Synchronous Alerts API
Last updated on:
The API allows you to retrieval of alert data via EventLog Analyzer.
When you perform an api call with the synchronous alert method, your query will be sent to the EventLog Analyzer server, which will obtain all the results before returning it to you. The total time taken for the process depends on the number of search results obtained.
Here are the steps involved to execute a synchronous alert query:
- Create an alert request with a set of relevant metadata.
- The server executes the request on the request thread and responds with the result.
- The server responds with cursor when there are additional results to be displayed other than the predefined number of results that are displayed.
- You can keep requesting with the next cursor to get the next set of results. This needs to be done until all alert hits are consumed and the server doesn't send a cursor back.
- EventLog Analyzer's cursor stays live for five minutes, if not used.
Request URL
Request Header
| Header name | Value | Mandatory | Description |
|---|---|---|---|
| Authorization | Bearer {{AuthToken}} | Yes | AuthToken generated from API Settings page.
e.g: |
Request Parameters
The request needs to be sent in the body of the request using JSON format. And should contain following key/value parameters
| Parameter name | Default value | Mandatory | Type | Description |
|---|---|---|---|---|
| query | * | No | String | Start value of the list |
| alert_profiles | all | No | JSONArray | List of alert profiles |
| severity | all | No | JSONArray | List of severity |
| status | all | No | JSONArray | List of status |
| from | current time - 24 hours | No | Long | Start time for search in Unix milliseconds |
| to | current time | No | Long | End time for search in Unix milliseconds |
| cursor | - | No | String | Cursor from next query |
- When the cursor is passed, the other parameters are not required.
- Quotes i.e ( " ") in query string should to be escaped. If query in EventLog Analyzer's search page is REMOTE_INTERFACE = "switch 1", then for Rest Api the query parameter should be written as "REMOTE_INTERFACE = \"switch 1\""
Response
The response will be a JSON object which will contain the following key/value pairs
| Parameter name | Description |
|---|---|
| hits | JSON object which contain alert hits for the request
Contains following fields |
Example usage using cURL
i) Search request with query
Sample request
curl --location --request POST 'http://localhost:8095/RestAPI/v1/alerts' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "query": "EVENTID = 16384 AND USERNAME = mhtoc", "alert_profiles": [1, 2, 601], "severity": ["CRITICAL"], "status": ["OPEN"], "from": 1643480792000, "to": 1643480479500 }'
Sample response:
{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA", "hits": { "hits": [{ "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422443", "IMPORTED_TIME": 1643531420365, "HOSTID": 601, "IPAddress2": "10.128.156.152", "Alert Profile": "Alert profile 1" }, { "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422446", "IPAddress1": "10.128.156.152", "HOSTID": 601, "IPAddress2": "10.128.156.152", "Alert Profile": "Alert profile 1" }], "hits_count_in_current_page": 3 } }
ii) Search request with cursor
Sample request
curl --location --request POST 'http://localhost:8095/RestAPI/v1/alerts' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA" }'
Sample response:
{ "hits": { "hits": [{ "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422443", "IMPORTED_TIME": 1643531420365, "HOSTID": 601, "IPAddress2": "10.128.156.152", "Alert Profile": "Alert profile 1" }, { "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422446", "IPAddress1": "10.128.156.152", "HOSTID": 601, "IPAddress2": "10.128.156.152", "Alert Profile": "Alert profile 1" }], "hits_count_in_current_page": 3 } }
iii) Invalid Search query
Sample request
curl --location --request POST 'http://localhost:8095/RestAPI/v1/alerts' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "query": "EVENTID := 16384 AND USERNAME <> mhtoc", "alert_profiles": [1, 2, 601], "severity": ["CRITICAL"], "status": ["OPEN"], "from": 1643480792000, "to": 1643480479500 }'
Sample response:
{
"ERROR": "SR007",
"ERROR_DESCRIPTION": "QUERY NOT VALID",
"ERRORS" : {
"context": "Failed to build query",
"cause": {
"reason": "Encountered \" \":\" \": \"\" at line 1, column 159.\r\nWas expecting one of:\r\n
Example usage using Postman (Third party tool)
i) Search request with query
ii) Search request with cursor
iii) Invalid query
