
qryExecuteGrouped API

I'm trying to perform a grouped query using the REST API, for example I would like to fetch the amount of events with a certain source IP

The query I'm using is:

qryExecuteGrouped?queryType=EVENT&groupType=COUNT

({
    "config": {
        "timeRange": "LAST_HOUR",
        "fields": [{"name": "SrcIP"}],
        "filters": [{
            'values': [{
                'value': "172.16.105.100",
                'type': 'EsmBasicValue'
            }],
            'type': 'EsmFieldFilter',
            'operator': 'EQUALS',
            'field': {'name': 'SrcIP'}}]
}}

However, the response is a filter error

Error executing query, filterString=Alert.LastTime[$Last,?Hour,DV,DV]#Alert.SrcIP[172.16.105.100] (ERROR_InvalidFilter (228))

Does anyone know what the issue could be?

4 Replies

Re: qryExecuteGrouped API

Probably not an issue for you anymore, but I have been working through a similar issue and believe one problem is the JSON syntax for the filter. Try this:

{
  "config": {
    "timeRange": "LAST_HOUR",
    "fields": [
      {
        "name": "SrcIP"
      }
    ],
    "filters": [
      {
        "field": {
          "name": "SrcIP"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "172.16.105.100",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      }
    ]
  }
}

I haven't tried it on my ESM, but it checks out on a JSON code validator. If it doesn't help the OP, hopefully this helps some other person trying to scour the internet for examples of qryExecuteGrouped like me.

Re: qryExecuteGrouped API

When I ran this on ESM (10.3.2) it generated the following error:

"An IPSID filter must be specified when issuing a grouped query"

This can be fixed by adding the appropriate IPSID filter for the device. Here is updated code with an example - please note that your IPSID value will be different.

{
  "config": {
    "timeRange": "LAST_HOUR",
    "fields": [
      {
        "name": "SrcIP"
      }
    ],
    "filters": [
      {
        "field": {
          "name": "IPSID"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "111111111111111111",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      },
      {
        "field": {
          "name": "SrcIP"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "172.16.105.100",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      }
    ]
  }
}

This fixes all of the field filter errors on my ESM, but now I get a new error:

"Couldn't find required information for field name SrcIP, check that the field name is valid."

Unfortunately I haven't found a fix for this one. I have tried all sorts of field names and references, nothing seems to work. Have an open case with support trying to resolve it. 

brenta (Reliable Contributor)

Re: qryExecuteGrouped API

Yeah, 

I see the issue here, I did have similar issues while wiring up a customer portal to the SIEM. The new API (REST v2) is still under active development, so it is possible things change from under your feet as versions are updated.

Some documentation seems to be missing regarding the querying of data. The following should work correctly. Ensure you post the correct authentication and JSON type headers as well.

https://<host>/rs/esm/v2/qryExecuteGrouped?queryType=EVENT&groupType=COUNT
{  
   "config":{  
      "timeRange":"LAST_HOUR",
      "fields":[  
         {  
            "name":"SrcIP",
            "table":"Alert",
            "typeBits":17,
            "id":null
         }
      ],
      "filters":[  
         {  
            "field":{  
               "name":"IPSID"
            },
            "operator":"EQUALS",
            "values":[  
               {  
                  "value":"111111111111111111",
                  "type":"EsmBasicValue"
               }
            ],
            "type":"EsmFieldFilter"
         },
         {  
            "type":"EsmFieldFilter",
            "field":{  
               "name":"SrcIP"
            },
            "operator":"EQUALS",
            "values":[  
               {  
                  "type":"EsmBasicValue",
                  "value":"172.16.105.100"
               }
            ]
         }
      ]
   }
}

Best

Brent

Re: qryExecuteGrouped API

A quick update on this topic...
After working through it with support a bug was identified and opened and has been resolved in 10.4.0. I was able to successfully use the qryExecuteGrouped API after upgrading to 10.4.0. Here is a working filter (with generic values) that hopefully will help someone who was where I was a few months ago. This example contains several filter criteria that aren't necessary for a simpler filter set, but were included to show one way I was able to specify multiple criteria.

API:
https://hostname.domain/rs/esm/v2/qryExecuteGrouped?queryType=EVENT


{
  "config": {
    "timeRange": "CUSTOM",
    "filters": [
      {
        "field": {
          "name": "IPSID"
        },
        "operator": "IN",
        "values": [
          {
            "value": "1234567890123456789",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      },
      {
        "field": {
          "name": "FieldFilterID"
        },
        "operator": "IN",
        "values": [
          {
            "value": "FieldFilter1",
            "type": "EsmBasicValue"
          },
          {
            "value": "FieldFilter2",
            "type": "EsmBasicValue"
          },
          {
            "value": "FieldFilter3",
            "type": "EsmBasicValue"
          },
          {
            "value": "FieldFilter4",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      }
    ],
    "customStart": "2019-07-07T06:00:00",
    "field": {
      "name": "Field_Name"
    },
    "customEnd": "2019-07-08T06:00:00"
  }
}
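As an added example (not code from any post in this thread, and not McAfee's own client), the Python below builds the request body the replies converge on, runs local checks for the rejections reported above before anything is sent, and shows why the single-quoted dict literal in the opening post is not JSON. The host name, the authentication header names, the IPSID value and the filter values are placeholders; the grouping column is passed as the singular "field" key, following the last post, and the ESM itself remains the authority on what it accepts.

```python
# Added example, not from the thread: build, pre-check and serialise a
# qryExecuteGrouped body. Helper names and the local checks are my own.
import json
import urllib.request
from datetime import datetime
from typing import Any, Dict, List, Optional, Sequence, Union

FilterValues = Union[str, Sequence[str]]


def field_filter(name: str, values: FilterValues, operator: Optional[str] = None) -> Dict[str, Any]:
    """EsmFieldFilter over EsmBasicValue values, the shape used in every post above.
    A single string defaults to EQUALS, a list of values to IN."""
    vals = [values] if isinstance(values, str) else list(values)
    if operator is None:
        operator = "EQUALS" if isinstance(values, str) else "IN"
    return {
        "type": "EsmFieldFilter",
        "field": {"name": name},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": str(v)} for v in vals],
    }


def grouped_query(group_field: str, ipsid: FilterValues,
                  extra_filters: Sequence[Dict[str, Any]] = (),
                  time_range: str = "LAST_HOUR",
                  custom_start: Union[None, str, datetime] = None,
                  custom_end: Union[None, str, datetime] = None) -> Dict[str, Any]:
    """Request body for qryExecuteGrouped. The IPSID filter goes first because the
    ESM rejects grouped queries without one; the grouping column is the singular
    "field" key that the last post reports working on 10.4.0."""
    config: Dict[str, Any] = {
        "timeRange": time_range,
        "field": {"name": group_field},
        "filters": [field_filter("IPSID", ipsid)] + list(extra_filters),
    }
    if time_range == "CUSTOM":
        if custom_start is None or custom_end is None:
            raise ValueError("timeRange CUSTOM needs custom_start and custom_end")
        fmt = "%Y-%m-%dT%H:%M:%S"  # timestamp layout used in the final post
        config["customStart"] = custom_start.strftime(fmt) if isinstance(custom_start, datetime) else custom_start
        config["customEnd"] = custom_end.strftime(fmt) if isinstance(custom_end, datetime) else custom_end
    return {"config": config}


def preflight(body: Dict[str, Any]) -> List[str]:
    """Local checks that mirror the server-side rejections seen in the thread,
    so a malformed body is caught before it is posted."""
    problems: List[str] = []
    cfg = body.get("config", {})
    filters = cfg.get("filters", [])
    if not any(f.get("field", {}).get("name") == "IPSID" for f in filters):
        problems.append("An IPSID filter must be specified when issuing a grouped query")
    if not cfg.get("field", {}).get("name"):
        problems.append("no grouping column: config.field.name is missing")
    if cfg.get("timeRange") == "CUSTOM" and not (cfg.get("customStart") and cfg.get("customEnd")):
        problems.append("timeRange CUSTOM without customStart/customEnd")
    for f in filters:
        if f.get("type") != "EsmFieldFilter" or not f.get("values"):
            problems.append("filter %r is not an EsmFieldFilter with values" % (f.get("field"),))
        if any(v.get("type") != "EsmBasicValue" for v in f.get("values", [])):
            problems.append("filter %r has a value that is not an EsmBasicValue" % (f.get("field"),))
    return problems


def is_json(text: str) -> bool:
    """True only for real JSON: the single-quoted Python dict literal in the opening
    post fails this, which is the syntax problem the first reply points at."""
    try:
        json.loads(text)
    except ValueError:
        return False
    return True


def to_json(body: Dict[str, Any]) -> str:
    return json.dumps(body, separators=(",", ":"))  # always double-quoted, valid JSON


def build_request(host: str, body: Dict[str, Any], auth_headers: Dict[str, str],
                  group_type: str = "COUNT") -> urllib.request.Request:
    """POST request for the endpoint used in the thread. auth_headers is whatever
    your ESM session requires (the thread only says authentication headers are
    needed, so none are assumed here); the JSON content type is added. Nothing is sent."""
    problems = preflight(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = "https://%s/rs/esm/v2/qryExecuteGrouped?queryType=EVENT&groupType=%s" % (host, group_type)
    headers = dict(auth_headers)
    headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=to_json(body).encode(), headers=headers, method="POST")


if __name__ == "__main__":
    # Placeholder IPSID and source IP, as in the posts above.
    body = grouped_query("SrcIP", "111111111111111111", [field_filter("SrcIP", "172.16.105.100")])
    print(to_json(body))
    no_ipsid = {"config": {"timeRange": "LAST_HOUR", "field": {"name": "SrcIP"},
                           "filters": [field_filter("SrcIP", "172.16.105.100")]}}
    print(preflight(no_ipsid))
```

The request object is returned rather than sent so the checks can be exercised without an ESM; pass it to `urllib.request.urlopen` (or your own session) once the authentication headers for your appliance are in place. If the ESM still answers with a filter error after `preflight` passes, the remaining variable is the field name itself, which is the problem the thread ends on.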
