Dashboard API - Security Events - End-points returned only partial sets of data

c-o-e
Comes here often

Dashboard API - Security Events - End-points returned only partial sets of data

We encountered a strange behavior with some Dashboard APIs, which are returning only partial data sets.

 

In the Dashboard API documentation related to security events for example, we have the following:

 

  • t0: "The beginning of the timespan for the data. The maximum lookback period is 365 days from today."
  • t1: "The end of the timespan for the data. t1 can be a maximum of 365 days after t0"

 

(https://developer.cisco.com/meraki/api/#/rest/api-endpoints/security-events/get-network-security-eve...)

 

We have extended our easy-Meraki app in order to implement these endpoints and add a few dashboards and auto-remediations.

 

Once tested, we had the following results:

 

  • no problem to retrieve December 2019 events, the responses are accurate compared to the data exposed in the security center;
  • for all other months (prior to December), the calls returned empty lists;
  • with a very large timespan (instead of t0/t1), we retrieved more items but clearly not all the events (of course, we are far below the number of returned events limit).

 

Can someone confirm this behavior or there is an error on our side?

If it's a bug, anyone has a workaround to make it works before the fix?

 

Thank you for your feedback.

8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal

This sounds like a bug and you'll have to go through the trouble of opening a support case.

c-o-e
Comes here often

Thank you Philip for your swift answer.

 

Indeed, that was my first reflex.

 

I have opened a case a few hours ago but it was closed instantly because they do not provide support on Meraki Dashboard APIs and have no capability to forward the case to anyone who can investigate.

 

And they have suggested me to post here.

PhilipDAth
Kind of a big deal
Kind of a big deal

They can provide support - but my experience is it can take months to get something resolved.  They are not skilled in this area.

 

Can you post the smallest possible code snippet to re-produce the issue and I'll try it on one my orgs and see if I get the same issue.

c-o-e
Comes here often

Sure Philip.

The easiest way is probably to use the Postman collection but I can also provide you with some node or python code if needed.

 

For Postman:

 

a GET on 

https://api.meraki.com/api/v0/networks/{{YOUR_NETWORK_ID}}/securityEvents?t0=1572562800&t1=1575154799&perPage=1000

 

Should returns the security events between:

Friday, November 1, 2019 12:00:00 AM GMT+01:00 and Saturday, November 30, 2019 11:59:59 PM GMT+01:00

 

On our side => Empty.

And it's very unlikely 😉

 

You can try for any other period prior December.

For July for example with the following t0: 1561932000 and t1: 1564610399

 

On the other way around, for December, we have some results with the following t0 : 1575154800 and t1: 1577833199

 

 

@c-o-e Meraki support absolutely does provide support for Dashboard APIs, so if the engineer assigned to your case closed it for that reason, that was a mistake and we apologize. Do you happen to have a case number we could reference, so we can correct that for the future?

 

To @PhilipDAth's point about ability/willingness, different engineers have strengths in different areas, and there are some who do specialize in APIs. If a support engineer is not able to help with an API issue well enough, they should consult with another engineer who can.

Cameron Moody | Product Manager, Cisco Meraki
Nash
Kind of a big deal

@DexterLaBora Could you or one of your folks advise here?

chengineer
Meraki Alumni (Retired)
Meraki Alumni (Retired)

I see the same thing, and it seems like only the last month's worth of security events are returned for both the per-network and per-organization scoped endpoints.

 

With a query like securityEvents?perPage=1000&t0=2019-12-01Z00:00&t1=2019-12-31Z00:00, only the events starting on 12/8 or 12/9 (depending on network/org) are returned. The same thing happens when trying to use securityEvents?perPage=1000&timespan=31536000 (number of seconds in a year).

 

Definitely seems like a bug; can you PM me the case number please. @c-o-e?

Solutions Architect @ Cisco Meraki | API & Developer Ecosystem
c-o-e
Comes here often

Good to know i'm not crazy 😉

 

I just sent you the case number in a private message.

Thank you for your time.

Get notified when there are additional replies to this discussion.