collect_client

Function

| Arg | Description | Type |
|---|---|---|
| client_id | The client id to schedule a collection on | string (required) |
| artifacts | A list of artifacts to collect | list of string (required) |
| env | Parameters to apply to the artifact (an alternative to a full spec) | Any |
| spec | Parameters to apply to the artifacts | Any |
| timeout | Set query timeout (default 10 min) | uint64 |
| ops_per_sec | Set query ops_per_sec value | float64 |
| cpu_limit | Set query cpu_limit value | float64 |
| iops_limit | Set query iops_limit value | float64 |
| max_rows | Max number of rows to fetch | uint64 |
| max_bytes | Max number of bytes to upload | uint64 |
| urgent | Set the collection as urgent - skips other queued collections on the client. | bool |

Description

Launch an artifact collection against a client. If the client_id is “server” then the collection occurs on the server itself. In that case the caller needs the SERVER_ADMIN permission.

There are two ways of specifying how to collect the artifacts. The simplest way is to give the environment string in the env parameter and the list of artifacts to collect in the artifacts parameter.

In this case all artifacts receive the same parameters. For example:

SELECT collect_client(
    client_id='C.11a3013ccaXXXXX',
    artifacts='Windows.KapeFiles.Targets',
    env=dict(Device ='C:', VSSAnalysis='Y', KapeTriage='Y')).request AS Flow
FROM scope()

Sometimes a number of artifacts use the same parameter name for different purposes. In that case we wish to specify precisely which artifact receives which parameter. This more complex way of specifying the collection uses the spec parameter:

SELECT collect_client(
    client_id='C.11a3013ccaXXXXX',
    artifacts='Windows.KapeFiles.Targets',
    spec=dict(`Windows.KapeFiles.Targets`=dict(
        Device ='C:', VSSAnalysis='Y', KapeTriage='Y'))).request AS Flow
FROM scope()

In this case the artifact names are repeated in the spec and the artifacts parameter.

NOTE: When constructing the dictionaries for the spec parameter you will often need to specify a field name containing a full stop. Escape it with backticks, as in the example above.
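As an added example (not taken from the Velociraptor documentation), the query below collects two artifacts that both take a parameter named Device, which is exactly the case env cannot express and spec can; the second artifact name Custom.Triage.Example and its Device/MaxSize parameters are placeholders, and the client id is constructed.

```vql
-- Added example: a spec-based collection of two artifacts whose
-- parameters collide on the name "Device". Custom.Triage.Example
-- and its parameters are placeholders; the client id is constructed.
LET Targets = dict(
    -- Artifact names contain full stops, so they are backtick-escaped.
    `Windows.KapeFiles.Targets`=dict(
        Device='C:', VSSAnalysis='Y', KapeTriage='Y'),
    -- Same parameter name, but it means something else to this artifact.
    `Custom.Triage.Example`=dict(
        Device='D:', MaxSize=10485760))

SELECT collect_client(
    client_id='C.11a3013ccaXXXXX',
    artifacts=['Windows.KapeFiles.Targets', 'Custom.Triage.Example'],
    spec=Targets,
    -- Bound the collection: 30 minute timeout, upload capped at 2 GiB.
    timeout=1800,
    max_bytes=2147483648).request AS Flow
FROM scope()
```

Each artifact listed in artifacts must have a matching key in spec; the limit parameters (timeout, max_bytes, and the others in the table) apply to the collection as a whole, not per artifact.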
