I've been trying to run this query with two where clauses with no luck. I can run each where statement separately, but when I combine them the page simply returns "OK: " with no data. Can anyone offer any help? Here is my current query, I'd like to return all events for a specific user for the last 90 days:
https://EPOServer:port/remote/core.executeQuery?target=DLP_EventView&:output=terse&select=(select DLP_EventView.EventRowID DLP_EventView.EventType DLP_EventView.LocalTime DLP_EventView.UTCTime DLP_EventView.Score DLP_EventView.FocusDisplay DLP_EventView.RuleIDSet_DisplayName DLP_EventView.ApplicationSet_DisplayName DLP_EventView.ProcessInfo_Product DLP_EventView.ProcessInfo_FileName DLP_EventView.ProcessInfo_MD5 DLP_EventView.LabelSet_DisplayName DLP_EventView.TagSet_DisplayName DLP_EventView.ComputerName DLP_EventView.UserName DLP_EventView.Policy_Name DLP_EventView.Policy_DateModified DLP_EventView.AgentVersion DLP_EventView.EvidenceLocationPrefix DLP_EventView.TotalNumberOfCategoriesAndTags DLP_EventView.EventType_Administrative DLP_EventView.TotalNumberOfHits DLP_EvidenceTypeAndValue.EvidenceType DLP_EvidenceTypeAndValue.EvidenceValue)&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))
not sure of this, but I think an additonal WHERE might be missing from the combined statement.
I would try this:
&where=(where (and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000)))
instead of this:
&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))
the reason might be is that first "where" is the http "where" and the new "where" is submitted to the SELECT clause.
Told you, not sure of this, but according to the WebAPI guide, another WHERE is needed within the expression. See ex. p31.
(Also I would use a SELECT * first until I got sure the statement is working, then add the actual field names to display.)
I'm using cURL with webAPI, and there is a sort of debug mode, by enabling
--trace FILE Write a debug trace to the given file
command. sometimes helps, showing where the command has stuck.
Try it with cURL.
In additon: have you tried running the combined statement in the ePO GUI (if applicable)?
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center