0 Replies Latest reply on Mar 4, 2015 3:41 PM by ziad1

    How to use EsmFilterGroup?

    ziad1

      I'm using the SOAP API to issue some queries to Nitro ESM. I'd like to have a filter query on multiple columns (e.g. SrcPort = 123 OR DstPort = 80), or multiple values of the same column (e.g. DstPort = 23 OR DstPort = 514).

       

      From the ESM API page, it seems that we need to use an EsmFilterGroup object. I have the following pseudo-code:

       

      filter23 = new EsmFieldFilter()
      filter23.setField("DstPort")
      filter23.setValue("23")
      filter23.setOperator(EQUALS)

      filter514 = new EsmFieldFilter()
      filter514.setField("DstPort")
      filter514.setValue("514")
      filter514.setOperator(EQUALS)

      filterGroup = new EsmFilterGroup()
      filterGroup.setLogic(OR)
      filterGroup.getFilters.add(filter23)
      filterGroup.getFilters.add(filter514)

      config.getFilters.add(filterGroup)

       

      However, I get an exception when I run the query (using qryExecuteDetail()):

       

      com.mcafee.siem.api.v2.EsmException: ERROR_SQLiFilterItem (255)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.7.0_25]
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) ~[na:1.7.0_25]
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.7.0_25]
          at java.lang.reflect.Constructor.newInstance(Constructor.java:526) ~[na:1.7.0_25]
          at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130) ~[na:1.7.0_25]
          at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108) ~[na:1.7.0_25]
          at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78) ~[na:1.7.0_25]
          at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129) ~[na:1.7.0_25]
          at com.sun.proxy.$Proxy35.qryExecuteDetail(Unknown Source) ~[na:na]

       

       

      Note that I am able to successfully run a query with a single filter set (e.g. config.getFilters.add(filter4624)). What is the correct way of specifying multiple filters OR-ed together for a single query?