mrmatt
Level 7
Message 1 of 4

EPO API Where Clause

I've been trying to run this query with two where clauses with no luck. I can run each where statement separately, but when I combine them the page simply returns "OK: " with no data. Can anyone offer any help? Here is my current query, I'd like to return all events for a specific user for the last 90 days:

https://EPOServer:port/remote/core.executeQuery?target=DLP_EventView&:output=terse&select=(select DLP_EventView.EventRowID DLP_EventView.EventType DLP_EventView.LocalTime DLP_EventView.UTCTime DLP_EventView.Score DLP_EventView.FocusDisplay DLP_EventView.RuleIDSet_DisplayName DLP_EventView.ApplicationSet_DisplayName DLP_EventView.ProcessInfo_Product DLP_EventView.ProcessInfo_FileName DLP_EventView.ProcessInfo_MD5 DLP_EventView.LabelSet_DisplayName DLP_EventView.TagSet_DisplayName DLP_EventView.ComputerName DLP_EventView.UserName DLP_EventView.Policy_Name DLP_EventView.Policy_DateModified DLP_EventView.AgentVersion DLP_EventView.EvidenceLocationPrefix DLP_EventView.TotalNumberOfCategoriesAndTags DLP_EventView.EventType_Administrative DLP_EventView.TotalNumberOfHits DLP_EvidenceTypeAndValue.EvidenceType  DLP_EvidenceTypeAndValue.EvidenceValue)&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))

3 Replies
apoling
Level 14
Message 2 of 4

Re: EPO API Where Clause

Hi,

not sure of this, but I think an additional WHERE might be missing from the combined statement.

I would try this:

&where=(where (and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000)))

instead of this:

&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))

The reason might be that the first "where" is the HTTP "where" and the new "where" is submitted to the SELECT clause.

Told you, not sure of this, but according to the WebAPI guide, another WHERE is needed within the expression. See ex. p31.

(Also, I would use a SELECT * first until I was sure the statement is working, then add the actual field names to display.)

mrmatt
Level 7
Message 3 of 4

Re: EPO API Where Clause

Hi. I tried your suggestion but the result is the same - the page that is returned only says "OK:" with no data.

apoling
Level 14
Message 4 of 4

Re: EPO API Where Clause

Hi,

I'm using cURL with webAPI, and there is a sort of debug mode, by enabling

   --trace FILE    Write a debug trace to the given file

command. It sometimes helps, showing where the command got stuck.

Try it with cURL.

In addition: have you tried running the combined statement in the ePO GUI (if applicable)?
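
An added debugging aid for the troubleshooting in this thread (not code from the posters or from McAfee): it builds each where clause alone and the combined "and" form from the same pieces, checks parenthesis balance, and percent-encodes every parameter, so the resulting URLs differ only in the where expression. The host name and port are constructed placeholders, and percent-encoding is an assumption about transport hygiene, not a confirmed cause of the empty "OK:" response.

```python
from urllib.parse import urlencode, quote

# Constructed placeholder; substitute the real ePO server and port.
BASE = "https://epo.example:8443/remote/core.executeQuery"


def sexp(op, *args):
    """Render one S-expression, e.g. sexp('and', a, b) -> '(and a b)'."""
    return "(" + " ".join((op,) + args) + ")"


def check_balanced(expr):
    """Raise ValueError if parentheses outside double quotes do not balance."""
    depth, in_quotes = 0, False
    for ch in expr:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                raise ValueError("unexpected ')' in " + expr)
    if depth or in_quotes:
        raise ValueError("unclosed '(' or quote in " + expr)
    return expr


def build_url(target, where, select=None, output="terse"):
    """Percent-encode each parameter so spaces and quotes reach the server intact."""
    params = {"target": target, ":output": output, "where": check_balanced(where)}
    if select:
        params["select"] = check_balanced(select)
    return BASE + "?" + urlencode(params, quote_via=quote, safe=":()")


def bisect_urls(target, clauses, select=None):
    """One URL per clause alone, then one with all clauses joined under 'and'."""
    urls = {c: build_url(target, c, select) for c in clauses}
    urls["combined"] = build_url(target, sexp("and", *clauses), select)
    return urls


# The two clauses from the question in Message 1.
USER = sexp("contains", "DLP_EventView.UserName", '"user.name"')
RECENT = sexp("newerThan", "DLP_EventView.InsertionTime", "7776000")

if __name__ == "__main__":
    for label, url in bisect_urls("DLP_EventView", [USER, RECENT]).items():
        print(label, "->", url)
```

Requesting the three URLs in turn with cURL and the --trace option mentioned in Message 4 shows whether the request changes anywhere other than the where parameter.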
