mrmatt
Level 7
Message 1 of 4

EPO API Where Clause

I've been trying to run this query with two where clauses with no luck. I can run each where statement separately, but when I combine them the page simply returns "OK: " with no data. Can anyone offer any help? Here is my current query, I'd like to return all events for a specific user for the last 90 days:

https://EPOServer:port/remote/core.executeQuery?target=DLP_EventView&:output=terse&select=(select DLP_EventView.EventRowID DLP_EventView.EventType DLP_EventView.LocalTime DLP_EventView.UTCTime DLP_EventView.Score DLP_EventView.FocusDisplay DLP_EventView.RuleIDSet_DisplayName DLP_EventView.ApplicationSet_DisplayName DLP_EventView.ProcessInfo_Product DLP_EventView.ProcessInfo_FileName DLP_EventView.ProcessInfo_MD5 DLP_EventView.LabelSet_DisplayName DLP_EventView.TagSet_DisplayName DLP_EventView.ComputerName DLP_EventView.UserName DLP_EventView.Policy_Name DLP_EventView.Policy_DateModified DLP_EventView.AgentVersion DLP_EventView.EvidenceLocationPrefix DLP_EventView.TotalNumberOfCategoriesAndTags DLP_EventView.EventType_Administrative DLP_EventView.TotalNumberOfHits DLP_EvidenceTypeAndValue.EvidenceType  DLP_EvidenceTypeAndValue.EvidenceValue)&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))

3 Replies
apoling
Level 14
Message 2 of 4

Re: EPO API Where Clause

Hi,

not sure of this, but I think an additional WHERE might be missing from the combined statement.

I would try this:

&where=(where (and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000)))

instead of this:

&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))

the reason might be that the first "where" is the HTTP "where" and the new "where" is submitted to the SELECT clause.

Told you, not sure of this, but according to the WebAPI guide, another WHERE is needed within the expression. See ex. p31.

(Also I would use a SELECT * first until I got sure the statement is working, then add the actual field names to display.)

mrmatt
Level 7
Message 3 of 4

Re: EPO API Where Clause

Hi. I tried your suggestion but the result is the same - the page that is returned only says "OK:" with no data.

apoling
Level 14
Message 4 of 4

Re: EPO API Where Clause

Hi,

I'm using cURL with webAPI, and there is a sort of debug mode, by enabling

   --trace FILE    Write a debug trace to the given file

command. Sometimes it helps by showing where the command got stuck.

Try it with cURL.

In addition: have you tried running the combined statement in the ePO GUI (if applicable)?
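One practical way to take the guesswork out of a query like the one in this thread is to build the S-expression and the URL in a script rather than by hand in the browser bar, so that spaces, quotes and parentheses are percent-encoded consistently, and to check what comes back for the "OK:" prefix before trying to read any data. The following Python example is added here and is not code from the thread or from McAfee. It assumes the conventions visible above (the core.executeQuery endpoint, the "(select ...)" and "(and ... )" syntax, the ":output" option, and a response body that begins with "OK:"); the ":output=json" value and the empty-result handling are assumptions, and the helper deliberately refuses user names containing quotes rather than guessing the API's escape rule. The HTTP call itself is left to the reader, so nothing below touches the network.

```python
"""Build and parse ePO core.executeQuery requests (added example, not McAfee code).

Assumptions (not confirmed by the thread): ":output=json" returns a JSON array
of row objects, and an "OK:" body with nothing after it means "no rows".
"""
import json
from urllib.parse import quote

# A subset of the columns requested in the thread's query.
SELECT_COLUMNS = [
    "DLP_EventView.EventRowID",
    "DLP_EventView.EventType",
    "DLP_EventView.UTCTime",
    "DLP_EventView.UserName",
    "DLP_EventView.ComputerName",
    "DLP_EventView.Policy_Name",
]

NINETY_DAYS_SECONDS = 90 * 24 * 60 * 60  # 7776000, as used in the thread


def build_where(user_name: str, newer_than_seconds: int) -> str:
    """Return the combined where expression from the thread for one user.

    The API's string-escaping rule is not known here, so names that would
    need escaping are rejected instead of being mangled (assumption).
    """
    if '"' in user_name or "\\" in user_name:
        raise ValueError("user_name must not contain quotes or backslashes")
    if newer_than_seconds <= 0:
        raise ValueError("newer_than_seconds must be positive")
    return (
        f'(and (contains DLP_EventView.UserName "{user_name}") '
        f"(newerThan DLP_EventView.InsertionTime {newer_than_seconds}))"
    )


def build_select(columns) -> str:
    """Return a "(select col1 col2 ...)" expression, or "(select *)" if empty."""
    return "(select " + (" ".join(columns) if columns else "*") + ")"


def build_query_url(base_url: str, target: str, columns, where: str,
                    output: str = "json") -> str:
    """Compose the core.executeQuery URL with every value percent-encoded.

    Parameter names are left as-is (":output" keeps its colon); values are
    encoded with safe="" so spaces, quotes and parentheses never reach the
    server raw, which is one thing hand-typed URLs get wrong.
    """
    params = [
        ("target", target),
        ("select", build_select(columns)),
        ("where", where),
        (":output", output),
    ]
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"{base_url.rstrip('/')}/remote/core.executeQuery?{query}"


def parse_epo_response(body: str):
    """Interpret a response body: "OK:" + payload, "OK:" alone, or "Error ...".

    An "OK:" with no payload (the symptom described in the thread) is
    returned as an empty list so callers can tell it apart from a failure.
    """
    if body.startswith("OK:"):
        payload = body[len("OK:"):].strip()
        return json.loads(payload) if payload else []
    if body.startswith("Error"):
        raise RuntimeError(body.strip())
    raise ValueError("unexpected response body: " + body[:40])


if __name__ == "__main__":
    where = build_where("user.name", NINETY_DAYS_SECONDS)
    print(build_query_url("https://EPOServer:port", "DLP_EventView",
                          SELECT_COLUMNS, where))
    # Constructed sample bodies, not real ePO output.
    print(parse_epo_response("OK:\n"))  # the thread's empty result
    print(parse_epo_response('OK:\n[{"DLP_EventView.UserName": "user.name"}]'))
```

When the script prints an empty list for a query that should match, the next thing to compare is the exact percent-encoded "where" value in the printed URL against what the browser actually sent (the "--trace" output mentioned above shows that), since a raw quote or parenthesis that was not encoded can make the server drop the clause silently.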
