.example.com/api/sp/v4/alerts/<alert_id>/traffic"
                 }
             }
         }
     }
   #+END_SRC
   each of those relationships can be referenced in turn but, to
   minimize the number of HTTP requests required, the =/alerts/=
   endpoint (among other endpoints; see the online API documentation)
   also supports the =include= URL query parameter to include related
   data in the first request to the API.  To use the =include= URL
   query parameter append ~?include=rel_1,rel_2,rel_3~ to the API URL,
   where each =rel_N= parameter is the name of the relationship (for
   example, =source_ip_addresses=, =thresholds=, and =traffic=).  The
   results of that API request will include a new list called
   =included= that is objects that comprise the =attributes= and
   =relationships= objects for each included element.  This list has a
   format similar to:
   #+BEGIN_SRC json
     {
         "included": [
             {
                 "relationships": {
                     "router": {
                         "data": {
                             "type": "router",
                             "id": "<router_id>"
                         },
                         "links": {
                             "related": "<link_to_router>"
                         }
                     },
                     "parent": {
                         "data": {
                             "type": "alert",
                             "id": "<alert_id>"
                         },
                         "links": {
                             "related": "<alert_id_url>"
                         }
                     }
                 },
                 "attributes": {
                     "content": "<alert_pattern_data>"
                 },
                 "type": "alert_patterns",
                 "id": "<alert_id>-router:<router_id+cidr_port",
                 "links": {
                     "self": "<self_link>"
                 }
             },
             {
                     "router": {
                         "data": {
                             "type": "router",
                             "id": "<router_id>"
                         },
                         "links": {
                             "related": "<link_to_router>"
                         }
                     },
                     "parent": {
                         "data": {
                             "type": "alert",
                             "id": "<alert_id>"
                         },
                         "links": {
                             "related": "<alert_id_url>"
                         }
                     }
                 "type": "alert_patterns",
                 "id": "<alert_id>-router:<router_id+cidr_port",
                 "links": {
                     "self": "<self_link>"
                 }
             }
         ]
     }
   #+END_SRC

   For the alert endpoint, this additional data available via the API
   can allow for different representations of alerts, and this example
   gathers some of this data and creates radar or spider plots out of
   that data, displaying 12 alerts on one page for quick visual
   analysis of them.  It is easy to pick out the alerts that are
   similar to each other, or those that are unique among the 12.

   #+CAPTION: An example of using radar plots for comparing
   #+CAPTION: characteristics of alerts; the alert characteristics
   #+CAPTION: selected for this display are =impact_bps=,
   #+CAPTION: =impact_pps=, =severity_percent=, =misuse_types=,
   #+CAPTION: and =source_ips=.  The program that makes these
   #+CAPTION: can be easily modified to show other alert details
   #+CAPTION: in this format.
   [[file:images/cookbook-radar.png]]

   The Python program to make these plots makes use of a few extra
   Python packages:
     - matplotlib.pyplot
     - pandas
   both of these can be install using =easy_install= or =pip=.  For
   more information, they each have their own websites:
     - https://matplotlib.org/
     - http://pandas.pydata.org/

   #+INCLUDE: code-examples/radarplots.py src python

** Example: Attacks Grouped by CIDR Block
   #+INDEX: /alerts/ endpoint
   #+INDEX: cidrs
   #+INDEX: python!ipaddress
   #+INDEX: paging!recursion

   NETSCOUT|Arbor Sightline accumulates and stores a lot of data about
   network traffic and distributed denial of service (DDoS) attacks
   and presents this data in ways that have proven useful to network
   engineers and network security analysts.  That data can be used in
   many other ways by extracting it via the REST API and applying
   information specific to your needs.

   This example simply takes IP addresses from the alert data,
   aggregates them into CIDR blocks of a configurable size, and prints
   a simple report.  It uses the =ipaddress=[fn:9] Python library and
   is written for Python2; =ipaddress= is included with Python3, so
   this program is easily adapted for Python3.

   When run, this program recursively calls its function
   =get_attacked_addresses= to step through the pages of data from the
   =/alerts/= endpoint until the last item in the list of alerts on
   the current page is outside of the specified date rang, then puts
   those addresses into IPv4 or IPv6 CIDR blocks and counts them,
   finally printing a simple report.  All of that looks like this:
   #+BEGIN_EXAMPLE
     paging to page 2; # addresses so far: 0
     paging to page 3; # addresses so far: 35
     paging to page 4; # addresses so far: 72
     paging to page 5; # addresses so far: 100
     paging to page 6; # addresses so far: 108
     paging to page 7; # addresses so far: 126
     # addresses found between 2018-05-23T12:00:00+00:00 and 2018-05-23T23:00:00+00:00: 126
     --------------------------+----------
                        Subnet | # Attacks
     --------------------------+----------
                 10.100.2.0/24 |        1
                 149.39.0.0/24 |        6
                149.81.12.0/24 |       11
                151.107.2.0/24 |        5
              216.175.102.0/24 |       18
            3ffe:1:14:20::/116 |       60
               70.107.137.0/24 |       10
                85.94.160.0/24 |       15
   #+END_EXAMPLE

   #+INCLUDE: code-examples/attacked-cidrs.py src python

** Example: Filtering Mitigations by Alert ID
   #+INDEX: /mitigations/ endpoint
   #+INDEX: paging!recursion
   #+INDEX: relationships
   #+INDEX: alerts

   Sightline and SP up through version 9.0 does not offer a way to
   filter mitigations based on alert IDs.  However, this is often a
   useful thing to do.

   While we wait for filtering functionality to be added to Sightline
   natively, there is a brute-force method of doing this that pages
   through all of the running mitigations on the deployment and looks
   for the relationship to the alert you are searching for.

   The following Python program demonstrates paging through the
   mitigations on a deployment and checking for a specified alert in
   the relationship object.  It also demonstrates the use of
   =argparse= for command line arguments.

   The output from this program is the JSON directly from the API for
   each mitigation.

   #+INCLUDE: code-examples/mit-filter-by-alert.py src python


** Example: Differences in output between accounts with different authorization
   #+INDEX: /alerts/ endpoint
   #+INDEX: authorization
   #+INDEX: token

   As of SP 8.4 and API version 4, the REST API supports some amount
   of authorization based on the account used in the generation of the
   API token.  For example, if you have an MSSP user called
   =mssp_user= you can create an API token for them with the CLI
   command:
   #+BEGIN_SRC sh
   services aaa local apitoken generate mssp_user "mssp user - 26May2018"
   #+END_SRC
   note that the user name occurs right after the =generate= part of
   the command.

   After generating an API token for the =mssp_user= account, you also
   need create a capability group that has the =sp_restapi= token
   enabled.  This cannot be done with the =ms_user= (the default
   non-administrative capability group for managed services accounts)
   capability group because it is immutable, but that group can be
   duplicated using the =Copy= link in the UI, and the =sp_restapi=
   token can be enabled in the new capability group.  After that, you
   can add that as the user capability group to the account group that
   is associated with the =mssp_user= account.

   Not all of the endpoints are available to users without
   administrative access (tokens created with the user =admin=), and
   if an endpoint isn't available, your API client will receive the
   HTTP status =404 NOT FOUND=; this was intentionally chosen instead
   of =401 UNAUTHORIZED= or =403 FORBIDDEN= in order not to disclose
   parts of the API to unauthorized clients.

   To demonstrate the difference between accessing the same endpoint
   with different levels of authorization, this Python program makes
   the same request to the =/alerts/= endpoint but with different
   tokens, an =admin= token and a token for an MSSP user:

   #+INCLUDE: code-examples/authorization-example.py src python

   the output of this on a test system is:
   #+BEGIN_EXAMPLE
     Getting alerts for the admin account
     52458      collector_down
     52457      collector_down
     52456      dos_profiled_router
     52455      dos_profiled_router
     52454      collector_down
     52453      collector_down
     52452      collector_down
     52451      collector_down
     52450      collector_down
     52449      collector_down
     52448      collector_down
     52447      collector_down
     52446      collector_down
     52445      collector_down
     52444      collector_down
     Getting alerts for the mssp_user account
     52414      dos_host_detection      IP Fragmentation, Total Traffic, UDP
     52405      dos_host_detection      TCP SYN, Total Traffic
     52404      dos_host_detection      TCP SYN, Total Traffic
     52401      dos_host_detection      TCP SYN, Total Traffic
     52400      dos_host_detection      TCP SYN, Total Traffic
     52313      dos_host_detection      TCP SYN, Total Traffic
     52312      dos_host_detection      TCP SYN, Total Traffic
     52309      dos_host_detection      TCP SYN, Total Traffic
     52308      dos_host_detection      TCP SYN, Total Traffic
     52220      dos_host_detection      TCP SYN, Total Traffic
     52219      dos_host_detection      TCP SYN, Total Traffic
     52216      dos_host_detection      TCP SYN, Total Traffic
     52215      dos_host_detection      TCP SYN, Total Traffic
     52203      dos_host_detection      IP Fragmentation, Total Traffic, UDP
     52127      dos_host_detection      TCP SYN, Total Traffic
   #+END_EXAMPLE

   The system alerts are only available to the administrative account,
   and the MSSP user account only sees the  =dos_host_detection=
   alerts for the managed objects it is scoped to.

   Because subobjects of the results of endpoints are not yet scoped,
   if any part of the results from an endpoint are restricted from
   view by a non-administrative user, the entirety of the results of
   the endpoint are not displayed, and instead a =404 NOT FOUND= HTTP
   status code is returned.  This behavior extends to use of the
   =?include= query parameter; if your API query requests the
   inclusion of data from an endpoint it is not authorized to access,
   the entire query will result in a =404 NOT FOUND= HTTP status code
   and no data will be returned.

   This is documented in more detail at
   https://sightline-leader.example.com/api/sp/doc/v4/endpoints.html#authorization.

** Using the Sightline REST API to write a client that supports caching (or Why the Sub-Object JSON is so Deeply Nested)
   #+INDEX: /alerts/ endpoint
   #+INDEX: /alerts/ endpoint!sub-objects
   #+INDEX: cache
   #+INDEX: caching
   #+INDEX: design

   The Sightline REST API is written so that its output for objects
   that have multiple sub-endpoints or whose output is affected by URL
   parameters can be combined without having to restructure the data
   that you already have or the new data that was just returned.  This
   is useful when your client needs to cache data or wants to create
   data sets by assembling the relevant data from API sub-endpoints or
   different URL parameters.  We aren't going to provide a full
   example of a caching client in this section, but we will describe
   how this could be done using the Sightline REST API and you will
   see how the data from the sub-endpoints or different URL parameters
   fits into the JSON object that comes from the top-level endpoint.

   The general idea is that the Sightline REST API can return data
   that is different based on URL parameters and can return partial
   data if the =?include= parameter isn't used or if not all of the
   sub-endpoint relationships are retrieved.  The data returned in
   either of those cases can be added to the initial data returned by
   the =/alerts/<alert_id>= endpoint without the need to restructure
   the data from either API call.

   The ease of combining data simplfies the process of making an API
   client that caches data for improved client responsiveness.  The
   logic flow is shown in the flowchart below.
   #+NAME: cachingflow
   #+BEGIN_SRC ditaa :file ./images/cachingflow.png :exports results

     +---------------+
     |               |
     |   End User    |<--+-+
     |               |   | |
     +-------+-------+   | |
             |           | |
             |           | |
          Request      Response
             |           | |
             v           | |
     +---------------+   | |
     |               |   | |
     |   API Client  |   | |
     |    Program    |   | |
     |               |   | |
     +---------------+   | |
             |           | |
             |           | |
             |           | |
      Has the requested  | |
         record been     | |
     recently retrieved? | |
             |           | |
             +--Yes------+ |
             |             |
             |             |
            No             |
             |             |
             v             |
     +---------------+     |
     |               |     |
     | Make an API   |     |
     | request and   +-----+
     | add the data  |
     | the cache     |
     |               |
     +---------------+
   #+END_SRC

   #+CAPTION: The high-level data flow for a caching client is illustrated
   #+CAPTION: in this flow chart, which shows how the cache would be
   #+CAPTION: updated by a client so the data can be returned to the client
   #+CAPTION: without making an API call for data that hasn't changed.
   #+CAPTION: Keeping track of the age of items in the cache so the client
   #+CAPTION: doesn't get old data and the cache can be updated is not
   #+CAPTION: illustrated here.
   #+attr_html: :width 150px
   #+attr_latex: :width 150px
   #+NAME: fig:cachingflow
   #+RESULTS: cachingflow
   [[file:./images/cachingflow.png]]

*** Combining data that changes based on URL parameters

    In SP 8.4 Arbor Networks introduced time-series data relating to
    alerts.  One of these time-series data sets is in the =/alerts/=
    endpoint, for example requesting
    =api/sp/alerts/<alert_id>/traffic/dest_prefixes/= will report the
    traffic rates for given prefixes, a simplified representation is:
    #+BEGIN_SRC json
      {
        "data": [
            "attributes": {
              "view": {
                "network": {
                  "unit": {
                    "bps": {
                      "name": "149.81.12.203/32",
                      "pct95_value": 5495466,
                      "avg_value": 3747293,
                      "max_value": 5497066,
                      "timeseries_start": "2018-07-30T18:08:15+00:00",
                      "step": 60,
                      "timeseries": [
                        0,
                        279466,
                        "[...]",
                        5142133
                      ],
                      "current_value": 5142133
                    }
                  }
                }
              }
            },
            "type": "alert_traffic_dest_prefixes",
            "id": "<alert_id>-dest_prefixes-149.81.12.203/32"
          }
        ],
        "links": {
          "self": "https://sightline-leader.example.com/api/sp/v5/alerts/<alert_id>/traffic/dest_prefixes/"
        }
      }
    #+END_SRC
    requesting the same data with the query parameter
    ~?query_unit=bps~ the results are similar, except the key below
    ="unit":= has changed:
    #+BEGIN_SRC json
      {
          "data": [
              {
                  "attributes": {
                      "view": {
                          "network": {
                              "unit": {
                                  "pps": {
                                      "name": "149.81.12.203/32",
                                      "pct95_value": 1803,
                                      "avg_value": 1265,
                                      "max_value": 1806,
                                      "timeseries_start": "2018-07-30T18:08:15+00:00",
                                      "step": 60,
                                      "timeseries": [
                                          0,
                                          100,
                                          "[...]",
                                          100
                                      ],
                                      "current_value": 100
                                  }
                              }
                          }
                      }
                  },
                  "type": "alert_traffic_dest_prefixes",
                  "id": "<alert_id>-dest_prefixes-149.81.12.203/32"
              }
          ],
          "links": {
              "self": "https://sightline-leader.example.com/api/sp/v5/alerts/<alert_id>/traffic/dest_prefixes/?query_unit=pps&query_view=network"
          }
      }
    #+END_SRC

    The two sets of results can be easily combined into:
    #+BEGIN_SRC json
      {
          "data": [
              {
                  "attributes": {
                      "view": {
                          "network": {
                              "unit": {
                                  "bps": {
                                      "name": "149.81.12.203/32",
                                      "pct95_value": 5495466,
                                      "avg_value": 3747293,
                                      "max_value": 5497066,
                                      "timeseries_start": "2018-07-30T18:08:15+00:00",
                                      "step": 60,
                                      "timeseries": [
                                          0,
                                          279466,
                                          "[...]",
                                          5142133
                                      ],
                                      "current_value": 5142133
                                  },
                                  "pps": {
                                      "name": "149.81.12.203/32",
                                      "pct95_value": 1803,
                                      "avg_value": 1265,
                                      "max_value": 1806,
                                      "timeseries_start": "2018-07-30T18:08:15+00:00",
                                      "step": 60,
                                      "timeseries": [
                                          0,
                                          100,
                                          "[...]",
                                          100
                                      ],
                                      "current_value": 100
                                  }
                              }
                          }
                      }
                  },
                  "type": "alert_traffic_dest_prefixes",
                  "id": "<alert_id>-dest_prefixes-149.81.12.203/32"
              }
          ]
      }
    #+END_SRC

    For an API end user who is using the API client to show views
    based on bits-per-second (=bps=) and packets-per-second (=pps=),
    the client has only to check for the keys =bps= and =pps= in the
    =unit= object; once these are retrieved from the API server once,
    the are useful to the client either forever (if the alert has
    ended) or for some acceptable amount of time (if the alert is
    ongoing).

*** Combining data from sub-endpoints
    In SP 8.4 the endpoint that has the most sub-endpoints is the
    =/alerts/= endpoint, so we will use that as the example.  Starting
    with the alert having ID 172784 (and trimming out some of the
    response in the interest of space) the API request response for
    that alert is
    #+BEGIN_SRC json
      {
        "data": {
          "attributes": {
            "alert_class": "dos",
            "alert_type": "dos_profiled_router",
            "ongoing": false,
            "start_time": "2018-07-04T01:04:00+00:00",
            "stop_time": "2018-07-04T01:28:36+00:00",
            "subobject": {
              "direction": "Outgoing",
              "fast_detected": false,
              "impact_bps": 6376742,
              "impact_pps": 1883,
              "ip_version": 4,
              "protocols": [],
              "severity_percent": 127.53,
              "severity_threshold": 5000000.0,
              "severity_unit": "bps"
            }
          },
          "id": "172784",
          "relationships": {
            "packet_size_distribution": {
              "data": {
                "id": "packet-size-distribution-172784",
                "type": "alert_packet_size_distribution"
              },
              "links": {
                "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/packet_size_distribution"
              }
            },
            "patterns": {
              "links": {
                "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/patterns/"
              }
            },
            "router_traffic": {
              "links": {
                "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/router_traffic/"
              }
            },
            "source_ip_addresses": {
              "data": {
                "id": "source-ip-addresses-172784",
                "type": "alert_source_ip_addresses"
              },
              "links": {
                "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/source_ip_addresses"
              }
            },
            "thresholds": {
              "links": {
                "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/interface_traffic_thresholds/"
              }
            },
            "traffic": {
              "data": {
                "id": "alert-traffic-172784",
                "type": "alert_traffic"
              },
              "links": {
                "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/traffic"
              }
            }
          },
          "type": "alert"
        }
      }
    #+END_SRC

    The relationships shown in that output are all sub-objects of the
    =/alerts/172784= object.  Taking =source_ip_addresses= as an
    example, the API response for that object (again, with some data
    trimmed) looks like
    #+BEGIN_SRC json
      {
          "data": {
              "attributes": {
                  "source_ips": [
                      "130.182.0.0",
                      "130.182.0.1",
                      "130.182.0.2",
                      "130.182.0.3",
                      "130.182.0.4",
                      "130.182.0.5",
                      "130.182.0.6",
                      "130.182.0.7",
                      "130.182.0.8",
                      "130.182.0.9"
                  ]
              },
              "id": "source-ip-addresses-172784",
              "links": {
                  "self": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/source_ip_addresses"
              },
              "relationships": {
                  "parent": {
                      "data": {
                          "id": "172784",
                          "type": "alert"
                      },
                      "links": {
                          "related": "https://sightline-leader.example.com/api/sp/v5/alerts/172784"
                      }
                  }
              },
              "type": "alert_source_ip_addresses"
          }
      }
    #+END_SRC

    A more complicated example is one of the sub-endpoints that has
    more than one object, =router_traffic= (which has been greatly
    simplified so it can be seen):
    #+BEGIN_SRC json
      {
          "data": [
              {
                  "attributes": {
                      "view": {
                          "router-245": {
                              "unit": {
                                  "bps": {
                                      "avg_value": 4386058,
                                      "current_value": 815626,
                                      "max_value": 6244499,
                                      "pct95_value": 6019565,
                                      "severity": 2,
                                      "step": 60,
                                      "timeseries": [
                                          5853386,
                                          5842086,
                                          6244499,
                                          5878551,
                                          5842066,
                                          5849164
                                      ],
                                      "timeseries_start": "2018-07-04T01:03:15+00:00"
                                  }
                              }
                          }
                      }
                  },
                  "id": "172784-245",
                  "links": {
                      "self": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/router_traffic/172784-245?query_unit=bps"
                  },
                  "type": "alert_router_traffic"
              },
              {
                  "attributes": {
                      "view": {
                          "router-246": {
                              "unit": {
                                  "bps": {
                                      "avg_value": 4363147,
                                      "current_value": 874213,
                                      "max_value": 6290026,
                                      "pct95_value": 6178240,
                                      "severity": 2,
                                      "step": 60,
                                      "timeseries": [
                                          5948880,
                                          5504565,
                                          5907508,
                                          5786937,
                                          6061942,
                                          5686562
                                      ],
                                      "timeseries_start": "2018-07-04T01:03:15+00:00"
                                  }
                              }
                          }
                      }
                  },
                  "id": "172784-246",
                  "links": {
                      "self": "https://sightline-leader.example.com/api/sp/v5/alerts/172784/router_traffic/172784-246?query_unit=bps"
                  },
                  "type": "alert_router_traffic"
              }
          ]
      }
    #+END_SRC

    Given those three pieces of data, the client starts by retrieving
    the alert information, but none of the related information.  As the
    user of the client requests more details, they can be added to the
    data structure for the original alert and referenced after that.
    The pseudo-code for this looks like
    #+BEGIN_SRC python
      if 'user_requested_key' is not in results['alert_id'] then:
              make_api_request_for['user_requested_key']for['alert_id']
      endif

      return results['alert_id']['user_requested_key']
    #+END_SRC
    which means the first request for any particular data in a
    sub-endpoint will be slightly slower as the API request is made,
    but any subsequent request will already be in memory.  Of course,
    you could add information about how old the data is and refresh the
    data using API calls if it is older than your threshold.

    Using the example results data from above we can use pseudo-code
    that looks like this (and only handles one level of depth)
    #+BEGIN_SRC python
      for key in results_from_source_ip_addresses['data']['attributes']:
          do:
              results['data']['attributes']['key'] =
                  results_from_source_ip_addresses['data']['attributes']
    #+END_SRC
    to populate the original alert data results.  This then looks like
    (with the =relationships= links removed for brevity) this
    #+BEGIN_SRC json
      {
          "data": {
              "attributes": {
                  "alert_class": "dos",
                  "alert_type": "dos_profiled_router",
                  "ongoing": false,
                  "start_time": "2018-07-04T01:04:00+00:00",
                  "stop_time": "2018-07-04T01:28:36+00:00",
                  "subobject": {
                      "direction": "Outgoing",
                      "fast_detected": false,
                      "impact_bps": 6376742,
                      "impact_pps": 1883,
                      "ip_version": 4,
                      "protocols": [],
                      "severity_percent": 127.53,
                      "severity_threshold": 5000000.0,
                      "severity_unit": "bps"
                  },
                  "source_ips": [
                      "130.182.0.0",
                      "130.182.0.1",
                      "130.182.0.2",
                      "130.182.0.3",
                      "130.182.0.4",
                      "130.182.0.5",
                      "130.182.0.6",
                      "130.182.0.7",
                      "130.182.0.8",
                      "130.182.0.9"
                  ]
              },
              "id": "172784",
              "type": "alert"
          }
      }
    #+END_SRC
    allowing for code that can handle more levels of depth than the
    pseudo-code above, the data from the =router_traffic= endpoint
    integrates into the alert data to result in
    #+BEGIN_SRC json
      {
          "data": {
              "attributes": {
                  "alert_class": "dos",
                  "alert_type": "dos_profiled_router",
                  "ongoing": false,
                  "start_time": "2018-07-04T01:04:00+00:00",
                  "stop_time": "2018-07-04T01:28:36+00:00",
                  "subobject": {
                      "direction": "Outgoing",
                      "fast_detected": false,
                      "impact_bps": 6376742,
                      "impact_pps": 1883,
                      "ip_version": 4,
                      "protocols": [],
                      "severity_percent": 127.53,
                      "severity_threshold": 5000000.0,
                      "severity_unit": "bps"
                  },
                  "source_ips": [
                      "130.182.0.0",
                      "130.182.0.1",
                      "130.182.0.2",
                      "130.182.0.3",
                      "130.182.0.4",
                      "130.182.0.5",
                      "130.182.0.6",
                      "130.182.0.7",
                      "130.182.0.8",
                      "130.182.0.9"
                  ],
                  "view": {
                      "router-245": {
                          "unit": {
                              "bps": {
                                  "avg_value": 4386058,
                                  "current_value": 815626,
                                  "max_value": 6244499,
                                  "pct95_value": 6019565,
                                  "severity": 2,
                                  "step": 60,
                                  "timeseries": [
                                      5853386,
                                      5842086,
                                      6244499,
                                      5878551,
                                      5842066,
                                      5849164
                                  ],
                                  "timeseries_start": "2018-07-04T01:03:15+00:00"
                              }
                          }
                      },
                      "router-246": {
                          "unit": {
                              "bps": {
                                  "avg_value": 4363147,
                                  "current_value": 874213,
                                  "max_value": 6290026,
                                  "pct95_value": 6178240,
                                  "severity": 2,
                                  "step": 60,
                                  "timeseries": [
                                      5948880,
                                      5504565,
                                      5907508,
                                      5786937,
                                      6061942,
                                      5686562
                                  ],
                                  "timeseries_start": "2018-07-04T01:03:15+00:00"
                              }
                          }
                      }
                  }
              },
              "id": "172784",
              "type": "alert"
          }
      }
    #+END_SRC

    Staring at JSON data doesn't always lead to clarity, but a close
    enough look at it shows that adding data to the original JSON
    output from the =/alerts/<alert_id>= endpoint is done with
    extraction of data from the sub-endpoints and direct insertion into
    the original results without any reformatting or refactoring of the
    data; the only real effort is knowing which level of data from the
    sub-endpoints should go into which level of the data from the
    top-level endpoint.

    The structure of the data from the sub-endpoints might look
    unnecessarily nested or complicated when taken out of context,
    however, this structure allows for simple construction of the
    entirety of the alert data into one JSON object.

* Configuration

  This chapter describes how to configure Sightline using the
  Sightline REST API.  The difference between configuration and
  operations is that configuration doesn't assume that Sightline is
  collecting flow from any routers.  While the example programs in
  this chapter will change the state of your Sightline deployment,
  they can do so without having any information about or effect on the
  traffic on your network.

** Example: Adding a Managed Object using business information
   #+INDEX: /managed\_objects/ endpoint
   #+INDEX: /config/ endpoint
   #+INDEX: config commit
   #+INDEX: config write
   The Sightline REST API can be used to create customer
   configurations in Sightline using data from other business systems
   (databases, web sites, text files, etc.) that your company uses to
   manage its customers.

   In the example below, the business information is kept in a CSV
   file called =main.csv= that looks like:
   #+BEGIN_EXAMPLE
     name,prefix
     test3,192.168.2.71/32
     test4,192.168.13.0/24
   #+END_EXAMPLE
   From this information, we want to create a managed object (MO) in
   Sightline with the MO name coming from the =name= column and the
   CIDR match prefix coming from the =prefix= column.  In addition,
   all of the managed objects will be type =customer=, will be tagged
   =api=, and will use the mitigation template with the ID 2.

   The steps to do this are:
   - read the data from the CSV file
   - create the managed object JSON with the data that was read and
     the data that is constant for all of the managed objects
   - =POST= the JSON to the =managed_objects= endpoint
   - repeat those steps until there isn't any more data in the CSV
     file
   - create a configuration JSON that includes a log message and then
     =POST= that to the =config= endpoint to write the configuration

   When there are no errors, this script simply prints
   #+BEGIN_EXAMPLE
     Committing configuration.
     Committed configuration.
   #+END_EXAMPLE
   to the screen.

   #+INCLUDE: code-examples/BI-to-MO.py src python

** Example: Setting Appliance Monitoring Limits
   #+INDEX: /devices/ endpoint
   #+INDEX: appliance monitoring
   #+INDEX: appliance monitoring!limits
   #+INDEX: limits!appliance monitoring
   Starting with SPv8.0 monitoring appliances in your Sightline/TMS
   deployment improved with the addition of the Appliance Monitoring
   page (available under the System > Status menu in the web UI).  The
   Appliance Monitoring page allows you to configure limits for all of
   the metrics it displays; those limits are used to sort the graphs
   and to color them relatively more red as the limit is exceeded.

   Configuring those limits is done from the Sightline command line.
   For each appliance, you set the limits you want for each metric.
   So if you have 10 appliances in your deployment and want to set the
   "Disk used %" and "Items tracked per day", it requires 20 command
   line entries.  There are 86 total metrics, so even configuring one
   quarter of those would require 20 command line entries per
   appliance.

   A much easier way to do this is to establish the limits outside of
   Sightline, and use the REST API to apply them to all of the
   appliances.

   The Python program below sets the =items_tracked_per_day= metric to
   have a limit of 15 for each of the appliances that the leader
   knows about.

   The steps to do this are:
   - get a list of the appliances
   - iterate over that list
   - check that the metric isn't already set (you could also make sure
     it was within some limits and correct it if it wasn't, etc.)
   - if it isn't set, set it

   The output from running this script when the limit isn't set looks
   like:
   #+BEGIN_EXAMPLE
     Starting appliance-limiting script
     Retrieving appliances from leader.example.com
     Appliances retrieved. Configuring limits
     Device 115: metrics_items_tracked_per_day_limit configured
     Device 116: metrics_items_tracked_per_day_limit configured
     Device 121: metrics_items_tracked_per_day_limit configured
     Device 184: metrics_items_tracked_per_day_limit configured
     Done
   #+END_EXAMPLE
   While when the limits are set, it looks like:
   #+BEGIN_EXAMPLE
     Starting appliance-limiting script
     Retrieving appliances from leader.example.com
     Appliances retrieved. Configuring limits
     Device 115: metrics_items_tracked_per_day_limit is already configured
     Device 116: metrics_items_tracked_per_day_limit is already configured
     Device 121: metrics_items_tracked_per_day_limit is already configured
     Device 184: metrics_items_tracked_per_day_limit is already configured
     Done
   #+END_EXAMPLE

   #+INCLUDE: code-examples/ragu-python-appliance-limit-ex.py src python

** Example: Combining IPv4 and IPv6 Managed Objects
   #+INDEX: /managed\_objects/ endpoint
   #+INDEX: managed objects!combining
   As of SP 8.4 managed objects using the =cidr_match= match type can
   match on IPv4 and IPv6 addresses in the same managed object.

   These combined managed objects can simplify your configuration and
   save on managed object licensing.  If you have customers or
   properties (for example, a collection of web servers) with both
   IPv4 and IPv6 address space you needed to managed objects to
   monitor and protect them.  This results in more complicated
   management (changes to, for example, the IPv4 MO needed to also be
   made to the IPv6 MO) and in a doubling of your managed object
   count[fn:10].  Combining managed objects where possible can
   simplify the management of them and save you money on licensing
   costs.

   However, as an example of the complexity of having two managed
   objects (one IPv4 and one IPv6) for the same entity in your
   network, combining the managed objects is also complicated and can
   be error-prone.  Automating this process will add consistency and
   reduce the manual effort in combining managed objects.

   The Python program below (called =combine-v4-v6-MOs.py= in the
   =code-examples= directory) is very rudimentary and should be enhaced
   where the comments indicate (and, probably, in other places) before
   you use it in production.  The program follows these basic steps:
    - gather the MOs from the Sightline deployment
    - if there is a file called =mos_to_merge.json= read that file
    - check that the MOs in =mos_to_merge.json= exist
    - compare the IPv4 and IPv6 MOs against a set of rules to see if
      they qualify to be combined
    - output the REST API commands to delete the two old MOs and
      create the new combined MO
    - if the file =mos_to_merge.json= doesn't exist, simply print a
      list of the managed objects on the Sightline system

   The format of the =mos_to_merge.json= file is:
   #+BEGIN_SRC json
     [
         {
             "v4": "cust01_v4",
             "v6": "cust01_v6"
         },
         {
             "v4": "cust02",
             "v6": "cust02_v6"
         },
         {
             "v4": "cust03-4",
             "v6": "cust04"
         },
         {
             "v4": "cust-04",
             "v6": "cust6-04"
         },
         {
             "v4": "cust4-05",
             "v6": "cust6-05"
         }
     ]
   #+END_SRC

   When =combine-v5-v6-MOs.py= is run and the file =mos_to_merge.json=
   is not present, the output looks like:
   #+LATEX: \footnotesize
   #+BEGIN_EXAMPLE
     $ ./combine-v4-v6-MOs.py
     Collecting information on managed objects from sp-leader.example.com
     There are 50 MOs.
     There are 4 out of 37 MOs with CIDR matches that are IPv6 matches.

     Please create a file called mos_to_merge.json and populate it with
     a JSON-formatted list of names of MOs to evaluate for
     combining.
     The list should look like:
     [
         {
             "v4": "mo1_name_v4",
             "v6": "mo1_name_v6"
         },
         {
             "v4": "mo2_name_v4",
             "v6": "mo2_name_v6"
         }
     ]
     Your MOs are:
     cidr_blocks     cust01_v4
     cidr_blocks     cust02
     cidr_blocks     cust03-4
     cidr_blocks     cust-04
     cidr_blocks     cust4-05
     cidr_blocks     web_servers-v4
     cidr_blocks     cust12
     cidr_v6_blocks  cust01_v6
     cidr_v6_blocks  cust02_v6
     cidr_v6_blocks  cust04
     cidr_v6_blocks  cust6-04
     cidr_v6_blocks  cust6-05
   #+END_EXAMPLE
   #+LATEX: \normalsize

   After you've created the =mos_to_merge.json= file to describe the
   MOs you would like to merge, running the Python program results in
   output that should look like:
   #+LATEX: \footnotesize
   #+BEGIN_EXAMPLE
     $ ./combine-v4-v6-MOs.py
     Collecting information on managed objects from spleader.example.com.
     There are 50 MOs.
     There are 4 out of 37 MOs with CIDR matches that are IPv6 matches.
     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
     The following MO will not be evaluated for combining because one
     or both of the MO names is not configured on the SP system.
     {
         "v4": "isp_1",
         "v6": "not_isp_1"
     }
     >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     ('cust01_v4', 'cust01_v6'):
       - Shared Host Detection Sets do not match
     ('cust02', 'cust02_v6'):
       - Shared Host Detection Sets do not match
     ('cust03-4', 'cust04'):
       - Shared Host Detection Sets do not match
     MOs that can be combined: [('cust-04', 'cust6-04')]
     DELETE http://spleader.example.com/api/sp/managed_objects/278
     DELETE http://spleader.example.com/api/sp/managed_objects/284
     POST http://spleader.example.com/api/sp/managed_objects <<
     {
         "data": {
             "relationships": {
                 "mitigation_templates_manual_ipv4": {
                     "data": {
                         "type": "mitigation_template",
                         "id": "1"
                     },
                     "links": {
                         "related": "https://spleader.example.com/api/sp/v5/mitigation_templates/1"
                     }
                 },
                 "shared_host_detection_settings": {
                     "data": {
                         "type": "shared_host_detection_settings",
                         "id": "114"
                     },
                     "links": {
                         "related": "https://spleader.example.com/api/sp/v5/shared_host_detection_settings/114"
                     }
                 },
                 "mitigation_templates_manual_ipv6": {
                     "data": {
                         "type": "mitigation_template",
                         "id": "8"
                     },
                     "links": {
                         "related": "https://spleader.example.com/api/sp/v5/mitigation_templates/8"
                     }
                 },
                 "mitigation_templates_auto_ipv6": {
                     "data": {
                         "type": "mitigation_template",
                         "id": "9"
                     },
                     "links": {
                         "related": "https://spleader.example.com/api/sp/v5/mitigation_templates/9"
                     }
                 },
                 "mitigation_templates_auto_ipv4": {
                     "data": {
                         "type": "mitigation_template",
                         "id": "2"
                     },
                     "links": {
                         "related": "https://spleader.example.com/api/sp/v5/mitigation_templates/2"
                     }
                 }
             },
             "attributes": {
                 "detection_profiled_severity_snmp_enabled": false,
                 "match_type": "cidr_blocks",
                 "family": "customer",
                 "autodetected": false,
                 "mitigation_blackhole_auto_enabled": false,
                 "detection_network_country_enabled": false,
                 "detection_profiled_fast_detection_enabled": false,
                 "detection_profiled_threshold_bandwidth": 2,
                 "parent_editable": false,
                 "mitigation_automitigation_tms_enabled": false,
                 "detection_profiled_autorate": false,
                 "mitigation_flowspec_auto_enabled": false,
                 "num_children": 0,
                 "detection_profiled_severity_duration": 300,
                 "mitigation_automitigation_stop_event": "after_alert_ends",
                 "detection_profiled_threshold_packet_rate": 2,
                 "mitigation_automitigation_stop_minutes": 0,
                 "detection_profiled_threshold_protocol": 2,
                 "match": "32.174.0.0/24 3ffe:32:17:4abc::/119",
                 "intf_boundary": [
                     "16384004"
                 ],
                 "description": "gggg ---Combined Managed Object--- ",
                 "tags": [
                     "customer",
                     "auto-combined"
                 ],
                 "editable": true,
                 "detection_profiled_outgoing_enabled": true,
                 "name": "cust-04 + cust6-04",
                 "mitigation_automitigation": false,
                 "detection_profiled_enabled": false,
                 "detection_network_enabled": false
             },
             "type": "managed_object"
         }
     }
   #+END_EXAMPLE
   #+LATEX: \normalsize
   Notice that, at the end of the output, the JSON that can be POSTed
   to create the new managed object has some combined and some new
   properties:
    - the ="match"= value is the combined IPv4 and IPv6 match values
    - there is a new tag called ="auto-combined"= so you can easily
      search for MOs that were created this way
    - the name is new and is the combination of the two old names
    - the description has the string =---Combined Managed Object---=
      in it
    - the various =mitigation_templates_[manual|auto]_[ipv4|ipv6]=
      relationships are taken from the original two MOs

   #+INCLUDE: code-examples/combine-v4-v6-MOs.py  src python

** Example: Adding a new TMS                                       :noexport:
   - we might not be able to do this in a reasonable way in SP8.3v3
** Example: Moving Routers between Collectors                      :noexport:
   - this doesn't work at all, so we shouldn't do it

** Example: Triggering Smart Alerts with Smart Alert Settings
  #+INDEX: /smart\_alert\_settings/ endpoint
  #+INDEX: /alerts/ endpoint
  #+INDEX: insight
  Smart alerts are new in Sightline 9.0 and are a way of generating
  traffic-based alerts using Insight data instead of managed objects.
  Smart alerts look at the last 5 minutes of Insight traffic data
  nearly continuously and use a varient of the Insight filter language
  to select specific traffic which is then compared to the thresholds
  configured in the smart alert settings.  If the threshold is
  exceeded a Sightline alert is started; if the traffic later drops
  below the threshold, the alert is ended.  Unfortunately, in
  Sightline 9.0 there is no way to directly get alert data using the
  query that is returned in the alert; this will be addressed in later
  versions of Sightline.  See the Sightline documentation for more
  details on smart alerts.

  The Sightline REST API can be used to create, edit, and delete smart
  alert settings which will trigger smart alerts (of alert type
  =smart_thresh=) whenever traffic meets the settings in a smart alert
  setting.

  There are two parts to a smart alert setting: the attributes that define what
  will trigger a smart alert, and the settings to pass to the smart alert. The
  settings passed to the smart alert are in the =alert_view= attribute in a
  smart alert. They are what, when loaded into the Insight UI, dicate what
  settings will be shown. For example, if =unit= is =pps=, then when the
  smart alert is loaded into Insight, the unit toggle will be set to =pps=.

  Note: Traffic is checked in five minute windows, so, when traffic has met the
  settings in the smart alert setting, a smart alert will be triggered.

  There are two ways to load a smart alert into the Insight UI:
   - Go to the alerts listing page, click on a smart alert
   - Add =&alert_id={alert_id}= to the Insight URL. I.e.:
     #+BEGIN_EXAMPLE
     https://sightline-leader.example.com/page?id=insight&alert_id=48227
     #+END_EXAMPLE

  In the example below, a user creates a smart alert setting that will trigger
  a smart alert of importance (aka severity) of =medium= when traffic exceeds
  the set threshold of =4567= with unit =bps= when filtered on the =Protocol=
  facet with view =Network=.

  In the example below the triggered smart alert will contain information such
  that, when loaded into the insight UI, the unit toggle will be set to =pps=,
  the view will be set to =Peer=, the =Relationships= tab will be
  predominant on the page, the =importance= will be =1=. along with other
  information such as the start time.

  #+INCLUDE: code-examples/smart_alert_setting.py src python

* Operations

  This chapter will describe how to use the Sightline REST API
  operationally.  The difference between configuration and operations
  is that operations requires Sightline to be receiving and processing
  traffic, generating alerts, routing traffic to TMSs, and other
  functions that Sightline provides that help you operate your
  network.

** Example: Starting a Mitigation
   #+INDEX: /alerts/ endpoint
   #+INDEX: /alerts/ endpoint!filtering
   #+INDEX: /mitigations/ endpoint
   #+INDEX: mitigation
   There is no better product than NETSCOUT|Arbor's Sightline and TMS
   for detecting and mitigating distributed denial of service attacks
   on networks, and the automatic mitigations started by Sightline are
   very effective.  However, Sightline provides no facility for
   additional decision making when deciding whether or not to
   mitigation a suspected DDoS attacks.  Using the Sightline REST API
   allows you to construct your own set of rules around what to
   mitigate and when to mitigate it.

   The example Python program below demonstrates how to read alerts
   from a Sightline leader, make some decisions about whether or not
   to mitigate them, and then start the mitigatons.

   In the case of the example program below, the function
   =apply_rules= takes a list of alerts and their details, filters
   them by the rules, and returns the rules and their details that
   match the criteria:
    - the alert importance is High
    - the alert hasn't ended
    - the alert is a DoS Host alert

   The steps to look at this are:
    - establish a time period over which you want to consider the
      alerts
    - collect the alerts that were started in that time frame
      using the REST API
    - filter out the alerts that don't match the rules for mitigation
    - use the REST API to create and start mitigations the alerts that
      do match the rules

   #+INCLUDE: code-examples/start-mitigations-by-rules.py src python

   #+RESULTS:
   #+begin_example
   Starting auto-mitigation script
   Fetching alerts from Tue Sep 12 16:10:00 2017 onwards
   Alerts retrieved. Filtering on configured ruleset
   4 alert(s) match mitigation criterion
   Mitigating alerts
   Alert 11487 Auto-API-Mitigation started
   Alert 11486 Auto-API-Mitigation started
   Alert 11485 Auto-API-Mitigation started
   Could not start mitigation: Alert 11473 Auto-API-Mitigation
   Done
#+end_example

** Example: Adding an annotation
   #+INDEX: /alerts/ endpoint!annotations
   #+INDEX: /alerts/ endpoint
   #+INDEX: /alerts/ endpoint!filtering
   Sightline will automatically add annotations to alerts in many
   cases, including changes in the severity of an alert and when a
   mitigation is started for the alert.  Each set of annotations for
   an alert can then be viewed in the Sightline web UI or retrieved
   via the Sightline REST API to follow the progress of an alert over
   time.

   Your organization may want to automatically add annotations to make
   the annotation history of an alert more useful.

   The following Python program adds the alert impact information (the
   impact in bits-per-second and packets-per-second and the impact
   boundary) to all of the running alerts every time it is run.
   Running this every 4 hours would give a nice history of the impact
   of an alert over time.

   When run, this program prints out:
   #+BEGIN_EXAMPLE
     Starting auto-annotation script
     Fetching ongoing alerts from leader.example.com
     Alerts retrieved. Auto-annotating impact data
     Annotating 11 ongoing alerts with impact data
     Alert 8067 annotated
     Alert 8066 annotated
     Alert 8063 annotated
     Alert 8062 annotated
     Alert 8061 annotated
     Alert 8060 annotated
     Alert 8055 annotated
     Alert 7814 annotated
     Alert 5913 annotated
     Alert 5912 annotated
     Alert 5904 annotated
     Done
   #+END_EXAMPLE

   And the annotation text, via the API looks like:
   #+BEGIN_SRC json
     {
         "meta": {
             "sp_version": "8.3",
             "api": "SP",
             "api_version": "3",
             "sp_build_id": "HIT4"
         },
         "data": [
             {
                 "attributes": {
                     "text": "Impact on boundary 'rtr1.nyc'; Impact in bps: 10558611; Impact in pps: 1707;",
                     "added": "2017-09-25T19:34:12+00:00",
                     "author": "API-Client"
                 },
                 "type": "alert_annotation",
                 "id": "21168"
             },
             {
                 "attributes": {
                     "text": "Impact on boundary 'rtr1.nyc'; Impact in bps: 10558611; Impact in pps: 1707;",
                     "added": "2017-09-25T19:33:34+00:00",
                     "author": "API-Client"
                 },
                 "type": "alert_annotation",
                 "id": "21157"
             },
             {
                 "attributes": {
                     "text": "The \"TCP NULL\" host alert signature severity rate configured for \"Customer\" has been exceeded for 2 minutes, changing Severity Level from medium to high  (expected rate: 1.00 Kpps, observed rate: 1.70 Kpps)",
                     "added": "2017-09-25T19:18:45+00:00",
                     "author": "auto-annotation"
                 },
                 "type": "alert_annotation",
                 "id": "21155"
             }
         ],
         "links": {
             "self": "https://leader.example.com/api/sp/v3/alerts/8067/annotations/"
         }
     }
   #+END_SRC

   The source code for the Python program that generates this follows,
   and the steps are:

   - gather the alerts that match the filter
   - for each alert extract the impact data from its =attributes=
     section in the returned JSON
   - create annotation text
   - annotate the alert with the new annotation text containing the
     impact information (=POST= to the =/alert/<id>/annotations/=
     endpoint)

   #+INCLUDE: code-examples/ragu-python-annotate-ex.py src python

** Example: Changing TMS Filter Lists                              :noexport:



   #+INCLUDE: code-examples/ragu-python-tms-filter-ex.py src python

** Example: Creating Cloud-signaled Alerts                         :noexport:
   - may not be crucial because not everyone is a cloud signaling
     user; even so, i like this example because it is a unique
     programmatic thing in SP.  /--acaird/
* Insight
  #+INDEX: insight
  Sightline Insight is an addition to Sightline that stores all of the
  Arbor annotated flow records that Sightline sees and allows queries
  on that data in many ways.  One notable feature of Sightline Insight
  when compared to Sightline is that reports with more than two field
  types can be created.  For example, Sightline supports reports that
  are "Customer by TCP Ports" but does not support reports with more
  than two field types; Sightline Insight supports reports like
  "Customer by TCP Ports by Source Country".

  Another difference between Sightline and Sightline Insight is that
  the Sightline Insight web page retrieves all of its data from the
  Sightline REST API, meaning that any of the data visible on the
  Sightline Insight web page is available to you via an API client.

  The Sightline Insight API is documented in the API Reference Guide
  included with Sightline.  In addition, there are some examples
  following.

** Example: Insight PDF Reports                                    :noexport:
   - gather some data from Insight
   - make a graph of it, or some other nice looking report that is a
     PDF file
   - this is not a good idea because
     - it is difficult
     - not everyone has Insight
** Example: Creating Multidimensional Reports with the SP Insight API :noexport:

   Traditional SP offers reports that have two dimensions---customers
   and ports, or routers and customer---these are pre-computed by SP
   as it analyzes the NETFLOW data that is collects and the reports
   are very fast to produce because of this.

   However, there are many reports that SP cannot make---the data
   needed to make them isn't available.  However, SP Insight keeps all
   of the data, which makes for very large storage requirements and,
   possibly, very long query times when makeing report, but allows for
   reports based on almost anything that is available in the raw data.

** Example: Downloading Raw Flows with the Sightline Insight API
   #+INDEX: raw flow
   #+INDEX: insight!query
   #+INDEX: insight!filters
   #+INDEX: python
   #+INDEX: csv

   Because Sightline Insight stores all of the raw flow records that
   Sightline has seen (up to the limits of your Sightline Insight
   cluster), you can retrieve those raw flow records via the Sightline
   REST API.

   The script below comprises mostly processing of command-line
   options, but the heart of it is the JSON-formatted query:
   #+BEGIN_SRC json
     {
         "start": "<start>",
         "end": "<end>",
         "dimensions": [
             "IP_Protocol",
             "Source_IPv4_Address",
             "Source_Port",
             "Destination_IPv4_Address",
             "Destination_Port"
         ],
         "limit": "<num_records>",
         "perspective": "<perspective>",
         "view": "<view>"
     }
   #+END_SRC
   which describes the data to be returned from the API.  The items in
   =<>= are set in the program via command-line options or their
   defaults.

   You could add an option that took dimension names as the parameter
   and create the ="dimensions"= list from the command line, too.  If
   you simply delete the ="dimensions"= key and list, the API will
   return all of the dimensions in the CSV file.  You will get better
   performance if you request only the dimensions you need.

   In addition to the keys and values in the query parameter above and
   in the program, you can add a ="filters"= parameter that looks like
   this:

   #+BEGIN_SRC json
         "filters": {
             "fields": [
                 {
                     "facet": "Destination_Port",
                     "type": "selector",
                     "value": "80"
                 },
                 {
                     "facet": "Destination_Port",
                     "type": "selector",
                     "value": "443"
                 }
             ],
             "type": "or"
         }
   #+END_SRC

   This particular filter selects results where the Destination Port
   is either =443= or =80=.  You can create more complex filters to
   retrieve only the data you need.

   *Note:* As of the version of Sightline Insight that is shipped with
   SP 8.4 and earlier, the Sightline Insight filter specification does
   not support the ="and"= operation between facets of the same type.

   One way to find out how to structure a Sightline Insight query,
   including filters, is to use your web browsers developer tools and
   inspect the queries that the Sightline Insight is sending to the
   API.

   #+INCLUDE: code-examples/download-insight-rawflows.py src python

   An example of running this program is:
   #+BEGIN_SRC sh :exports code
     python download-insight-rawflows.py -s 2018-22-03 -e 2018-04-24 \
            -l leader.example.com \
            -k MySecretAPIkey \
            -n 1000000
   #+END_SRC
   #+BEGIN_EXAMPLE
       Querying leader.example.com for 1000000 raw flows records
       between 2018-03-22T00:00:00 and 2018-04-24T00:00:00...
       Writing chunk #298 to raw_flows.csv
     Query time:       25.5 seconds
     Write time:       46.9 seconds
     Total time:       72.4 seconds
   #+END_EXAMPLE
   and the file =raw_flows.csv= contains 1,000,000 flow records and
   one header row:
   #+BEGIN_EXAMPLE
   $ wc -l raw_flows.csv
   1000001 raw_flows.csv
   #+END_EXAMPLE
** Example: Creating Traffic Flow Diagrams with the Sightline Insight API
   #+INDEX: insight!query
   #+INDEX: insight!filters
   #+INDEX: python
   #+INDEX: dot
   #+INDEX: graphviz
   #+INDEX: networkx
   #+INDEX: sankey
   #+INDEX: flow
   #+INDEX: insight!topn

   Sightline Insight can represent information grouped together by many
   aspects.  That is, you can ask the question "How much traffic left
   a host and went out a particular source port destined for one of
   several different ports on another host?" and Insight can answer
   that question.

   The question part of this is a query to the =insight/topn= that
   looks similar to:
   #+BEGIN_SRC json
     {
         "limit": 10,
         "groupby": [
             "Source_IPv4_Address",
             "Source_Port",
             "Destination_Port",
             "Destination_IPv4_Address"
         ],
         "filters": {
             "type": "or",
             "fields": [
                 {
                     "type": "selector",
                     "facet": "Destination_Port",
                     "value": "80"
                 },
                 {
                     "type": "selector",
                     "facet": "Destination_Port",
                     "value": "443"
                 },
                 {
                     "type": "selector",
                     "facet": "Destination_Port",
                     "value": "25"
                 },
                 {
                     "type": "selector",
                     "facet": "Destination_Port",
                     "value": "53"
                 }
             ]
         },
         "start": "2018-05-20T16:44:00.000Z",
         "end": "2018-05-20T16:52:00.000Z",
         "view": "Network",
         "metric": "bps",
         "calculation": "average"
     }
   #+END_SRC
   which asks the specfic question "For destination ports of web
   servers (80 and 443), SMTP servers (port 25), and DNS servers (port
   53), what sort of traffic is going to what hosts and from where?"


   The results are a list of objects each looking similar to those
   in this short list of two:
   #+BEGIN_SRC json
     [
         {
             "Destination_IPv4_Address": "216.175.102.23",
             "Destination_Port": "80",
             "Source_IPv4_Address": "163.193.0.1",
             "Source_Port": "44456",
             "bps": {
                 "average": {
                     "in": 2500,
                     "out": 0,
                     "total": 2500
                 }
             }
         },
         {
             "Destination_IPv4_Address": "216.175.102.23",
             "Destination_Port": "80",
             "Source_IPv4_Address": "163.193.0.2",
             "Source_Port": "45666",
             "bps": {
                 "average": {
                     "in": 500,
                     "out": 0,
                     "total": 500
                 }
             }
         }
     ]
   #+END_SRC
   If you want to see a visualization of the relationships between
   source hosts, source ports, destination ports, and destination
   hosts you can construct a directed graph with each of those four
   elements as nodes in the graph, adding up the average traffic total
   for each edge.  In the case of the example above,  =163.193.0.1= is
   sending 2500bps out of port =44456= to port =80= on host
   =216.175.102.23= and similar for =163.193.0.2=, but with 500bps of
   traffic.  So the total traffic to port 80 is 3000bps and the total
   traffic to =216.175.102.23= is also 3000bps.

   One way to represent this is to gather the data from Insight and
   represent it using a graph library in Python, with the nodes and
   edges having properties relevant to them.  The example below uses
   the [[https://networkx.github.io/][networkx]] Python library to manage the graph elements and then
   produces a file that can be processed using the =dot= program that
   comes in the free [[http://graphviz.org/][GraphViz]] package.

   #+INCLUDE: code-examples/sp-insight-sankey.py src python

   That program will write a file called =traffic-flow.dot= in the
   directory from which you run it.  Once you have that file and you
   have Graphviz installed, you should run =dot -Tpdf -O
   traffic-flow.dot= to produce a file called =traffic-flow.dot.pdf=.

   Using some highly contrived test data, this produces a graphic that
   looks like:
   #+CAPTION: Using contrived test Netflow data to populate Sightline Insight,
   #+CAPTION: the Python program in this section, and Graphviz =dot=
   #+CAPTION: we can see a visual representation of the flow of
   #+CAPTION: traffic from a source host, out a source port, into a
   #+CAPTION: destination port, and on to the destination host.  From
   #+CAPTION: this picture you can see that most of the traffic to the
   #+CAPTION: host is web traffic (port 80), there isn't any HTTPs
   #+CAPTION: (port 443) traffic at all, and there is a little bit of
   #+CAPTION: SMTP (port 25) and DNS (port 53) traffic.  Depending
   #+CAPTION: on the services you expect on that host, the SMTP and
   #+CAPTION: DNS traffic might be suspicious.
   [[file:images/traffic-flow.dot.pdf]]

   The example here can be constructed using the Sightline Insight UI
   page, but this example can be extended to show data that the
   current version of Insight cannot.  For example, if you wanted to
   get traffic that matches the destination ports 80 and 443 *or*
   traffic to 10.12.14.16 you can use the Python program above to make
   two queries, one for each condition, and put all of the results
   into the results graph (the variable =G= in the example program).
   In Insight parlance, this is an /or between two facets/, which is
   not supported in the UI or API, but can be done with your own API
   client.

** Example: Using Tagrules to Relate Traffic Data to an Incident Tracking System
   #+INDEX: insight!query
   #+INDEX: insight!filters
   #+INDEX: python
   #+INDEX: insight!over the top
   #+INDEX: insight!ott
   #+INDEX: insight!tagrules

   Sightline Insight stores data in columns called *dimensions* and
   the Sightline REST API sometimes combines those dimensions or
   applies logic to them resulting in *aspects*.  As a group
   dimensions and aspects are referred to as *facets*.  Sightline
   Insight does not support modifying aspects within the API but does
   expect that API clients might combine several facets with local
   logic to produce an *external aspect*.  It is also possible to add
   dimensions to Insight data directly via *tagrules* which specify a
   filter (any valid Insight filter), a new dimension, and a value to
   insert into that dimension.  The new dimension or dimensions extend
   the Insight data store.  If a dimension is removed, it will persist
   in the data store until all of the data related to the new
   dimension has aged out of Insight.

   One example of using an additional dimension in Insight is to
   associate traffic on your network with DNS data.  Assume a host
   using your network makes DNS queries to a DNS server that you
   control.  You can then associate the DNS lookup of =netflix.com=
   with a source and destination pair, and that association is valid
   for as long as the time-to-live of the DNS lookup.  Adding
   =netflix.com= to a dimension in Insight for each occurance of this
   allows you to analyze traffic between clients on your network and
   =netflix.com=.  This is often referred to as "over-the-top" or OTT
   analysis, as it looks at traffic between two known entities that is
   going "over the top" of your network.  That, however, is a
   complicated example.

   Another, simpler, example is that of a Network Operations Center
   (NOC) that has a task of producing reports on network traffic from
   specific IP addresses that it learns of via other means.  One
   example of this is looking at botnet command-and-control networks
   and getting frequently updated data on the IP addresses that are
   part of that network.  For each new IP address that is part of the
   C&C network, the NOC is informed via an Incident in their service
   desk system.  The NOC must then look back in time at related
   network traffic that is stored in Insight and also maintain
   visibility on future related network traffic.

   Adding a "column" or dimension to the Insight data that is for an
   Incident ID from an Incident Tracking System allows traffic
   related to an incident to be analyzed both retrospectively and as
   time goes on.

   This new dimension is added via a tag rule that includes three
   pieces of information: the source IP address (the new C&C address),
   the name of the dimension that is being updated (if the dimension
   doesn't exist it will be created), and the value for the dimension
   (the Incident ID number).

   Using the Python programs below this can be demonstrated.  The
   first program has hard-coded incident numbers and assigns
   yesterday's top talkers instead of C&C IP addresses to those
   incident numbers.  The second program reports on the newly-created
   Incident dimesion of the Insight data.

   Adding Incidents to the Incident column and associating them with
   IP addresses looks like:
   #+LATEX: \scriptsize
   #+BEGIN_EXAMPLE
     ID        Source IP                 Valid from                Valid until    Incident
     39      192.168.0.1  2018-10-23T00:00:00+00:00  2018-10-31T00:00:00+00:00       12345
     40      192.168.0.8  2018-10-23T00:00:00+00:00  2018-10-31T00:00:00+00:00       54321
     41      192.168.0.9  2018-10-23T00:00:00+00:00  2018-10-31T00:00:00+00:00       12345
     42        10.0.52.3  2018-10-23T00:00:00+00:00  2018-10-31T00:00:00+00:00       54321
   #+END_EXAMPLE
   #+LATEX: \normalsize
   The =ID= column is Insight's internal number for the tagrule, the
   =Source IP= is the Source IP address of interest, the =Valid from=
   and =Valid until= dates specify how long this data is to be
   monitored, and the =Incident= number is what relates this traffic
   to the service desk Incident.

   Then, after waiting for the re-ingestion of the Insight data to
   happen where the new Incident data is added, the report script
   results in:
   #+BEGIN_EXAMPLE
     Inc.#     Dest IP Addr      Src IP Addr    In Traf (bps)
     12345    172.16.102.23      192.168.0.1        177592.53
     54321     172.16.192.1        10.0.52.3        124684.16
     12345    172.16.102.23      198.168.0.9         89278.84
     54321    172.16.102.23      198.168.0.8         88053.12
   #+END_EXAMPLE
   Which tells you that the two IP addresses in Incident 12345
   generated more traffic than the two in Incident 54321 and that the
   traffic between the external address =163.193.0.1= and the internal
   address =216.175.102.23= was the highest and would be the most
   valuable thing to investigate.

*** Creating Incidents

    A Python program that demonstrates how traffic can be associated
    with an Incident ID is below.  A more useful thing to do might be
    to have a web page where a set of Source IP Addresses can be
    entered along with an Incident ID number; this script is nearly
    an example of that workflow, but constrained for the purposes of
    this example.

    #+INCLUDE: code-examples/tagrules-create.py src python

*** Reporting on Incidents

    A Python prorgam that demonstrates the destination traffic that
    results from filtering on the source traffic and relates each
    destination/source pair to an arbitrary Incident ID number is
    below.  It is pretty simple, but demonstrates how you could get
    potentially valueable data associated with an external reference
    using Insight.

    #+INCLUDE: code-examples/tagrules-report.py src python

* Examples in Languages other than Python

  These examples are intentionally less sophisticated than those
  above; they are just intended to demonstrate basic interactions with
  the API using languages other than Python.

** Java
   #+INDEX: java
   #+INDEX: /alerts/ endpoint
   #+INDEX: java!keygen
   When operating a Sightline deployment that has many collectors,
   TMSs, and is maintained by many network security engineers, it is
   convenient to see the system events that Sightline logs in a
   concise format.  System events include configuration changes,
   system errors, and other operational details that can help maintain
   the stability and availability of your NETSCOUT|Arbor Sightline/TMS
   environment.

   This example uses a Java program to retrieve the events from a
   Sightline leader that are considered system events, and print those
   events in a concise format.



   Java handles SSL certificate files differently from other languages
   (most of which base their HTTP libraries on =libcurl=, hence their
   similarity); the certificate file mentioned in [[SSL Certificates]]
   needs to be converted to the Java Key Store format.  One way to do
   this is to use the =keytool= command that is part of a standard
   Java Development Kit distribution:
   #+BEGIN_SRC sh
   keytool -import -alias ca -file https_active.crt -keystore cacerts -storepass changeit
   #+END_SRC
   where =https_active.crt= is the name of the certificate file from
   Sightline and =cacerts= is the name of the output file that will
   later be read by the Java application.

   This example makes use of the =json-simple=[fn:7] Java library;
   after downloading the =.jar= file for =json-simple=, and place
   it in the same directory as this example.

   Then set the =CLASSPATH= environment variable to include the path
   to the =json-simple= JAR file and the current working directory
   (denoted by the single period, =.=) by setting it to
   =./json-simple-1.1.1.jar:.= This way both the Java compiler and
   run-time environment can find the libraries included in the
   =json-simple= JAR file and the newly compiled =SystemEventClass=
   program.

   With =CLASSPATH= set you can compile =SystemEventClass.java= with
   the command =javac -classpath ./json-simple-1.1.1.jar
   SystemEventClient.java=.

   After that, but in the same environment where you have set
   =CLASSPATH= as above, typing =java SystemEventClass= will run the
   Java program and it should result in output that looks like:
   #+LATEX: \tiny
   #+BEGIN_EXAMPLE
     +-------+------------+-----------------------------+--------+---------+---------------------------+---------------------------+-------------+
     |  ID   | Importance |            Alert            |  User  | Version |        Start_Time         |        End_Time           | Annotations |
     +-------+------------+-----------------------------+--------+---------+---------------------------+---------------------------+-------------+
     | 55316 | Medium     | System Configuration Update | admin  | 1.121   | 2017-09-21T20:58:27+00:00 | 2017-09-21T20:58:27+00:00 | Example Annotation |
     | 55308 | Medium     | System Configuration Update | admin  | 1.120   | 2017-09-21T20:55:55+00:00 | 2017-09-21T20:55:55+00:00 | None        |
     | 55307 | Medium     | System Configuration Update | admin  | 1.119   | 2017-09-21T20:55:45+00:00 | 2017-09-21T20:55:45+00:00 | None        |
     | 55306 | Medium     | System Configuration Update | admin  | 1.118   | 2017-09-21T20:55:37+00:00 | 2017-09-21T20:55:37+00:00 | None        |
     | 55231 | Medium     | System Configuration Update | admin  | 1.117   | 2017-09-21T19:14:48+00:00 | 2017-09-21T19:14:48+00:00 | None        |
     | 54669 | Medium     | System Configuration Update | admin  | 1.115   | 2017-09-20T17:28:16+00:00 | 2017-09-20T17:28:16+00:00 | None        |
     +-------+------------+-----------------------------+--------+---------+---------------------------+---------------------------+-------------+
   #+END_EXAMPLE
   #+LATEX: \normalsize

   #+INCLUDE: code-examples/SystemEventClient.java src java

** bash
   #+INDEX: bash
   #+INDEX: shell script
   #+INDEX: jq
   #+INDEX: curl!command line
   #+INDEX: /alerts/ endpoint
   #+INDEX: /alerts/ endpoint!filtering
   Using the Sightline REST API can be done from a =sh= shell script
   and some command line tools.

   This example uses =curl= and =jq= (see the section titled [[Useful
   Tools]] for more information on those tools) to get a list of alerts
   from Sightline and print them in either JSON, tab-separated values,
   or comma-separate values.

   This example makes an API request to get the alerts for the last 24
   hours, then uses =jq= to extract and re-render that information for
   printing to the screen.

   #+INCLUDE: code-examples/ongoing-alerts-bash-example.sh src sh

   Running that script with the =-t= option produces output that looks
   like:
   #+BEGIN_SRC sh :exports source
     type       start   description
     tms_fault  2017-09-22T16:26:26+00:00       Hardware Sensor 'Power Draw (PS2)' is 'Critical' (Triggering value: 0 Watts)
     tms_fault  2017-09-22T16:25:26+00:00       Hardware Device 'Power Supply PS2' is 'Error' (Presence detected, Power Supply AC lost)
     collector_down     2017-09-21T19:39:21+00:00
   #+END_SRC

** PHP
   #+INDEX: php
   #+INDEX: /tms\_ports/ endpoint
   A common programming language for web-based applications is PHP.
   This example uses PHP to list port names and types, and TMS names,
   models, and deployment types for all of the TMSs in your
   deployment.

   The steps to do this are:
   - query the =tms_ports= endpoint
   - for each object in the returned array, print the information
     about that TMS port

   When this PHP program is run, it produces output that looks like:
   #+BEGIN_SRC sh
     | Port Name | Port Type | TMS                   | TMS Model | TMS Deployment Type |
     | tms0      | physical  | tms002                | TMS-2500  |                     |
     | tms1      | physical  | tms002                | TMS-2500  |                     |
     | tms2      | physical  | tms002                | TMS-2500  |                     |
     | tms3      | physical  | tms002                | TMS-2500  |                     |
     | tms4      | physical  | tms002                | TMS-2500  |                     |
     | tms5      | physical  | tms002                | TMS-2500  |                     |
     | tmsx0.0   | physical  | tms001                | TMS-3100  | inline              |
     | tmsx0.1   | physical  | tms001                | TMS-3100  | inline              |
   #+END_SRC

   #+INCLUDE: code-examples/tms-ports-php-example.php src php

** C
   #+INDEX: C
   #+INDEX: libcurl
   #+INDEX: libjansson
   #+INDEX: curl!library
   #+INDEX: jansson
   #+INDEX: /managed\_objects/ endpoint
   Most of the software in the world is written in the C programming
   language, so an API client for the Sightline REST API should be no
   exception.

   The example client below uses two libraries to make things easier:
    - the cURL library to make the HTTPS request to the Sightline REST
      API and retrieve the results; see https://curl.haxx.se/ for more
      details
    - the Jansson library for processing JSON data returned by the
      Sightline REST API; see http://www.digip.org/jansson/ for more
      details

   This example retrieves all of the managed objects from the
   Sightline REST API in groups of 10 at a time (note the =perPage=10=
   part of the URL) and prints out a table of a few of the attributes.

   The output looks like:
   #+LATEX: \tiny
   #+BEGIN_EXAMPLE
     |                     Name  | Child? |     Match Type  |                     Match Values  |
     --------------------------------------------------------------------------------------------
     |                  VPNSite1 |    Yes |     cidr_blocks |      192.168.1.0/24 172.16.1.0/24 |
     |                  VPNSite2 |    Yes |     cidr_blocks |      192.168.2.0/24 172.16.2.0/24 |
     |                  VPNSite3 |    Yes |     cidr_blocks |      192.168.3.0/24 172.16.3.0/24 |
     |                  VPNSite4 |    Yes |     cidr_blocks |      192.168.4.0/24 172.16.4.0/24 |
     |                      MPLS |        |     cidr_blocks |                       10.0.0.0/24 |
     |                custMisuse |        |     cidr_blocks |                  192.168.137.0/28 |
     |                 peer14989 |        |         peer_as |                             14989 |
     |                 peer11420 |        |         peer_as |                             11420 |
     |                 peer14041 |        |         peer_as |                             14041 |
     |                     test2 |        |     cidr_blocks |                     10.11.12.0/24 |
     |                     test3 |        |     cidr_blocks |                   192.168.2.71/32 |
     |                     test4 |        |     cidr_blocks |                     10.11.13.0/24 |
     |                  Internet |        |          (null) |                            (null) |
     |           All Subscribers |        |          (null) |                            (null) |
     --------------------------------------------------------------------------------------------
                                                                 SP REST API version: SP8.3/APIv3
   #+END_EXAMPLE
   #+LATEX: \normalsize

   #+INCLUDE: code-examples/mo-listing.c src c

** Node
   #+INDEX: node
   #+INDEX: javascript
   #+INDEX: dns
   #+INDEX: filter\ list
   #+INDEX: /tms\_filter\_list\_requests/ endpoint

   In SP8.4 and later you can configure DNS Filter Lists by telling
   Sightline about a DNS server from which you can do zone transfers
   and the domain or subdomain containing the hosts you want to add to
   the DNS filter list.  This can be a fast way of creating a DNS
   filter list for a whole subdomain.

   The following NodeJS API client requires a version of Node that is
   at least 8.4.0 and can be run with the command:
   #+BEGIN_EXAMPLE
    node dns-filter-lists.js
   #+END_EXAMPLE
   and should simply print:
   #+BEGIN_EXAMPLE
   Successfully saved filter list content
   #+END_EXAMPLE
   when it is done.  You can then verify the results by looking in the
   UI at Administration > Mitigation > Filter lists or by looking at
   the =/api/sp/tms_filter_lists/= endpoint in the API.

   #+INCLUDE: code-examples/dns-filter-lists.js src javascript

* Appendices
** License
   #+INDEX: license
   This work is licensed under the Creative Commons
   Attribution-ShareAlike 2.0 Generic License. To view a copy of this
   license, visit http://creativecommons.org/licenses/by-sa/2.0/ or
   send a letter to Creative Commons, PO Box 1866, Mountain View, CA
   94042, USA.

   The computer programs and code examples are licensed under The
   Unlicense

   #+BEGIN_QUOTE
   The computer programs and code examples in this work are free and
   unencumbered software released into the public domain.

   Anyone is free to copy, modify, publish, use, compile, sell, or
   distribute this software, either in source code form or as a
   compiled binary, for any purpose, commercial or non-commercial, and
   by any means.

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
   NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
   CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
   CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
   WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

   In jurisdictions that recognize copyright laws, the author or
   authors of this software dedicate any and all copyright interest in
   the software to the public domain. We make this dedication for the
   benefit of the public at large and to the detriment of our heirs
   and successors. We intend this dedication to be an overt act of
   relinquishment in perpetuity of all present and future rights to
   this software under copyright law.

   For more information, please refer to http://unlicense.org/
   #+END_QUOTE

** Versioning
   #+INDEX: versioning
   The Sightline REST API version number is displayed in the =meta=
   section of every API response.  In version 1 of the SP REST API the
   version is stored by the key =sp_api_version=, in later versions it
   is stored in the key =api_version=.  The =meta= object looks like:
   #+BEGIN_SRC sh :results output :exports results
   http --session leader GET https://leader.example.com/api/sp/ | jq '{"meta":.meta}'
   #+END_SRC

   #+BEGIN_SRC json
     {
         "meta": {
             "sp_version": "8.3",
             "api": "SP",
             "api_version": "3",
             "sp_build_id": "HIT4"
         }
     }
   #+END_SRC

   It is possible for the API version to remain the same across
   Sightline versions, but that doesn't necessarily mean that the API
   hasn't changed.  If keys are *added* to the API, but none of the
   existing keys are changed or removed and none of the types of the
   values change, the API version number will not change.  When
   referring to what version of the API you are using, the most
   accurate way is to combine the API version with the Sightline
   version.  In the example above the version of the API is "SP8.3
   APIv3".

   If you have written API clients that rely on a particular version,
   you can refer to that version in the URL by inserting =/vX/= after
   =/api/sp= where =X= is the version you want to use.  To see the
   index for version 1 on an SP leader running SP8.3 you can request
   the URL =https://spleader.example.com/api/sp/v1/= which will
   return a meta section that looks like:

   #+BEGIN_SRC sh :results output :exports results
   http --session leader GET https://leader.example.com/api/sp/v1/ | jq '{"meta":.meta}'
   #+END_SRC

   #+BEGIN_SRC json
     {
         "meta": {
             "sp_build_id": "HIT4",
             "sp_version": "8.3",
             "api": "SP",
             "api_version": "1",
             "sp_api_version": "1.0.0"
         }
     }
   #+END_SRC

   This example is using version "SP8.3 APIv1" of the API, which is
   different from SP8.1 APIv1 because the =api_version= key does not
   exist in SP8.1 APIv1, but because that key is additive and won't
   affect clients that are not looking for it the addition of that key
   doesn't require an increase in version.

   Because adding keys is not a change that will prevent a client
   written for a previous version from working, it is possible that a
   client written for SP8.3 APIv3 will see additional keys when the
   server is SP8.4 APIv3.  This also means that writing a client for
   an older API version may present keys that don't exist in
   original.  For example the addition of the key =highly_secure= in
   SP8.4 APIv4 may also appear in SP8.4 APIv3, but will not exist in
   SP8.3 APIv3.  Use caution when writing to prior APIs.

   The differences in each version are in the Deprecation Policy
   section of the Sightline REST API Reference manual that is
   available from the Sightline UI at the item "REST API
   Documentation" in the "Administration" menu.

** Reference Manual

   The Sightline REST API endpoint reference manual is available from
   the Sightline web interface by going to the "Administration" menu
   and choosing "REST API Documentation".

** Reporting Errors to Arbor
   #+INDEX: errors
   While Arbor Networks strives to provide you with well-written and
   well-tested software, it is possible that your application will
   uncover mistakes that we missed.

   In the case of the Sightline REST API, these mistakes will present
   themselves as a HTTP response with the code =500 INTERNAL SERVER
   ERROR=.  In nearly all cases this will also print some information
   to one of Sightline's log files.

   Arbor values your reporting of these errors and to help us diagnose
   and fix the problem, it is helpful if you include a few things with
   your report to the Arbor Technical Assistance Center.  In order of
   their general usefulness to us, these are:

   1. The API request that you made

      Only the part of the URL from =/api/sp= onwards is required; we
      do not need to have the name of your Sightline leader

   2. The sections of the logs files with any additional errors

      One or more of log files =syslog=, =www_access=, and =www_error=
      in the directory =/base/var/log/= on Sightline will likely have
      a Python traceback in them if you see an error with an HTTP
      status code of 500; a copy of that will be very useful for us.

   3. The =meta= information from any API request

      Making a request to =https://spleader.example.com/api/sp/= and
      sending us the results will contain the =meta= information that
      we need.

   4. The expected results or results of a similar query that works

   5. The Sightline diagnostics package

      A diagnostics package can be created from the Sightline command
      line by typing =system diagnostics=

   The Arbor Technical Assistance Center can be reached at
   http://support.arbornetworks.com

** Acknowledgments
   Thanks to:

   Andrea V, Andy C, David W, Grant L, Jen V, Todd S, Tony P.
** Contributing and other technical details
*** Contributing

    This document is intended to grow and change based on contributions
    from customers, Arbor field engineers, Arbor development engineers,
    and anyone else who wants to contribute.

    The contribution guidelines are pretty loose, but include things
    like:
     - the example should include both the source code and the
       surrounding text explaining it; a patch or pull request or two
       files or some other representation is fine
     - the example should try to minimize external dependencies,
       unless the point of the example is to should how to use them
     - the example should work and be readable by someone who is
       familiar with programming languages, either because it is a
       readable language or because the program has a lot of comments

    If you are contributing from within Arbor, you can use Reviewboard
    to submit your contributions against the internal repository.

    If you are contributing from outside of Arbor or just prefer
    Github, you can fork the repository and send pull requests with
    the changes.

    If you don't want to deal with Git at all, you can email
    =acaird@arbor.net= with the contribution and I'll probably get
    around to it.
*** Technical details

    This document is written using the OrgMode markup and is rendered
    into using Emacs and LaTeX and into HTML using Emacs.

    It may be possible to render this document into other formats
    using =pandoc=, but that is untested.
#+LATEX: \printindex
* Notes                                                            :noexport:

** Rendering
   - orgmode configuration for LaTeX output:
     http://orgmode.org/worg/org-tutorials/org-latex-export.html
   - captioning source blocks
     https://lists.gnu.org/archive/html/emacs-orgmode/2011-04/msg00877.html
   - minted: https://github.com/syl20bnr/spacemacs/issues/7055

** Principles of the Document

   - humans can read
   - minimize version specificness
   - examples that would be likely to be useful to a real-live
     customer

** Guidelines
   - might want this document to go into the =ArborSDK.zip= file in
     the build
   - might want to show this to the SEs at the SE Summit in October

* Footnotes

[fn:10] Managed Objects are licensed quantities in Sightline, see the
Deployment Status page
(http://sp.example.com/page?id=deployment_status) for how many managed
objects your license contains and how many you are using.

[fn:1] http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven

[fn:2] https://www.google.com/chrome/

[fn:3] https://www.gnu.org/software/sed/

[fn:4] https://www.gnu.org/software/gawk/

[fn:5] https://matplotlib.org/

[fn:6] https://arrow.readthedocs.io/en/latest/

[fn:7] https://github.com/fangyidong/json-simple

[fn:8] Put another way, this relieves contributors to this document of
the burden of updating all of the examples and descriptions every time
a new version of Sightline is released.  So if you come across an
example that is 8 versions old, be cautious or edit it and submit an
update to this document.

[fn:9] https://github.com/phihag/ipaddress