Synchronous Search API
Last updated on:
The API allows you to perform search against EventLog Analyzer.
When you perform a search with the synchronous search method, your query is sent to the EventLog Analyzer server, which will obtain all the results before returning it to you. The time taken for the process depends on the number of search results obtained.
Here are the steps involved in executing a synchronous search query:
- Create a search request with a set of relevant metadata.
- The server executes the request on the request thread and responds with the result.
- The server responds with cursor when more results are present.
- You can keep requesting with the next cursor to get the next result set. This needs to be done until all search hits are consumed and the server doesn't send a cursor back.
- EventLog Analyzer's cursor stays live for five minutes, if not used.
Request URL
Request Header
| Header name | Value | Mandatory | Description |
|---|---|---|---|
| Authorization | Bearer {{AuthToken}} | Yes | AuthToken generated from API Settings page.
e.g: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx |
Request Parameters
The request needs to be sent in the body of the request using JSON format. And should contain following key/value parameters
| Parameter name | Default value | Mandatory | Type | Description |
|---|---|---|---|---|
| query | * | No | String | Start value of the list |
| hosts | all | No | JSONArray | List of hosts to search |
| groups | all | No | JSONArray | List of device groups to search |
| from | current time - 24 hours | No | Long | Start time for search in Unix milliseconds |
| to | current time | No | Long | End time for search in Unix milliseconds |
| cursor | - | No | String | Cursor from next query |
- When the cursor is passed, the other parameters are not required.
- Quotes i.e ( " ") in query string should to be escaped. If query in EventLog Analyzer's search page is REMOTE_INTERFACE = "switch 1", then for Rest Api the query parameter should be written as "REMOTE_INTERFACE = \"switch 1\""
Response
The response will be a JSON object which will contain the following key/value pairs
| Parameter name | Description |
|---|---|
| hits | JSON object which contain search hits for the request
Contains following fields |
Example usage using cURL
i) Search request with query
Sample request
curl --location --request POST 'http://localhost:8095/RestAPI/v1/search' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "query": "EVENTID = 16384 AND USERNAME = mhtoc", "hosts": [1, 2, 601], "groups": [3], "from": 1643480792000, "to": 1643480479500 }'
Sample response:
{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA", "hits": { "hits": [{ "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422443", "IMPORTED_TIME": 1643531420365, "HOSTID": 601, "IPAddress2": "10.128.156.152" }, { "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422446", "IPAddress1": "10.128.156.152", "HOSTID": 601, "IPAddress2": "10.128.156.152" }], "hits_count_in_current_page": 3 } }
ii) Search request with cursor
Sample request
curl --location --request POST 'http://localhost:8095/RestAPI/v1/search' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA" }'
Sample response:
{ "hits": { "hits": [{ "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422443", "IMPORTED_TIME": 1643531420365, "HOSTID": 601, "IPAddress2": "10.128.156.152" }, { "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422446", "IPAddress1": "10.128.156.152", "HOSTID": 601, "IPAddress2": "10.128.156.152" }], "hits_count_in_current_page": 3 } }
iii) Invalid Search query
Sample request
curl --location --request POST 'http://localhost:8095/RestAPI/v1/search' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "query": "EVENTID := 16384 AND USERNAME <> mhtoc", "hosts": [1, 2, 601], "groups": [3], "from": 1643480792000, "to": 1643480479500 }'
Sample response:
{
"ERROR": "SR007",
"ERROR_DESCRIPTION": "QUERY NOT VALID",
"ERRORS" : {
"context": "Failed to build query",
"cause": {
"reason": "Encountered \" \":\" \": \"\" at line 1, column 159.\r\nWas expecting one of:\r\n
Example usage using Postman (Third party tool)
i) Search request with query
ii) Search request with cursor
iii) Invalid query
