icon-pdfDownload PDF lhs-panel
lhs-panel Click here to expand

Synchronous Search API

The API allows you to perform search against EventLog Analyzer.

When you perform a search with the synchronous search method, your query is sent to the EventLog Analyzer server, which will obtain all the results before returning it to you. The time taken for the process depends on the number of search results obtained.

Here are the steps involved in executing a synchronous search query:

  • Create a search request with a set of relevant metadata.
  • The server executes the request on the request thread and responds with the result.
  • The server responds with cursor when more results are present.
  • You can keep requesting with the next cursor to get the next result set. This needs to be done until all search hits are consumed and the server doesn't send a cursor back.
  • EventLog Analyzer's cursor stays live for five minutes, if not used.

Request URL

POST http://hostname:8400/RestAPI/v1/search

Request Header

Header name Value Mandatory Description
Authorization Bearer {{AuthToken}} Yes AuthToken generated from API Settings page.

e.g: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx

Request Parameters

The request needs to be sent in the body of the request using JSON format. And should contain following key/value parameters

Parameter name Default value Mandatory Type Description
query * No String Start value of the list
hosts all No JSONArray List of hosts to search
groups all No JSONArray List of device groups to search
from current time - 24 hours No Long Start time for search in Unix milliseconds
to current time No Long End time for search in Unix milliseconds
cursor - No String Cursor from next query
Note:
  1. When the cursor is passed, the other parameters are not required.
  2. Quotes i.e ( " ") in query string should to be escaped. If query in EventLog Analyzer's search page is REMOTE_INTERFACE = "switch 1", then for Rest Api the query parameter should be written as "REMOTE_INTERFACE = \"switch 1\""

Response

The response will be a JSON object which will contain the following key/value pairs

Parameter name Description
hits JSON object which contain search hits for the request

Contains following fields
hits: List of search hits
hits_count_in_current_page: Hits count in current search response

Example usage using cURL

i) Search request with query

Sample request

Copy to Clipboard

curl --location --request POST 'http://localhost:8400/RestAPI/v1/search' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "query": "EVENTID = 16384 AND USERNAME = mhtoc", "hosts": [1, 2, 601], "groups": [3], "from": 1643480792000, "to": 1643480479500 }'

Sample response:

Copy to Clipboard

{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA", "hits": { "hits": [{ "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422443", "IMPORTED_TIME": 1643531420365, "HOSTID": 601, "IPAddress2": "10.128.156.152" }, { "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422446", "IPAddress1": "10.128.156.152", "HOSTID": 601, "IPAddress2": "10.128.156.152" }], "hits_count_in_current_page": 3 } }

ii) Search request with cursor

Sample request

Copy to Clipboard

curl --location --request POST 'http://localhost:8400/RestAPI/v1/search' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "cursor": "DnF1ZXJ5VGhlbkZldGNoFwAAAAAAAARoFlloajVvRlN5UlQ2RGVTWlhPS2V1WHcAA" }'

Sample response:

Copy to Clipboard

{ "hits": { "hits": [{ "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.loin64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422443", "IMPORTED_TIME": 1643531420365, "HOSTID": 601, "IPAddress2": "10.128.156.152" }, { "COMMON_SEVERITY": "INFORMATION", "IS_THROWAWAY": true, "HOSTNAME": "lix", "APPID": 2, "FORMATID": 302, "RAWLOG": "roy.sulivan /event/emberAPI/ELANotificationActions \"https://eventlog.l 15 142 200 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\"", "TIME": "1643531422446", "IPAddress1": "10.128.156.152", "HOSTID": 601, "IPAddress2": "10.128.156.152" }], "hits_count_in_current_page": 3 } }

iii) Invalid Search query

Sample request

Copy to Clipboard

curl --location --request POST 'http://localhost:8400/RestAPI/v1/search' \ -H "Accept: application/json" -H "Authorization: Bearer mdrkoda0odmtmznloc00ndziltg0mgutmwzkztljmjvmzwmx " --data-raw '{ "query": "EVENTID := 16384 AND USERNAME <> mhtoc", "hosts": [1, 2, 601], "groups": [3], "from": 1643480792000, "to": 1643480479500 }'

Sample response

Copy to Clipboard

{ "ERROR": "SR007", "ERROR_DESCRIPTION": "QUERY NOT VALID", "ERRORS" : { "context": "Failed to build query", "cause": { "reason": "Encountered \" \":\" \": \"\" at line 1, column 159.\r\nWas expecting one of:\r\n ...\r\n \"+\" ...\r\n \"-\" ...\r\n ...\r\n \"(\" ...\r\n \"*\" ...\r\n ...\r\n ...\r\n ...\r\n ...\r\n ...\r\n \"[\" ...\r\n \"{\" ...\r\n ...\r\n ...\r\n ", "type": "ParseException" } } }

Example usage using Postman (Third party tool)

i) Search request with query

Synchronous Search API

ii) Search request with cursor

Synchronous Search API

iii) Invalid query

Synchronous Search API

On this page

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link