Security


API Query Examples

  • 1.  API Query Examples

    Posted Thu March 14, 2019 05:40 PM

    Hi folks, while using the Query endpoint of the Resilient API, can we use
    multiple conditions combined with AND, as outlined below?

    Wondering if you have examples already that can be shared to review.

    Please note that the query was tested with a single condition and works.

    Thanks!

    #1

    {
    "filters": [{
    "conditions": [{
    "field_name": "plan_status",
    "method": "equals",
    "value": "C" AND

    "field_name": "inc_id",
    "method": "containedIn",
    "value": "(45678,47654,45694)"
    }]
    }],
    "sorts": [{
    "field_name": "name",
    "type": "asc"
    }]
    }

    #2

    {
    "filters": [{
    "conditions": [{
    "field_name": "plan_status",
    "method": "equals",
    "value": "C" AND

    "field_name": "inc_id",
    "method": "equals",
    "value": "45678"
    }]
    }],
    "sorts": [{
    "field_name": "name",
    "type": "asc"
    }]
    }



    ------------------------------
    Anilkumar Kudidi
    ------------------------------


  • 2.  RE: API Query Examples
    Best Answer

    Posted Mon March 18, 2019 10:20 AM
    Hello Anilkumar,

    Thanks for posting your question to this forum.

    Yes, you can put multiple conditions into the data payload of a POST. As you might have noticed already, the "conditions" field is a JSON list of dictionaries, so you can put multiple dictionaries into the list. An example like this works:
    {
    "filters":[{
    "conditions":[
    {
    "field_name":"id",
    "method":"equals",
    "value":2435
    },
    {
    "field_name":"properties.qradar_id",
    "method":"equals",
    "value":"23"
    }
    ]
    }]
    }

    Here we have two conditions, one for the incident id and one for a custom field called qradar_id. Two points here:
    1. If it is a custom field, you need to use "properties._field_name", just as shown above for qradar_id.
    2. Make sure you use the correct data type for the "value".
    You can also easily try this on the interactive page (Help->Interactive REST API).

    Thanks,




    ------------------------------
    Yongjian Feng
    Software Developer
    Resilient IBM
    ------------------------------



  • 3.  RE: API Query Examples

    Posted Mon March 18, 2019 12:07 PM
    Also, in general it is better to use the query_paged endpoint. The query endpoint pulls all the incidents which could be huge. The query_paged endpoint gives you better control.

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 4.  RE: API Query Examples

    Posted Wed March 20, 2019 10:49 AM
    What is the URL to execute the query?
    POST /orgs/{org_id}/incidents/query

    I need to do something similar for a BI board.

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 5.  RE: API Query Examples

    Posted Wed March 20, 2019 01:04 PM
    Hello Juan,

    One easy way is to use our Interactive API (Help/Contact->Interactive REST API).
    Then go down and click IncidentREST.
    Click the query link:
    The URL is shown there. You can try the REST API directly here.

    Thanks,

    ------------------------------
    Yongjian Feng
    Software Developer
    Resilient IBM
    ------------------------------



  • 6.  RE: API Query Examples

    Posted Wed March 20, 2019 01:28 PM
    Yes, that's what I'm trying to do, but I'm getting an error when performing a test from Postman:



    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 7.  RE: API Query Examples

    Posted Wed March 20, 2019 01:52 PM
    Ah, I see.

    Look at the example I gave below. The "filters" value is a list of dicts, not a dict.
    ==== Example =====
    {
    "filters":[{
    "conditions":[
    {
    "field_name":"id",
    "method":"equals",
    "value":2435
    },
    {
    "field_name":"properties.qradar_id",
    "method":"equals",
    "value":"23"
    }
    ]
    }]
    }

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 8.  RE: API Query Examples

    Posted 20 days ago
    I have tried it and it works well with some fields, but I created a field of type "selection" and it is not working for me.

    Send:
    {
      "filters": [
        {
          "conditions": [
            {
              "method": "equals",
              "field_name": "properties.cola_de_atencion",
              "type": "string",
              "value": "CRMC"
            }
          ]
        }
      ],
      "sorts": [
        {
          "field_name": "plan_status",
          "type": "desc"
        }
      ],
      "start": 0,
      "length": 0,
      "recordsTotal": 0
    }


    Response:
    {
        "success": false,
        "title": null,
        "message": "Invalid type specified in query for equals condition. Expected unknown, but received string. Value is CRMC.",
        "hints": [],
        "error_code": "generic"
    }
    Any suggestions?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 9.  RE: API Query Examples

    Posted 19 days ago
    Edited by Howard Lu 19 days ago
    Hi Juan,

    First off, in your "conditions", don't specify the "type" field. The documentation for "type" reads:
    The type for the condition. This property is for UI side use only, useful for storing unit of time in date time filters like (minutes, hours, days)
    So go ahead and omit it.

    Unfortunately, for a select field, you will need to specify the "id" of the value and not the name. 

    {
      "filters": [
        {
          "conditions": [
            {
              "method": "equals",
              "field_name": "properties.cola_de_atencion",
              "value": <ID>
            }
          ]
        }
      ],
      "sorts": [
        {
          "field_name": "plan_status",
          "type": "desc"
        }
      ],
      "start": 0,
      "length": 0,
      "recordsTotal": 0
    }



    You can look up the "id" of your custom field value by accessing the Types REST endpoint:
    https://<serverURL>/rest/orgs/<org_id>/types/incident/fields/cola_de_atencion

    and look at the "values" list.

    Hope this helps!

    ------------------------------
    Howard Lu
    ------------------------------



  • 10.  RE: API Query Examples

    Posted 18 days ago
    Edited by Juan Cruz Del Col 18 days ago
    Excellent, it worked perfectly. I had not noticed that the ID should be used as it is a selection field.

    Is it possible to make a condition by "between" dates?
    How would the date format be?

    For example, I need to obtain the same information that is shown in the report (image), but using a query via REST to send the data to a BI tool.


    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 11.  RE: API Query Examples

    Posted 18 days ago
    Hi Juan,

    Yes, you can. The Resilient UI uses the same Resilient REST API, so any condition you see in the UI you can achieve using the REST API as well.

    In this case,

    {
      "filters": [
        {
          "conditions": [
            {
              "field_name": "create_date",
              "method": "gte",
              "value": 1546318800000
            },
            {
              "field_name": "create_date",
              "method": "lte",
              "value": 1554091200000
            }
          ]
        }
      ]
    }


    you put multiple conditions so that "create_date" is after a certain time and before a certain time. The time value here is the "epoch time" measured in milliseconds. There are plenty of converters which will convert a human-readable date into an epoch time, e.g. https://www.epochconverter.com/


    Again, these values are in milliseconds, so make sure you use that.  In the code sample I pasted above, those times translate to Jan 1 and Apr 1 of 2019.

    Hope this is helpful!  Good luck.



    ------------------------------
    Howard Lu
    ------------------------------
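The thread settles three details of the incident query payload: several conditions inside one filter are combined with AND and custom fields take the "properties." prefix (the best answer), select fields are matched by value id with the UI-only "type" key omitted (reply 9), and a date range is a gte/lte pair in epoch milliseconds (reply 11). The script below, an added example that is not from the thread or from the Resilient SDK, builds such a payload offline and checks it for those mistakes before it would be POSTed. The field name cola_de_atencion comes from the thread; its value ids and labels in SELECT_FIELD_VALUES, and every helper name, are constructed. The two timezone offsets reproduce the numbers in the last reply, which correspond to midnight at UTC-5 and UTC-4.

```python
"""Assemble and sanity-check IBM Resilient incident query payloads offline.

Added example (constructed; not the thread's or the Resilient SDK's code).
It only builds the JSON body for POST /orgs/{org_id}/incidents/query;
nothing here talks to a server.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the "values" list that the Types REST endpoint
# (/rest/orgs/<org_id>/types/incident/fields/<name>) returns for a select
# field. The ids and labels are made up for this example.
SELECT_FIELD_VALUES: Dict[str, List[Dict[str, Any]]] = {
    "cola_de_atencion": [
        {"value": 101, "label": "CRMC"},
        {"value": 102, "label": "SOC"},
    ],
}


def condition(field_name: str, method: str, value: Any, custom: bool = False) -> Dict[str, Any]:
    """One entry of "conditions". Custom fields get the "properties." prefix;
    the UI-only "type" key is never emitted."""
    name = f"properties.{field_name}" if custom else field_name
    return {"field_name": name, "method": method, "value": value}


def select_condition(field_name: str, label: str) -> Dict[str, Any]:
    """Select fields are matched by the value id, not its label, so resolve
    the label through the (locally cached) Types data first."""
    for entry in SELECT_FIELD_VALUES.get(field_name, []):
        if entry["label"] == label:
            return condition(field_name, "equals", entry["value"], custom=True)
    raise KeyError(f"no value labelled {label!r} for select field {field_name!r}")


def epoch_ms(moment: datetime) -> int:
    """Date values are epoch milliseconds. Insist on an aware datetime so the
    UTC offset is explicit instead of whatever the host happens to use."""
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return int(moment.timestamp()) * 1000


def date_range_conditions(field_name: str, start: datetime, end: datetime) -> List[Dict[str, Any]]:
    """A "between" filter is just two AND-ed conditions: gte and lte."""
    if end < start:
        raise ValueError("end must not precede start")
    return [condition(field_name, "gte", epoch_ms(start)),
            condition(field_name, "lte", epoch_ms(end))]


def build_query(conditions: Iterable[Dict[str, Any]],
                sorts: Optional[List[Tuple[str, str]]] = None) -> Dict[str, Any]:
    """"filters" is a list of dicts, each holding a list of conditions that
    are combined with AND."""
    body: Dict[str, Any] = {"filters": [{"conditions": list(conditions)}]}
    if sorts:
        body["sorts"] = [{"field_name": f, "type": d} for f, d in sorts]
    return body


def validate_query(body: Dict[str, Any]) -> List[str]:
    """Return the mistakes discussed in the thread, or [] if the body is clean."""
    errors: List[str] = []
    filters = body.get("filters")
    if not isinstance(filters, list):
        return ['"filters" must be a list of dicts, not a dict']
    for flt in filters:
        for cond in flt.get("conditions", []):
            missing = {"field_name", "method", "value"} - set(cond)
            if missing:
                errors.append(f"condition missing {sorted(missing)}")
            if "type" in cond:
                errors.append('"type" is UI-only; omit it from conditions')
            if cond.get("method") in ("gte", "lte") and not isinstance(cond.get("value"), int):
                errors.append(f'{cond.get("field_name")}: date values must be epoch milliseconds (int)')
            bare = str(cond.get("field_name", "")).split(".")[-1]
            if bare in SELECT_FIELD_VALUES and not isinstance(cond.get("value"), int):
                errors.append(f"{bare}: select fields are matched by value id, not label")
    return errors


def example_query() -> Dict[str, Any]:
    """Incidents created between the two instants in the last reply whose
    (hypothetical) select field is set to CRMC, sorted like reply 8."""
    utc_minus_5 = timezone(timedelta(hours=-5))   # 1 Jan 2019 00:00 at UTC-5
    utc_minus_4 = timezone(timedelta(hours=-4))   # 1 Apr 2019 00:00 at UTC-4
    conds = date_range_conditions("create_date",
                                  datetime(2019, 1, 1, tzinfo=utc_minus_5),
                                  datetime(2019, 4, 1, tzinfo=utc_minus_4))
    conds.append(select_condition("cola_de_atencion", "CRMC"))
    return build_query(conds, sorts=[("plan_status", "desc")])


if __name__ == "__main__":
    import json
    q = example_query()
    print(json.dumps(q, indent=2))
    print("problems:", validate_query(q) or "none")
```

Running the script prints a body with three conditions (create_date gte 1546318800000, create_date lte 1554091200000, properties.cola_de_atencion equals 101) and no validation problems; feeding validate_query the payload from reply 8, or a body whose "filters" is a dict, lists the corresponding mistakes. Adapting it to a real instance only means replacing SELECT_FIELD_VALUES with the "values" list fetched from the Types endpoint for the field in question.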