Looker

This integration was integrated and tested with Looker version 6.10.20.

Use Cases

  1. Ingest query results as incidents.
  2. Run a custom (inline) query as part of a playbook.
  3. Automatically create and save a query as a look.

Important Information

Read this section to learn how to obtain the information required to configure the integration.

Generate an API3 key for a Looker user:

  1. Log in to the Looker web interface with an account that is permitted to manage users.
  2. At the top of the page, click the “Admin” drop-down and select “Users”.
  3. Select the user you would like to generate the API3 key for.
  4. Go to “API3 Keys” and select “Edit Keys”.
  5. Click “New API3 Key”.

Get a Look ID:

Usages:

  • “Look name or ID to fetch incidents from” integration parameter.
  • Look ID command arguments.
  • Uniquely identify a Look (the name is not unique).

Option A: Looker Web Interface

  1. Click on a look.
  2. The number at the end of the URL is the ID of the look.

Option B: Demisto commands

  1. Configure the Looker integration without enabling incident fetching or filling in the “Look name or ID to fetch incidents from” parameter.
  2. Run the looker-search-queries or looker-search-looks command.
  3. The ID will be part of the results (among other look details).

Get model and view names from an explore’s URL:

  1. Navigate to the explore.
  2. The URL will be formatted like this: https://<looker server>/explore/<model>/<view>

Get a field’s SQL name (for command arguments):

  1. Navigate to the explore.
  2. Click a field.
  3. In the DATA tab, click SQL.

You will see the field name in the following format: object_name.field_name.

Configure Looker on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Looker.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API URL and port (e.g., https://example.looker.com:19999)
    • Trust any certificate (not secure)
    • Use system proxy settings
    • API3 Client ID
    • API3 Client Secret
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Run a saved look


Runs a saved look and returns the results in the specified format.

Base Command

looker-run-look

Input
Argument Name | Description | Required
id | ID of the look. Can be found in the look’s URL, or by running the ‘looker-search-looks’ command. | Optional
fields | Fields to return. | Optional
name | Name of the look. | Optional
limit | Maximum number of looks to return (0 for looker-determined limit). | Optional
result_format | Format of the result. | Required

Context Output
Path | Type | Description
LookerResults.LookID | Number | Look ID.
LookerResults.Results | Unknown | Look Results.

Command Example
!looker-run-look name="Look 1" limit="2" result_format="json"
Context Example
"LookerResults": {
    "LookID": 3,
    "Results": [
        {
            "OrderItems_Id": 160086,
            "OrderItems_OrderId": 153797, 
            "OrderItems_Status": "Complete", 
            "OrderItems_CreatedDate": "2019-04-02",
            "OrderItems_SalePrice": 54,
            "Products_Brand": "Alternative",
            "Products_ItemName": "Alternative Women's Alice Drop Shoulder V-Neck",
            "Users_Name": "Chelsea Mccormick",
            "Users_Email": "example@gmail.com"
        }, 
        {
            "OrderItems_Id": 63757,
            "OrderItems_OrderId": 58557, 
            "OrderItems_Status": "Cancelled", 
            "OrderItems_CreatedDate": "2019-04-19",
            "OrderItems_SalePrice": 49.5,
            "Products_Brand": "Lucky Brand",
            "Products_ItemName": "Lucky Brand Women's Plus-Size Moroccan Medallion Tee",
            "Users_Name": "Darrell Nelson",
            "Users_Email": "example@aol.com"
        }
    ]
}
Human Readable Output

Results for look Look 1

LookerResults.Results.OrderItems_Id | LookerResults.Results.OrderItems_OrderId | LookerResults.Results.OrderItems_Status | LookerResults.Results.OrderItems_CreatedDate | LookerResults.Results.OrderItems_SalePrice | LookerResults.Results.Products_Brand | LookerResults.Results.Products_ItemName | LookerResults.Results.Users_Name | LookerResults.Results.Users_Email
160086 | 153797 | Complete | 2019-04-02 | 54 | Alternative | Alternative Women’s Alice Drop Shoulder V-Neck | Chelsea Mccormick | example.gmail.com
63757 | 58557 | Cancelled | 2019-04-19 | 49.5 | Lucky Brand | Lucky Brand Women’s Plus-Size Moroccan Medallion Tee | Darrell Nelson | example.gmail.com

This command has dynamic output keys.
To access them in the context, copy the key’s path from the column header in the results table.

2. Search for saved looks


Retrieves saved looks that match the search criteria.

Base Command

looker-search-looks

Input
Argument Name | Description | Required
name | Match look name. | Optional
space_id | Filter results by a particular space. | Optional
user_id | Filter by dashboards created by a particular user. | Optional
limit | Maximum number of looks to return (0 for looker-determined limit). | Optional

Context Output
Path | Type | Description
Looker.Look.ID | Number | Look ID.
Looker.Look.Name | String | Look name.
Looker.Look.SpaceID | Number | ID of the space that contains the look.
Looker.Look.SpaceName | String | Name of the space that contains the look.
Looker.Look.LastUpdated | Date | The time that the look was last updated.

Command Example
!looker-search-looks limit="2"
Context Example
"Looker": {
    "Look": [
        {
            "ID": 3,
            "LastUpdated": "2019-04-10T16:11:43.249Z",
            "Name": "Look 1",
            "SpaceID": 6,
            "SpaceName": "Space 1"
        },
        {
            "ID": 4,
            "LastUpdated": "2019-04-16T11:41:57.482Z",
            "Name": "Look 2",
            "SpaceID": 7,
            "SpaceName": "Space 2"
        }
    ]
}
Human Readable Output

Look search results

ID | Name | SpaceID | SpaceName | LastUpdated
3 | Look 1 | 6 | Space 1 | 2019-04-10T16:11:43.249Z
4 | Look 2 | 7 | Space 2 | 2019-04-16T11:41:57.482Z

3. Run an inline query


Runs a query defined in the command arguments, rather than a query saved in Looker.

Base Command

looker-run-inline-query

Input
Argument Name | Description | Required
model | Name of the model. Can be found in the explore’s URL. | Required
view | Name of the view or explore. Can be found in the explore’s URL. | Required
fields | List of fields to display. (Field name format: “object_name.field_name”). | Optional
filters | Filters for the query, passed as a comma-separated list with the format: “field name=filter value;…” (Field name format: “object_name.field_name”). | Optional
pivots | List of pivots. (Field name format: “object_name.field_name”). | Optional
sorts | Sorting for the query results. (Field name format: “object_name.field_name”). | Optional
limit | Maximum number of looks to return (0 for looker-determined limit). | Optional
result_format | Format of the result. | Required

Context Output
Path | Type | Description
LookerResults.InlineQuery | Unknown | Inline query results.

Command Example
!looker-run-inline-query model="thelook" view="order_items" fields="order_items.status, order_items.order_id, products.brand" filters="products.brand=Ray-Ban, Calvin Klein" limit="2" result_format="json"
Context Example
"LookerResults": {
    "InlineQuery": [
        {
            "OrderItems_OrderId": 5704,
            "OrderItems_Status": "Cancelled",
            "Products_Brand": "Ray-Ban"
        },
        {
            "OrderItems_OrderId": 1535,
            "OrderItems_Status": "Cancelled",
            "Products_Brand": "Ray-Ban"
        }
    ]
}
Human Readable Output

Inline Query Results

LookerResults.InlineQuery.OrderItems_Status | LookerResults.InlineQuery.OrderItems_OrderId | LookerResults.InlineQuery.Products_Brand
Cancelled | 5704 | Ray-Ban
Cancelled | 1535 | Ray-Ban
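
The fields and filters arguments above are free-text strings that a playbook may fill from incident data, so it helps to validate them before they become a query. The following Python code is an added example, not the integration's own code: the function names are hypothetical, it assumes ';' separates filters (per the “field name=filter value;…” format) and that a comma inside a filter value belongs to the Looker filter expression, and it rejects any name that does not match object_name.field_name.

```python
import re

# Field names use the page's object_name.field_name format (constructed rule).
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*")


def parse_fields(value):
    """Split a comma-separated field list and validate every name."""
    names = [f.strip() for f in (value or "").split(",") if f.strip()]
    for name in names:
        if not FIELD_RE.fullmatch(name):
            raise ValueError(f"invalid field name: {name!r}")
    return names


def parse_filters(value):
    """Parse 'field=expr;field=expr' into {field: expr}.

    Assumption: ';' separates filters; a comma inside the value is kept,
    since it belongs to the Looker filter expression (match any listed value).
    """
    filters = {}
    for entry in (value or "").split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        field, sep, expr = entry.partition("=")  # split on the first '=' only
        field, expr = field.strip(), expr.strip()
        if not sep or not expr:
            raise ValueError(f"expected 'field name=filter value': {entry!r}")
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"invalid field name in filter: {field!r}")
        filters[field] = expr
    return filters


def build_inline_query(args):
    """Build an inline query body from command arguments (hypothetical helper)."""
    body = {"model": args["model"], "view": args["view"],
            "fields": parse_fields(args.get("fields")),
            "filters": parse_filters(args.get("filters"))}
    if args.get("limit"):
        body["limit"] = str(int(args["limit"]))  # non-numeric limit raises ValueError
    return body


# Arguments from the command example on this page.
EXAMPLE_ARGS = {"model": "thelook", "view": "order_items", "limit": "2",
                "fields": "order_items.status, order_items.order_id, products.brand",
                "filters": "products.brand=Ray-Ban, Calvin Klein"}
```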

4. Create a look


Creates a look from a query.

Base Command

looker-create-look

Input
Argument Name | Description | Required
model | Name of the model. Can be found in the explore’s URL. | Required
view | Name of the view or Explore. Can be found in the explore’s URL. | Required
fields | List of fields to display. (Field name format: “object_name.field_name”). | Optional
filters | Filters for the query, passed as a comma-separated list with the format: “field name=filter value;…” (Field name format: “object_name.field_name”). | Optional
pivots | List of pivots. (Field name format: “object_name.field_name”). | Optional
sorts | Sorting for the query results. (Field name format: “object_name.field_name”). | Optional
look_title | Title of the look. | Required
look_description | Description of the look. | Optional
look_space_id | ID of the space that will contain the look. | Required

Context Output
Path | Type | Description
Looker.Look.ID | Number | Look ID.
Looker.Look.Name | String | Look name.
Looker.Look.SpaceID | Number | ID of the space that contains the look.
Looker.Look.SpaceName | String | Name of the space that contains the look.
Looker.Look.LastUpdated | Date | The time that the look was last updated.

This command has dynamic output keys.
To access them in the context, copy the key’s path from the column header in the results table.

Command Example
!looker-create-look model="thelook" view="order_items" fields="order_items.status, order_items.order_id, products.brand" filters="products.brand=Ray-Ban, Calvin Klein" look_space_id=6 look_title="Look 3" look_description="This is my third saved look"
Context Example
"Looker": {
    "Look": {
        "ID": 7,
        "LastUpdated": "2019-04-10T16:11:43.249Z",
        "Name": "Look 3",
        "SpaceID": 6,
        "SpaceName": "Space 1"
    }
}
Human Readable Output

Look “Look 3” created successfully

ID | Name | SpaceID | SpaceName | LastUpdated
7 | Look 3 | 6 | Space 1 | 2019-04-10T16:11:43.249Z