ziad1

How to use EsmFilterGroup?

I'm using the SOAP API to issue some queries to Nitro ESM. I'd like to have a filter query on multiple columns (e.g. SrcPort = 123 OR DstPort = 80), or multiple values of the same column (e.g. DstPort = 23 OR DstPort = 514).

From the ESM API page, it seems that we need to use an EsmFilterGroup object. I have the following pseudo-code:

filter23 = new EsmFieldFilter()
filter23.setField("DstPort")
filter23.setValue("23")
filter23.setOperator(EQUALS)

filter514 = new EsmFieldFilter()
filter514.setField("DstPort")
filter514.setValue("514")
filter514.setOperator(EQUALS)

filterGroup = new EsmFilterGroup()
filterGroup.setLogic(OR)
filterGroup.getFilters().add(filter23)
filterGroup.getFilters().add(filter514)

config.getFilters().add(filterGroup)

However, I get an exception when I run the query (using qryExecuteDetail()):

com.mcafee.siem.api.v2.EsmException: ERROR_SQLiFilterItem (255)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.7.0_25]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) ~[na:1.7.0_25]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.7.0_25]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526) ~[na:1.7.0_25]
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130) ~[na:1.7.0_25]
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108) ~[na:1.7.0_25]
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78) ~[na:1.7.0_25]
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129) ~[na:1.7.0_25]
    at com.sun.proxy.$Proxy35.qryExecuteDetail(Unknown Source) ~[na:na]

Note that I am able to successfully run a query with a single filter set (e.g. config.getFilters().add(filter4624)). What is the correct way of specifying multiple filters OR-ed together for a single query?
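The two shapes the post asks for (several values of one column OR-ed together, and a condition spanning two columns) are both just a group whose logic is OR and whose members are single field filters, and a group can itself sit inside another group. The following is an added example that is not part of the post and does not use the McAfee ESM API: it is a small local model of nested filter groups, with its own hypothetical names (FieldFilter, FilterGroup, SCHEMA, the constructed sample events), that evaluates such a filter tree against events and rejects a filter item whose value is not a clean literal for its column before anything is sent to a backend. The server-side check that produced ERROR_SQLiFilterItem is not reproduced here; the validation below is this example's own assumption about what a client should refuse to send.

```python
# Hypothetical local model of nested query filters. FieldFilter, FilterGroup,
# SCHEMA, OPERATORS and EVENTS are this example's own names, not the ESM API's.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed schema: the columns a query may filter on and how values are parsed.
SCHEMA: Dict[str, str] = {"SrcPort": "port", "DstPort": "port", "SigID": "int", "User": "text"}

# Allowed character set for text literals (assumption for this example).
_TEXT_OK = re.compile(r"^[A-Za-z0-9_.@\-]+$")


def parse_value(field_name: str, raw: str):
    """Validate a filter value for its column and convert it to the comparable type.
    Anything that is not a plain literal for that column is rejected client-side."""
    kind = SCHEMA.get(field_name)
    if kind is None:
        raise ValueError(f"unknown field {field_name!r}")
    if kind in ("port", "int"):
        if not raw.isdigit():
            raise ValueError(f"{field_name}: {raw!r} is not an integer literal")
        n = int(raw)
        if kind == "port" and not 0 <= n <= 65535:
            raise ValueError(f"{field_name}: {n} is outside the port range")
        return n
    if not _TEXT_OK.match(raw):
        raise ValueError(f"{field_name}: {raw!r} contains characters outside the allowed set")
    return raw


# Comparison operators a single filter item may use (this example's own set).
OPERATORS = {
    "EQUALS": lambda a, b: a == b,
    "NOT_EQUALS": lambda a, b: a != b,
    "GREATER_THAN": lambda a, b: a > b,
    "LESS_THAN": lambda a, b: a < b,
}


@dataclass
class FieldFilter:
    """One column/operator/value condition, the leaf of the filter tree."""
    field_name: str
    value: str
    operator: str = "EQUALS"

    def validate(self) -> None:
        if self.operator not in OPERATORS:
            raise ValueError(f"unsupported operator {self.operator!r}")
        parse_value(self.field_name, self.value)

    def matches(self, event: dict) -> bool:
        if self.field_name not in event:
            return False
        return OPERATORS[self.operator](event[self.field_name], parse_value(self.field_name, self.value))


@dataclass
class FilterGroup:
    """AND/OR combination of field filters and nested groups."""
    logic: str = "AND"
    filters: List[Union[FieldFilter, "FilterGroup"]] = field(default_factory=list)

    def validate(self) -> None:
        if self.logic not in ("AND", "OR"):
            raise ValueError(f"unsupported group logic {self.logic!r}")
        if not self.filters:
            raise ValueError("empty filter group")
        for f in self.filters:
            f.validate()

    def matches(self, event: dict) -> bool:
        results = (f.matches(event) for f in self.filters)
        return any(results) if self.logic == "OR" else all(results)


def run_query(root: FilterGroup, events: List[dict]) -> List[dict]:
    """Validate the whole tree first, then return the events it selects."""
    root.validate()
    return [e for e in events if root.matches(e)]


def is_rejected(root: FilterGroup) -> bool:
    """True if validation refuses the tree (used to show the client-side check)."""
    try:
        root.validate()
    except ValueError:
        return True
    return False


# Constructed sample events, not real SIEM data.
EVENTS = [
    {"id": 1, "SrcPort": 123, "DstPort": 23, "User": "alice"},
    {"id": 2, "SrcPort": 51000, "DstPort": 514, "User": "bob"},
    {"id": 3, "SrcPort": 51001, "DstPort": 80, "User": "carol"},
    {"id": 4, "SrcPort": 51002, "DstPort": 443, "User": "dave"},
]


def dst_port_23_or_514() -> FilterGroup:
    """Several values of one column: DstPort = 23 OR DstPort = 514."""
    return FilterGroup("OR", [FieldFilter("DstPort", "23"), FieldFilter("DstPort", "514")])


def src_123_or_dst_80() -> FilterGroup:
    """Condition across two columns: SrcPort = 123 OR DstPort = 80."""
    return FilterGroup("OR", [FieldFilter("SrcPort", "123"), FieldFilter("DstPort", "80")])


def matching_ids(root: FilterGroup) -> List[int]:
    return [e["id"] for e in run_query(root, EVENTS)]


if __name__ == "__main__":
    print(matching_ids(dst_port_23_or_514()))  # [1, 2]
    print(matching_ids(src_123_or_dst_80()))  # [1, 3]
```

Because a FilterGroup can contain another FilterGroup, an AND of one OR-group and a single filter (for example the DstPort group above combined with User = alice) is built the same way, and validation walks the whole tree before any evaluation, so a value such as "23 OR 1=1" for a port column is refused at the client rather than being handed to the backend.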
