Gravwell search API PowerShell Module

December 7, 2023

This small PowerShell module sends search queries from a local client to a Gravwell search API endpoint. It supports pre-configured JSON profiles so that repeated searches can be rerun without retyping their parameters.

Profiles are saved in the following format. The ServerIP and Key attributes are required in every profile; the Query, Duration and Format parameters can instead be supplied at invocation time.

```json
{
  "ServerIP": "<IP>:<port>",
  "Key": "<key>",
  "Query": "<query>",
  "Duration": "<hours>h",
  "Format": "<format>"
}
```

Following are some example invocations.

```powershell
# Run a query and save its parameters into default.json
Invoke-GravwellQuery -ServerIP 127.0.0.1 -Key "<key>" -Query "tag=windows" -Duration "24h" -Format "csv" -Save -ConfigurationFile "default.json" -Outfile results.csv

# Run a saved query
Invoke-GravwellQuery -Load -ConfigurationFile default.json -Outfile results.csv

# Run a saved profile, overriding its query at invocation time
Invoke-GravwellQuery -Load -ConfigurationFile default.json -Query "tag=windows" -Duration "12h" -Format "csv" -Outfile results.csv
```
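As an added illustration of how a profile and invocation-time parameters combine (this is example code, not the module's own), the following resolves a saved profile, applies overrides, validates the result and runs the search. It assumes Gravwell's direct-search endpoint (`POST /api/search/direct` authenticated with a `Gravwell-Token` header); the function names and the `csv` default are illustrative.

```powershell
function Resolve-GravwellProfile {
    param(
        [string]$ConfigurationFile,
        [hashtable]$Overrides = @{}
    )
    $settings = @{}
    if ($ConfigurationFile) {
        # Load a JSON profile in the format shown above
        $json = Get-Content -Raw -Path $ConfigurationFile | ConvertFrom-Json
        foreach ($p in $json.PSObject.Properties) { $settings[$p.Name] = $p.Value }
        # ServerIP and Key are required in every saved profile
        foreach ($required in 'ServerIP', 'Key') {
            if (-not $settings[$required]) { throw "Profile is missing required attribute: $required" }
        }
    }
    # Parameters supplied at invocation override whatever the profile holds
    foreach ($k in $Overrides.Keys) {
        if (-not [string]::IsNullOrEmpty($Overrides[$k])) { $settings[$k] = $Overrides[$k] }
    }
    # A query must come from the profile or the command line; reject bad durations early
    if (-not $settings['Query']) { throw "No Query in profile or on the command line" }
    if ($settings['Duration'] -and $settings['Duration'] -notmatch '^\d+h$') {
        throw "Duration must look like '24h', got '$($settings['Duration'])'"
    }
    if (-not $settings['Format']) { $settings['Format'] = 'csv' }   # assumed default
    return $settings
}

function Invoke-GravwellDirectSearch {
    param([hashtable]$Settings, [string]$Outfile)
    # Assumed endpoint and auth header (Gravwell direct search API); check your server's API docs
    $uri = "https://$($Settings.ServerIP)/api/search/direct"
    $body = @{ query = $Settings.Query; duration = $Settings.Duration; format = $Settings.Format }
    $resp = Invoke-WebRequest -Uri $uri -Method Post -Body $body -Headers @{ 'Gravwell-Token' = $Settings.Key }
    Set-Content -Path $Outfile -Value $resp.Content
}

# Saved profile with Query and Duration overridden at invocation time
$resolved = Resolve-GravwellProfile -ConfigurationFile 'default.json' -Overrides @{ Query = 'tag=windows'; Duration = '12h' }
Invoke-GravwellDirectSearch -Settings $resolved -Outfile 'results.csv'
```

The profile file holds the API key in clear text, so keep its permissions restricted to the account that runs the searches.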

The module can be found on GitHub.