Parameter | Type | Default Value | Description
---|---|---|---
query | string | [no filter] | The TinyQ language filter that specifies a subset of all available records.
field | string | not present | The name or names of fields whose values are to be returned. The field item may appear zero or more times in the URI query parameters. A single value of "[none]" indicates return only metadata. The absence of any field parameter indicates return all field values.
page | integer | 1 | The 1-based offset into the total records based on page size. Actual offset is (page - 1) * pagesize.
pagesize | integer | [unlimited] | The maximum number of object records to return as a result of the request.
Object type: page

A container for one or more objects in the result listing. There may be multiple pages in a listing if a page size is specified that is less than the total number of objects in the listing.

Field | Description
---|---
next | A URL addressing the subsequent page of objects in the total set of available objects.
objects | The list of objects returned in the page of results.
prev | A URL addressing the previous page of objects in the total set of available objects.
Object type: event-search

An EventSearch object is used to create an event search job and to get the status of current search jobs.

Field | Description
---|---
aggregate-obj | An "aggregating object" is a Sentinel object that has events associated with it. Current objects are Incidents and Correlated Events. Specifying an aggregating object restricts the results of the event search to only those events associated with the aggregating object.
avail | The available count number indicates the total number of events that are currently available in the results that can be obtained from the search job.
end | The end of the search date range specifies the latest date and time for which events will be returned. The end of the range is exclusive.
fields | Fields is the set of event field names whose values are to be returned in the search results. Limiting the result fields can decrease the amount of data that must be transported. The special value "none" indicates that no field values are to be returned. An empty set indicates that all field values are to be returned.
filter | The filter is the search query string that specifies the set of events that the event search job will return.
found | The found count number indicates the total number of events found that match the search job parameters.
InitiatingHostName | The hostname of the system that initiated the search job, if available.
init-user | The name of the user that initiated the search job. This may be different from the Owner username if the search job is for a distributed search.
ip | The IP address of the system from which the search job was initiated.
job-end | The job end time is the time the search job finished.
job-start | The job start time is the time the search job started running.
last-accessed | The last accessed time is the last time the search job was accessed for the purpose of getting search results.
max-results | The maximum results number specifies the maximum number of event objects that the search job will return. This may be less than the number of event objects that match the search parameters.
meta | The metadata for an object, including the object type name and the URL reference to the object.
owner | The owner link is a URL that is used to obtain the user object of the user who started the search job. The link will be empty for SYSTEM search jobs.
pgsize | The page size specifies the number of event objects that will be returned in a single request for the results of the search job.
results | The results link is a URL that is used to obtain the first page of the results of the search job.
start | The start of the search date range specifies the earliest date and time for which events will be returned. The start of the range is inclusive.
status | The status of a search job reflects the search job's current state. Values are: 0 (Pending), 1 (Running), 2 (Completed), 3 (Completed with Errors), 4 (Unavailable), 5 (Canceled), 6 (Access Denied).
type | The type of a search job indicates the use for which the search job is started. Values are: "SYSTEM", an internal Sentinel job; "USER", started by a Sentinel user; "REPORT", used to obtain the results for use in a report; "DATASYNC", started to obtain results that will be synchronized from the event store to a relational database; "DIST", indicating a search started on behalf of a remote search console.
Object type: meta

The metadata for an object, including the object type name and the URL reference to the object.

Field | Description
---|---
@href | The URL reference to the object.
type | The name of the object type.
GET https://164.99.19.131:8443/SentinelRESTServices/objects/event-search?page=2&pagesize=1

```json
{
  "objects": [
    {
      "meta": {
        "type": "event-search",
        "@href": "https://164.99.19.131:8443/SentinelRESTServices/objects/event-search/Wildebeest"
      },
      "InitiatingHostName": "jdoe_desktop.company.com",
      "status": 2,
      "pgsize": 125,
      "last-accessed": "2012-04-25T13:33:44.560Z",
      "avail": 200000,
      "job-start": "2012-04-25T13:33:44.560Z",
      "type": "USER",
      "ip": "10.0.0.23",
      "aggregate-obj": { "@href": "Wildebeest" },
      "results": {
        "@href": "https://164.99.19.131:8443/SentinelRESTServices/objects/event?query=_jobid_.eWildebeest&page=1&pagesize=125&field=dt&field=evt"
      },
      "start": "2012-04-25T13:33:44.560Z",
      "max-results": 42,
      "job-end": "2012-04-25T13:33:44.560Z",
      "init-user": "jdoe",
      "filter": "sev:4",
      "end": "2012-04-25T13:33:44.560Z",
      "fields": [ "dt", "evt" ],
      "found": 1567345
    }
  ],
  "prev": { "@href": "https://164.99.19.131:8443/SentinelRESTServices/objects/event-search?pagesize=1&page=1" },
  "next": { "@href": "https://164.99.19.131:8443/SentinelRESTServices/objects/event-search?pagesize=1&page=3" }
}
```
Object type: event-search

An EventSearch object is used to create an event search job and to get the status of current search jobs.

Field | Required | Description
---|---|---
aggregate-obj | false | An "aggregating object" is a Sentinel object that has events associated with it. Current objects are Incidents and Correlated Events. Specifying an aggregating object restricts the results of the event search to only those events associated with the aggregating object.
end | false | The end of the search date range specifies the latest date and time for which events will be returned. The end of the range is exclusive.
fields | false | Fields is the set of event field names whose values are to be returned in the search results. Limiting the result fields can decrease the amount of data that must be transported. The special value "none" indicates that no field values are to be returned. An empty set indicates that all field values are to be returned.
filter | false | The filter is the search query string that specifies the set of events that the event search job will return.
InitiatingHostName | false | The hostname of the system that initiated the search job, if available.
init-user | false | The name of the user that initiated the search job. This may be different from the Owner username if the search job is for a distributed search.
ip | false | The IP address of the system from which the search job was initiated.
job-end | false | The job end time is the time the search job finished.
job-start | false | The job start time is the time the search job started running.
last-accessed | false | The last accessed time is the last time the search job was accessed for the purpose of getting search results.
max-results | false | The maximum results number specifies the maximum number of event objects that the search job will return. This may be less than the number of event objects that match the search parameters.
pgsize | false | The page size specifies the number of event objects that will be returned in a single request for the results of the search job.
start | false | The start of the search date range specifies the earliest date and time for which events will be returned. The start of the range is inclusive.
type | false | The type of a search job indicates the use for which the search job is started. Values are: "SYSTEM", an internal Sentinel job; "USER", started by a Sentinel user; "REPORT", used to obtain the results for use in a report; "DATASYNC", started to obtain results that will be synchronized from the event store to a relational database; "DIST", indicating a search started on behalf of a remote search console.
Object type: meta

The metadata for an object, including the object type name and the URL reference to the object.

Field | Required | Description
---|---|---
@href | false | The URL reference to the object.
type | false | The name of the object type.
Object type:

The metadata representation of the newly created event-search object, including the URL reference to the new object.

Field | Description
---|---
meta | The metadata for an object, including the object type name and the URL reference to the object.
Object type: meta

The metadata for an object, including the object type name and the URL reference to the object.

Field | Description
---|---
@href | The URL reference to the object.
type | The name of the object type.
POST https://164.99.19.131:8443/SentinelRESTServices/objects/event-search

```json
{
  "InitiatingHostName": "jdoe_desktop.company.com",
  "pgsize": 125,
  "last-accessed": "2012-04-25T13:33:44.561Z",
  "job-start": "2012-04-25T13:33:44.561Z",
  "type": "USER",
  "ip": "10.0.0.23",
  "aggregate-obj": { "@href": "Wildebeest" },
  "results": {
    "@href": "https://164.99.19.131:8443/SentinelRESTServices/objects/event?query=_jobid_.eWildebeest&page=1&pagesize=125&field=dt&field=evt"
  },
  "start": "2012-04-25T13:33:44.561Z",
  "max-results": 42,
  "job-end": "2012-04-25T13:33:44.561Z",
  "init-user": "jdoe",
  "filter": "sev:4",
  "end": "2012-04-25T13:33:44.561Z",
  "fields": [ "dt", "evt" ]
}
```

Response:

Location: https://164.99.19.131:8443/SentinelRESTServices/objects/event-search/Wildebeest

```json
{
  "meta": {
    "type": "event-search",
    "@href": "https://164.99.19.131:8443/SentinelRESTServices/objects/event-search/Wildebeest"
  }
}
```
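The following client helpers are an added example, not Sentinel's own code: they build a POST body that respects the inclusive start / exclusive end rule, map the documented status codes to a readable state, compute the documented page offset, and walk a paged listing by following "next" links. The host name, the sample responses and the `fetch(url)` callable are constructed so the code runs offline; a real client would pass an authenticated HTTP GET in place of `fake_fetch`.

```python
"""Helpers for the Sentinel event-search REST API described on this page (added example,
not Sentinel's own code). Host, sample responses and fetch(url) are constructed."""
import json
from datetime import datetime

STATUS = {0: "Pending", 1: "Running", 2: "Completed", 3: "Completed with Errors",
          4: "Unavailable", 5: "Canceled", 6: "Access Denied"}
TERMINAL = {2, 3, 4, 5, 6}  # states in which polling a job should stop
TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp format used in the page's examples

def page_offset(page, pagesize):
    """Documented record offset of a 1-based page: (page - 1) * pagesize."""
    if page < 1 or pagesize < 1:
        raise ValueError("page and pagesize must be positive integers")
    return (page - 1) * pagesize

def search_job_body(filter_, start, end, fields=("none",), max_results=None):
    """Body for POST .../objects/event-search; start is inclusive, end is exclusive."""
    if datetime.strptime(start, TS) >= datetime.strptime(end, TS):
        raise ValueError("start must be earlier than end (end is exclusive)")
    body = {"filter": filter_, "start": start, "end": end, "fields": list(fields)}
    if max_results is not None: body["max-results"] = max_results
    return body

def job_state(job):
    """Return (state name, is_terminal) for a search-job object; unknown codes stay visible."""
    code = job.get("status")
    return STATUS.get(code, f"Unknown({code})"), code in TERMINAL

def iter_listing(fetch, url):
    """Yield every object of a paged listing by following 'next' links; a looping link ends it."""
    seen = set()
    while url and url not in seen:
        seen.add(url)
        page = json.loads(fetch(url))
        yield from page.get("objects", [])
        url = (page.get("next") or {}).get("@href")

# Constructed two-page listing standing in for the server (placeholder host).
BASE = "https://sentinel.example:8443/SentinelRESTServices/objects/event-search"
SAMPLE = {
    f"{BASE}?pagesize=1&page=1": json.dumps({"objects": [{"status": 1, "found": 10}],
                                           "next": {"@href": f"{BASE}?pagesize=1&page=2"}}),
    f"{BASE}?pagesize=1&page=2": json.dumps({"objects": [{"status": 2, "found": 42}],
                                           "prev": {"@href": f"{BASE}?pagesize=1&page=1"}}),
}
def fake_fetch(url):
    """Stand-in for an authenticated HTTP GET; returns the constructed response text."""
    return SAMPLE[url]
```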