
Getting empty results when using REST api query (ESM)

I'm using ESM (version 9.5.2, appliance).

I'm trying to integrate with the REST API to fetch and query events in the SIEM.
I'm using the qryExecuteDetail API with a simple query (no filters) to test that I can fetch all events.

But I always get this in the response body:

{"return": {
    "attributeColumn": 0,
    "countColumn": 0,
    "drilldownColumn": 1,
    "groupByString": "",
    "labelColumn": 0,
    "resultID": {"value": 140532958030616},
    "startTime": "03\/01\/2016 00:00:00",
    "stopTime": "03\/02\/2016 00:00:00",
    "totalResultID": {"value": 0},
    "totalRows": 0


Then, if I try to use the qryGetResults API to fetch the results (using the last resultID), I get a 400 response code and this error in the body:

ERROR_QueryResultNotAvailable (238)

Any idea what I'm doing wrong?


Re: Getting empty results when using REST api query (ESM)

Did you ever find an answer to this problem?

Currently have the same issue in 9.6.1


Re: Getting empty results when using REST api query (ESM)

I was getting the same issue. Check the following:

1) Poll the API to see if your results are ready (using qryGetStatus).

2) Once your results are ready, proceed to fetch them. However, bear in mind that you can't "exit" your logon session with the API and then get the results: they only last as long as your session.

So if you want to get your results, you need to set up some sort of "while" loop in your script that will check qryGetStatus until a 100% value is reached, then fetch the results, all in the same scriptblock. That solved the issue for me, although I'm working with ESM 10.0.3.

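The poll-then-fetch loop described in the last reply, as an added Python example that is not code from any poster or from the product. The method names, resultID and error 238 come from the thread; the `call(method, body)` session wrapper, the `percentComplete` and `rows` field names, the empty query body and the `FakeEsm` stand-in are assumptions made so the sketch runs offline.

```python
import time

class EsmError(Exception):
    """Error text returned by the API, e.g. ERROR_QueryResultNotAvailable (238)."""

def run_query(call, query, timeout=300.0, interval=2.0, sleep=time.sleep):
    """Start a query, poll it to 100%, then fetch the rows.

    call(method, body) must send every request over the SAME logon session,
    because results only last as long as that session.
    """
    result_id = call("qryExecuteDetail", query)["return"]["resultID"]
    deadline = time.monotonic() + timeout
    while True:
        status = call("qryGetStatus", {"resultID": result_id})["return"]
        if status["percentComplete"] >= 100:   # assumed field name
            break
        if time.monotonic() >= deadline:
            raise TimeoutError(f"query {result_id['value']} did not finish")
        sleep(interval)
    return call("qryGetResults", {"resultID": result_id})["return"]

class FakeEsm:
    """Constructed stand-in for the appliance so the example runs offline."""
    def __init__(self, polls_needed=3):
        self.polls_needed, self.jobs, self.sessions = polls_needed, {}, 0

    def login(self):
        self.sessions += 1
        sid = self.sessions                    # each logon is its own session
        return lambda method, body: self._handle(sid, method, body)

    def _handle(self, sid, method, body):
        if method == "qryExecuteDetail":
            rid = len(self.jobs) + 1
            self.jobs[rid] = {"sid": sid, "polls": 0}
            return {"return": {"resultID": {"value": rid}, "totalRows": 0}}
        job = self.jobs.get(body["resultID"]["value"])
        if job is None or job["sid"] != sid:   # other session: nothing there
            raise EsmError("ERROR_QueryResultNotAvailable (238)")
        if method == "qryGetStatus":
            job["polls"] += 1
            pct = min(100, 100 * job["polls"] // self.polls_needed)
            return {"return": {"percentComplete": pct}}
        if job["polls"] < self.polls_needed:   # fetched before 100%
            raise EsmError("ERROR_QueryResultNotAvailable (238)")
        return {"return": {"rows": [["constructed event 1"], ["constructed event 2"]]}}

if __name__ == "__main__":
    print(run_query(FakeEsm().login(), {}, sleep=lambda s: None))
```

Against a real appliance, `call` would wrap a single authenticated HTTP session object so the login, the polling and the fetch all share it.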