Can't run queryHostGroups using a filter with name

[budachst]

I am trying to get the ID of a host group, by querying it via queryHostGroups. When I try to do kike this:

response = falcon.queryHostGroups(filter=f"name:'<group_name>'",
                                    offset=0,
                                    limit=10
                                  )

the result set is always empty. I can, however query host groups by either e.g. group_type or created_by, its just the name filter, which never returns any object. The response when querying for name as the filter returns this responde, regardless if <group_name> is an existing group name or not.

{'status_code': 200, 'headers': {'Server': 'nginx', 'Date': 'Fri, 09 Jun 2023 19:20:33 GMT', 'Content-Type': 'application/json', 'Content-Length': '177', 'Connection': 'keep-alive', 'Content-Encoding': 'gzip', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains', 'X-Cs-Region': 'eu-1', 'X-Cs-Traceid': 'bed64af1-812d-46eb-9a3f-aabc6d8996e6', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5993'}, 'body': {'meta': {'query_time': 0.005240594, 'pagination': {'offset': 0, 'limit': 10, 'total': 0}, 'trace_id': 'bed64af1-812d-46eb-9a3f-aabc6d8996e6'}, 'resources': [], 'errors': []}}

[jshcodes]

Well that's interesting...

The FQL rule for an exact match says your filter should be property:['string'] instead of property:'string'. My testing produces the same behavior you have identified; both variations of this syntax produce zero results when provided to the queryHostGroups and queryCombinedHostGroups operations.

I'll investigate for more detail regarding the preferred exact match syntax for these two operations. In the interim, I have a workaround that I think should work for most scenarios.

Hint that you're wildcarding, but don't actually provide a wildcard.

import os
from falconpy import HostGroup

groups = HostGroup(client_id=os.getenv("CLIENT_ID"), client_secret=os.getenv("CLIENT_SECRET"))

GROUP_NAME = "This is my test group name"

# This one will return zero results
groups.query_host_groups(filter=f"name:['{GROUP_NAME}']")
# This one will also return zero results
groups.query_host_groups(filter=f"name:'{GROUP_NAME}'")

# This one should work, we provide the hint with no actual wildcards
groups.query_host_groups(filter=f"name:*'{GROUP_NAME}'")

[budachst]

Yeah - I found out the same just yesterday evening, when I changed my filter accordingly to what you also provided:

response = falcon.queryHostGroups(filter=f"name:*'<group_name>'",
                                    offset=0,
                                    limit=10
                                  )

I was a bit surprised, since the examples I saw on this discussion group didn't utilize the wildcard hint and I was wondering, if I maybe had done something wrong. However, since you came up with the same workaround, I will go with that for the time being and see, if you can uncover as of why this has to be done this way.

Other than that - this is really an awesome piece of work!

[jshcodes]

Talked to @bk-cs about this one and we both think it's specific to the group name having a space in the string, as the standard syntax works for group names like "Test_Group" and "Test-Group". I'll update the documentation to detail what I find as I poke about.

Thank you for the feedback! Let us know of any other questions you encounter. 😄

[budachst]

Well… my goup names don't have spaces… or do you mean something else?

[jshcodes]

No I did mean in the name... that's even weirder. filter="name:'string-string'" just worked in one of my tests.

I think I need to build a test harness and map out all the variations.