qryExecuteGrouped API

I'm trying to perform a grouped query using the REST API, for example I would like to fetch the amount of events with a certain source IP

The query I'm using is:

qryExecuteGrouped?queryType=EVENT&groupType=COUNT

({
        "config": {
            "timeRange": "LAST_HOUR",
            "fields": [{"name": "SrcIP"}],
            "filters": [{
                'values': [{
                    'value': "172.16.105.100",
                    'type': 'EsmBasicValue'
                }],
                'type': 'EsmFieldFilter',
                'operator': 'EQUALS',
                'field': {'name': 'SrcIP'}}]
}}

However, the response is a filter error

Error executing query, filterString=Alert.LastTime[$Last,?Hour,DV,DV]#Alert.SrcIP[172.16.105.100] (ERROR_InvalidFilter (228))

Does anyone know what the issue could be?

2 Replies

Re: qryExecuteGrouped API

Probably not an issue for you anymore, but I have been working through a similar issue and believe one problem is the JSON syntax for the filter. Try this:

{
  "config": {
    "timeRange": "LAST_HOUR",
    "fields": [
      {
        "name": "SrcIP"
      }
    ],
    "filters": [
      {
        "field": {
          "name": "SrcIP"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "172.16.105.100",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      }
    ]
  }
}

I haven't tried it on my ESM, but it checks out on a JSON code validator. If it doesn't help the OP, hopefully this helps some other person trying to scour the internet for examples of qryExecuteGrouped like me.

Re: qryExecuteGrouped API

When I ran this on ESM (10.3.2) it generated the following error:

"An IPSID filter must be specified when issuing a grouped query"

This can be fixed by adding the appropriate IPSID filter for the device. Here is updated code with an example - please note that your IPSID value will be different.

{
  "config": {
    "timeRange": "LAST_HOUR",
    "fields": [
      {
        "name": "SrcIP"
      }
    ],
    "filters": [
      {
        "field": {
          "name": "IPSID"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "111111111111111111",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      },
      {
        "field": {
          "name": "SrcIP"
        },
        "operator": "EQUALS",
        "values": [
          {
            "value": "172.16.105.100",
            "type": "EsmBasicValue"
          }
        ],
        "type": "EsmFieldFilter"
      }
    ]
  }
}

This fixes all of the field filter errors on my ESM, but now I get a new error:

"Couldn't find required information for field name SrcIP, check that the field name is valid."

Unfortunately I haven't found a fix for this one. I have tried all sorts of field names and references, nothing seems to work. Have an open case with support trying to resolve it. 
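An added example (not McAfee's code or anything from the posters above) that builds the qryExecuteGrouped body in the shape the two replies converged on and checks a body for the two failure modes seen in this thread before it is sent: Python-style quoting that is not JSON, and a grouped query with no IPSID filter. Helper names are my own; sending the request, authentication and the base URL are assumed to be handled elsewhere.

```python
import json

# Added example, not McAfee's code. Filter layout (EsmFieldFilter / EsmBasicValue)
# and the IPSID requirement come from the thread above; helper names are my own.
# Sending, auth and the ESM base URL are out of scope here.

ENDPOINT = "qryExecuteGrouped?queryType=EVENT&groupType=COUNT"  # from the question


def field_filter(name, value, operator="EQUALS"):
    """One EsmFieldFilter entry in the layout the first reply validated."""
    return {
        "field": {"name": name},
        "operator": operator,
        "values": [{"value": str(value), "type": "EsmBasicValue"}],
        "type": "EsmFieldFilter",
    }


def grouped_query(group_field, ipsid, extra_filters=(), time_range="LAST_HOUR"):
    """Request body: the device's IPSID filter first (second reply), then the rest."""
    filters = [field_filter("IPSID", ipsid)]
    filters += [field_filter(n, v) for n, v in extra_filters]
    return {"config": {"timeRange": time_range,
                       "fields": [{"name": group_field}],
                       "filters": filters}}


def check_body(body):
    """Return the problems a body would hit: quoting that is not JSON (the
    original post), a missing IPSID filter, or wrong filter/value types."""
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    problems = []
    filters = body.get("config", {}).get("filters", [])
    if not any(f.get("field", {}).get("name") == "IPSID" for f in filters):
        problems.append("An IPSID filter must be specified when issuing a grouped query")
    for f in filters:
        bad_values = [v for v in f.get("values", []) if v.get("type") != "EsmBasicValue"]
        if f.get("type") != "EsmFieldFilter" or bad_values:
            problems.append(f"filter on {f.get('field', {}).get('name')} has a wrong type")
    return problems

if __name__ == "__main__":
    # Constructed IPSID placeholder; a real one is device-specific, as the second reply notes.
    body = grouped_query("SrcIP", "111111111111111111", [("SrcIP", "172.16.105.100")])
    print(json.dumps(body, indent=2), check_body(body))  # [] -> ready to POST to ENDPOINT
    print(check_body("({'config': {'timeRange': 'LAST_HOUR'}})"))  # not valid JSON
```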
