3 Replies Latest reply on Sep 22, 2017 2:07 AM by Attila Polinger

    EPO API Where Clause

    mrmatt

      I've been trying to run this query with two where clauses with no luck. I can run each where statement separately, but when I combine them the page simply returns "OK: " with no data. Can anyone offer any help? Here is my current query, I'd like to return all events for a specific user for the last 90 days:

       

      https://EPOServer:port/remote/core.executeQuery?target=DLP_EventView&:output=terse&select=(select DLP_EventView.EventRowID DLP_EventView.EventType DLP_EventView.LocalTime DLP_EventView.UTCTime DLP_EventView.Score DLP_EventView.FocusDisplay DLP_EventView.RuleIDSet_DisplayName DLP_EventView.ApplicationSet_DisplayName DLP_EventView.ProcessInfo_Product DLP_EventView.ProcessInfo_FileName DLP_EventView.ProcessInfo_MD5 DLP_EventView.LabelSet_DisplayName DLP_EventView.TagSet_DisplayName DLP_EventView.ComputerName DLP_EventView.UserName DLP_EventView.Policy_Name DLP_EventView.Policy_DateModified DLP_EventView.AgentVersion DLP_EventView.EvidenceLocationPrefix DLP_EventView.TotalNumberOfCategoriesAndTags DLP_EventView.EventType_Administrative DLP_EventView.TotalNumberOfHits DLP_EvidenceTypeAndValue.EvidenceType DLP_EvidenceTypeAndValue.EvidenceValue)&where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))

        • 1. Re: EPO API Where Clause
          Attila Polinger

          Hi,

           

          Not sure of this, but I think an additional WHERE might be missing from the combined statement.

           

          I would try this:

          &where=(where (and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000)))

           

          instead of this:

          &where=(and (contains DLP_EventView.UserName "user.name") (newerThan DLP_EventView.InsertionTime 7776000))

           

          The reason might be that the first "where" is the HTTP "where" and the new "where" is submitted to the SELECT clause.

           

          Told you, not sure of this, but according to the WebAPI guide, another WHERE is needed within the expression. See ex. p31.

           

          (Also, I would use a SELECT * first until I was sure the statement is working, then add the actual field names to display.)

          • 2. Re: EPO API Where Clause
            mrmatt

            Hi. I tried your suggestion but the result is the same - the page that is returned only says "OK:" with no data.

            • 3. Re: EPO API Where Clause
              Attila Polinger

              Hi,

               

              I'm using cURL with webAPI, and there is a sort of debug mode, by enabling

               

                 --trace FILE    Write a debug trace to the given file

               

              command. Sometimes it helps, showing where the command has got stuck.

               

              Try it with cURL.

               

              In addition: have you tried running the combined statement in the ePO GUI (if applicable)?
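
Added example, not part of the original posts and not the vendor's code: a Python sketch that builds the core.executeQuery URL from the thread with every parameter percent-encoded, so the two where variants discussed above can be sent with cURL and compared in the trace. The names Lit, sexp and build_url are hypothetical; only the target, :output, select and where parameters shown in the question are assumed, and the user name is validated instead of escaped because the thread gives no escaping rules.

```python
import re
from urllib.parse import quote, urlencode

SYMBOL = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*\Z")


class Lit(str):
    """A value that must appear as a double-quoted literal in the expression."""


def sexp(node):
    """Render nested tuples as the parenthesised syntax used in the thread."""
    if isinstance(node, Lit):
        # Escaping rules are not given in the thread, so refuse rather than guess.
        if '"' in node or "\\" in node:
            raise ValueError(f"unsafe literal: {node!r}")
        return f'"{node}"'
    if isinstance(node, (tuple, list)):
        return "(" + " ".join(sexp(n) for n in node) + ")"
    if isinstance(node, int):
        return str(node)
    if isinstance(node, str) and SYMBOL.match(node):
        return node
    raise ValueError(f"not a valid symbol: {node!r}")


def build_url(base, target, select, where):
    """Percent-encode each parameter so spaces, quotes and parentheses survive."""
    params = [("target", target), (":output", "terse"),
              ("select", sexp(select)), ("where", sexp(where))]
    return base + "/remote/core.executeQuery?" + urlencode(
        params, quote_via=quote, safe=":")


# Constructed inputs: placeholder host from the post, two of its columns.
BASE = "https://EPOServer:port"
SELECT = ("select", "DLP_EventView.EventRowID", "DLP_EventView.UserName")
PLAIN = ("and",
         ("contains", "DLP_EventView.UserName", Lit("user.name")),
         ("newerThan", "DLP_EventView.InsertionTime", 7776000))
NESTED = ("where", PLAIN)  # the variant suggested in reply 1

if __name__ == "__main__":
    for where in (PLAIN, NESTED):
        print(build_url(BASE, "DLP_EventView", SELECT, where))
```

Building the expression from a tree keeps the parentheses balanced by construction, and rejecting quotes in the literal stops a supplied user name from altering the where clause.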