
qryExecuteGrouped API

I'm trying to perform a grouped query using the REST API; for example, I would like to fetch the number of events with a certain source IP.

The query I'm using is:

qryExecuteGrouped?queryType=EVENT&groupType=COUNT

({
        "config": {
            "timeRange": "LAST_HOUR",
            "fields": [{"name": "SrcIP"}],
            "filters": [{
                'values': [{
                    'value': "172.16.105.100",
                    'type': 'EsmBasicValue'
                }],
                'type': 'EsmFieldFilter',
                'operator': 'EQUALS',
                'field': {'name': 'SrcIP'}}]
}}

However, the response is a filter error

Error executing query, filterString=Alert.LastTime[$Last,?Hour,DV,DV]#Alert.SrcIP[172.16.105.100] (ERROR_InvalidFilter (228))

Does anyone know what the issue could be?

3 Replies

Re: qryExecuteGrouped API

Probably not an issue for you anymore, but I have been working through a similar issue and believe one problem is the JSON syntax for the filter. Try this:

{
  "config": {
    "timeRange": "LAST_HOUR",
    "fields": [
      {
        "name": "SrcIP"
      }
    ],
    "filters": [
      {
        "field": {
          "name": "SrcIP"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "172.16.105.100",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      }
    ]
  }
}

I haven't tried it on my ESM, but it checks out on a JSON code validator. If it doesn't help the OP, hopefully this helps some other person trying to scour the internet for examples of qryExecuteGrouped like me.

Re: qryExecuteGrouped API

When I ran this on ESM (10.3.2) it generated the following error:

"An IPSID filter must be specified when issuing a grouped query"

This can be fixed by adding the appropriate IPSID filter for the device. Here is updated code with an example - please note that your IPSID value will be different.

{
    "config": {
        "timeRange": "LAST_HOUR",
        "fields": [
            {
                "name": "SrcIP"
            }
        ],
        "filters": [
            {
                "field": {
                    "name": "IPSID"
                },
                "operator": "EQUALS",
                "values": [
                    {
                        "value": "111111111111111111",
                        "type": "EsmBasicValue"
                    }
                ],
                "type": "EsmFieldFilter"
            },
            {
                "field": {
                    "name": "SrcIP"
                },
                "operator": "EQUALS",
                "values": [
                    {
                        "value": "172.16.105.100",
                        "type": "EsmBasicValue"
                    }
                ],
                "type": "EsmFieldFilter"
            }
        ]
    }
}

This fixes all of the field filter errors on my ESM, but now I get a new error:

"Couldn't find required information for field name SrcIP, check that the field name is valid."

Unfortunately I haven't found a fix for this one. I have tried all sorts of field names and references, nothing seems to work. Have an open case with support trying to resolve it. 

brenta (Reliable Contributor)

Re: qryExecuteGrouped API

Yeah, 

I see the issue here; I did have similar issues while wiring up a customer portal to the SIEM. The new API (REST v2) is still under active development, so it is possible things change from under your feet as versions are updated.

Some documentation seems to be missing regarding the querying of data. The following should work correctly. Ensure you post the correct authentication and json type headers as well.

https://<host>/rs/esm/v2/qryExecuteGrouped?queryType=EVENT&groupType=COUNT
{  
   "config":{  
      "timeRange":"LAST_HOUR",
      "fields":[  
         {  
            "name":"SrcIP",
            "table":"Alert",
            "typeBits":17,
            "id":null
         }
      ],
      "filters":[  
         {  
            "field":{  
               "name":"IPSID"
            },
            "operator":"EQUALS",
            "values":[  
               {  
                  "value":"111111111111111111",
                  "type":"EsmBasicValue"
               }
            ],
            "type":"EsmFieldFilter"
         },
         {  
            "type":"EsmFieldFilter",
            "field":{  
               "name":"SrcIP"
            },
            "operator":"EQUALS",
            "values":[  
               {  
                  "type":"EsmBasicValue",
                  "value":"172.16.105.100"
               }
            ]
         }
      ]
   }
}

Best

Brent
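As an added example (not code from the thread, from McAfee, or from any of the posters), the following Python script puts the three replies together: it checks that a request body is real JSON rather than Python-dict syntax (the first reply's point about the OP's single-quoted keys), refuses to build a grouped query without an IPSID filter (the "An IPSID filter must be specified" error from the second reply), and emits the body in the shape of the last reply, including the "table" and "typeBits" values on the SrcIP field. The host name, the `auth_headers` argument and the `post_grouped_query` helper are assumptions; the thread only says that authentication and JSON content-type headers are required, without naming them.

```python
import json
from typing import Any, Dict, List
from urllib import request

# Placeholder host (assumption); the path and query string are the ones from the thread.
ESM_HOST = "esm.example.internal"
QUERY_PATH = "/rs/esm/v2/qryExecuteGrouped?queryType=EVENT&groupType=COUNT"


def field_filter(name: str, value: str, operator: str = "EQUALS") -> Dict[str, Any]:
    """One EsmFieldFilter entry, in the shape the last reply in the thread uses."""
    return {
        "type": "EsmFieldFilter",
        "field": {"name": name},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": value}],
    }


def build_grouped_query(src_ip: str, ipsid: str, time_range: str = "LAST_HOUR") -> Dict[str, Any]:
    """Build the body for a COUNT-by-SrcIP grouped event query.

    The ESM rejects grouped queries that carry no IPSID filter, so the check is
    made locally instead of being discovered from the server's error message.
    """
    if not ipsid:
        raise ValueError("grouped queries require an IPSID filter for the device")
    return {
        "config": {
            "timeRange": time_range,
            # "table" and "typeBits" are copied from the working body in the thread.
            "fields": [{"name": "SrcIP", "table": "Alert", "typeBits": 17, "id": None}],
            "filters": [
                field_filter("IPSID", ipsid),
                field_filter("SrcIP", src_ip),
            ],
        }
    }


def is_valid_json(body: str) -> bool:
    """True if the text is JSON a server can parse; False for Python-dict syntax."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def missing_ipsid(body: Dict[str, Any]) -> bool:
    """Pre-flight for the 'An IPSID filter must be specified' error."""
    filters: List[Dict[str, Any]] = body.get("config", {}).get("filters", [])
    return not any(f.get("field", {}).get("name") == "IPSID" for f in filters)


def post_grouped_query(host: str, body: Dict[str, Any], auth_headers: Dict[str, str]) -> Any:
    """POST the body to the ESM (assumed helper, not exercised offline).

    auth_headers holds whatever session headers your ESM login returns; the
    thread states only that they and a JSON content type are required.
    """
    data = json.dumps(body).encode("utf-8")
    req = request.Request(
        f"https://{host}{QUERY_PATH}",
        data=data,
        headers={"Content-Type": "application/json", **auth_headers},
        method="POST",
    )
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample modelled on the original post's body: single-quoted keys.
    op_body = """{"config": {"filters": [{'values': [{'value': "172.16.105.100"}]}]}}"""
    print("original post body is valid JSON:", is_valid_json(op_body))  # False
    query = build_grouped_query("172.16.105.100", "111111111111111111")
    print("missing IPSID:", missing_ipsid(query))  # False
    print(json.dumps(query, indent=2))
```

`json.dumps` is what turns the Python `None` into the `null` seen in the last reply's body; building the request as a dict and serialising it, rather than pasting a literal, is what avoids the single-quote problem the first reply points at.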