https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640554#M1163 <P>Hi there,&nbsp;</P><P>&nbsp;</P><P>I am trying to get the containers detials for stipulated time period, Lets say, Jan 1st 2023 - March 31st - 2023.&nbsp;</P><P>May I know what is the format here to get it from REST API. I am trying using below query&nbsp; and getting the results from the very latest conatiners as well.&nbsp;</P><P>&nbsp;</P><P><SPAN><A href="https://phantom.example.com/rest/container?sort=id&amp;order=desc&amp;label='phishing'&amp;page_size=40000&amp;&quot;start_time&quot;=&quot;2023-03-01T00:36:41.728895Z&quot;" target="_blank">https://phantom.example.com/rest/container?sort=id&amp;order=desc&amp;label='phishing'&amp;page_size=40000&amp;"start_time"="2023-03-01T00:00:41.728895Z"</A></SPAN></P><P>&nbsp;</P><P><SPAN>Sample output: sharing only one key: value pair</SPAN></P><DIV><DIV><SPAN>"start_time":&nbsp;"2023-04-19T07:36:41.728895Z",</SPAN></DIV></DIV> Wed, 19 Apr 2023 10:03:23 GMT JoshiSri 2023-04-19T10:03:23Z https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640554#M1163 <P>Hi there,&nbsp;</P><P>&nbsp;</P><P>I am trying to get the containers detials for stipulated time period, Lets say, Jan 1st 2023 - March 31st - 2023.&nbsp;</P><P>May I know what is the format here to get it from REST API. I am trying using below query&nbsp; and getting the results from the very latest conatiners as well.&nbsp;</P><P>&nbsp;</P><P><SPAN><A href="https://phantom.example.com/rest/container?sort=id&amp;order=desc&amp;label='phishing'&amp;page_size=40000&amp;&quot;start_time&quot;=&quot;2023-03-01T00:36:41.728895Z&quot;" target="_blank">https://phantom.example.com/rest/container?sort=id&amp;order=desc&amp;label='phishing'&amp;page_size=40000&amp;"start_time"="2023-03-01T00:00:41.728895Z"</A></SPAN></P><P>&nbsp;</P><P><SPAN>Sample output: sharing only one key: value pair</SPAN></P><DIV><DIV><SPAN>"start_time":&nbsp;"2023-04-19T07:36:41.728895Z",</SPAN></DIV></DIV> Wed, 19 Apr 2023 10:03:23 GMT https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640554#M1163 JoshiSri 2023-04-19T10:03:23Z https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640557#M1165 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/255647">@JoshiSri</a>&nbsp;you need to use the lte/gte conditions in the REST call:</P><P>e.g.</P><P>/rest/container?_filter_start_time__gte="2023-01-01T00:00:00"&amp;_filter_start_time__lte="2023-03-01T00:00:00"</P><P>Note the double "_" for the lte/gte&nbsp;</P><P>You can use python to create the date/time strings if you need to do this dynamically.&nbsp;</P><P>-- If this helped please mark as the solution. Happy SOARing --</P> Wed, 19 Apr 2023 10:10:09 GMT https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640557#M1165 phanTom 2023-04-19T10:10:09Z https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640561#M1166 <P>Awesome, worked like charm..!!&nbsp;</P><P>One last&nbsp; query, is there any limit for "<SPAN>page_size=40000</SPAN>" and "<SPAN>label='phishing'" this condition, is not working at all, is there a different way to parse label as phishing only containers?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks again, for your quick response.&nbsp;</SPAN></P> Wed, 19 Apr 2023 10:19:34 GMT https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640561#M1166 JoshiSri 2023-04-19T10:19:34Z https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640564#M1167 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/255647">@JoshiSri</a>&nbsp;you need to add `_filter_&lt;field&gt;` to your query.&nbsp;<BR /><BR />Also I am not sure about the page size but if you set it to 0 then you get all.&nbsp;</P> Wed, 19 Apr 2023 10:26:59 GMT https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640564#M1167 phanTom 2023-04-19T10:26:59Z https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640572#M1168 <P>Superb..!! Again, on the mark. Is there any doc for these kind of parameters?&nbsp;</P><P>&nbsp;</P><P>The one on the phantom doc is very on the higher level and is of no use if you want to drill down your search.&nbsp;</P><P>&nbsp;</P><P>It helps, thanks a lot.&nbsp;</P> Wed, 19 Apr 2023 11:31:09 GMT https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640572#M1168 JoshiSri 2023-04-19T11:31:09Z https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640573#M1169 <P>This is the best one from a fellow trust member:</P><P><A href="https://github.com/zamastyle/phantom_mhike/blob/main/Rest%20API%20Cheat%20Sheet.md" target="_blank">https://github.com/zamastyle/phantom_mhike/blob/main/Rest%20API%20Cheat%20Sheet.md</A>&nbsp;</P><P>Feel free to mark as a solution to help others with similar issues/queries</P> Wed, 19 Apr 2023 11:39:22 GMT https://community.splunk.com/t5/Splunk-SOAR/Getting-containers-from-Jan-to-March-using-REST-API/m-p/640573#M1169 phanTom 2023-04-19T11:39:22Z