Query API requests

Overview

Check the list of available endpoints and methods to work with the Query API:

| Endpoints and methods | Description |
| --- | --- |
| POST /query | Run a query. |
| GET /table/{tableName} | Get information about a table, including the data types. |

Endpoints and methods

POST /query

Use this endpoint to run a query through the API.

GET /table/{tableName}

Get information about a table, including data types.

Path parameters

Add the following path parameters as part of the endpoint:

| Parameter | Type | Description |
| --- | --- | --- |
| tableName (required) | string | A Devo table, such as siem.logtrust.collector.counter. |

Request example with curl, using jsonlint to pretty-print the response. Set the URL on its own line first, so that $url is already defined when the shell expands the curl arguments:

url="https://apiv2-us.devo.com/search/table/my.synthesis.example.customtable"
curl -s -S -H "Content-Type: application/json" -H "Authorization: Bearer $token" "$url" | jsonlint

| Code | Description |
| --- | --- |
| 200 | Successful response. |
| 4xx | Bad request. |

Example 200 response:

{
  "cid": "4d9e71cbc840",
  "msg": "",
  "object": [
    { "fieldName": "eventdate", "type": "timestamp" },
    { "fieldName": "example_field_str", "type": "str" },
    { "fieldName": "example_field_int", "type": "int8" },
    { "fieldName": "example_field_json", "type": "json" },
    { "fieldName": "example_field_ip4", "type": "ip4" }
  ],
  "status": 0,
  "timestamp": 1741291334113
}

Example 4xx response:

{
  "timestamp": 1741293602208,
  "cid": "6acc31e8644c",
  "msg": "Access not allowed for table 'my.synthesis.incorrect.table'",
  "status": 403
}

The "Access not allowed" message is returned for tokens with the *.** admin scope when the table does not exist. For a token with a limited scope, the same message can mean either that the table is outside the token's scope or that it does not exist, so the response alone does not tell you which.
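The following client for GET /table/{tableName} is an added example and is not part of Devo's documentation or SDK. It sends the same headers as the curl request above, reads the token from an environment variable (DEVO_TOKEN, an assumed name) instead of embedding it, and treats a 4xx body the way the page describes: the JSON envelope (cid, msg, status) is parsed and surfaced as an error, so a 403 "Access not allowed" is reported with its cid for support follow-up rather than being swallowed. The allow-list check on the table name is a defensive assumption of this example, not a rule stated by the API. The two sample bodies are the responses shown on this page.

```python
import json
import os
import re
import urllib.error
import urllib.request

# Sample responses copied from this page (200 and 403 bodies).
SAMPLE_OK = {
    "cid": "4d9e71cbc840", "msg": "", "status": 0, "timestamp": 1741291334113,
    "object": [
        {"fieldName": "eventdate", "type": "timestamp"},
        {"fieldName": "example_field_str", "type": "str"},
        {"fieldName": "example_field_int", "type": "int8"},
        {"fieldName": "example_field_json", "type": "json"},
        {"fieldName": "example_field_ip4", "type": "ip4"},
    ],
}
SAMPLE_DENIED = {
    "timestamp": 1741293602208, "cid": "6acc31e8644c",
    "msg": "Access not allowed for table 'my.synthesis.incorrect.table'", "status": 403,
}

# Assumption of this example: table names are dotted identifiers. Rejecting anything
# else keeps user-supplied names from altering the request path.
TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.]+$")


class QueryApiError(Exception):
    """Non-zero status in the API envelope; keeps cid so the failure can be traced."""

    def __init__(self, status, msg, cid):
        super().__init__(f"status {status}: {msg} (cid={cid})")
        self.status, self.msg, self.cid = status, msg, cid


def table_url(base_url, table_name):
    """Build the /search/table/{tableName} URL after validating the name."""
    if not TABLE_NAME_RE.match(table_name):
        raise ValueError(f"refusing table name {table_name!r}: not a dotted identifier")
    return f"{base_url.rstrip('/')}/search/table/{table_name}"


def parse_table_info(body):
    """Map a /table response to {fieldName: type}; raise if the envelope reports an error."""
    if body.get("status", 0) != 0:
        raise QueryApiError(body.get("status"), body.get("msg", ""), body.get("cid"))
    return {field["fieldName"]: field["type"] for field in body.get("object", [])}


def fetch_table_info(base_url, token, table_name, timeout=10):
    """GET the table description with a bearer token; 4xx bodies are parsed, not discarded."""
    request = urllib.request.Request(
        table_url(base_url, table_name),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return parse_table_info(json.load(response))
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)  # the error response is file-like; read its JSON envelope
        except ValueError:
            raise QueryApiError(err.code, err.reason, None) from err
        return parse_table_info(body)


if __name__ == "__main__":
    # Usage: DEVO_TOKEN=... python this_file.py  (base URL and table name from the page)
    token = os.environ["DEVO_TOKEN"]
    try:
        fields = fetch_table_info("https://apiv2-us.devo.com", token, "my.synthesis.example.customtable")
        for name, field_type in fields.items():
            print(f"{name}: {field_type}")
    except QueryApiError as exc:
        print(f"request failed: {exc}")
```

Because a 403 for a limited-scope token is ambiguous (out of scope or nonexistent), the error keeps the cid from the envelope; that identifier, not the message text, is what to quote when checking which case applies.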

Relative time-ranges

The Query API supports the same language for relative days as the one used in the Data Search section.

Let's suppose the current time (which we refer to as "now()") is Wednesday, 05 February 2025, 13:37:05. The table below shows the resulting time when different expressions are applied.

| Time expression | Description | Resulting time |
| --- | --- | --- |
| now() - 60m | 60 minutes ago | Wednesday, 05 February 2025, 12:37:05 |
| now() @ 1h | Now (rounded to the beginning of the hour) | Wednesday, 05 February 2025, 13:00:00 |
| now() - 24h | 24 hours ago | Tuesday, 04 February 2025, 13:37:05 |
| (now() - 1d) @ 1d | Yesterday (rounded to the beginning of the day) | Tuesday, 04 February 2025, 00:00:00 |
| (now() - 2d) @ 1d | 2 days ago (rounded to the beginning of the day) | Monday, 03 February 2025, 00:00:00 |
| (now() - 2d) @ 1m | 2 days ago (rounded to the beginning of the minute) | Monday, 03 February 2025, 13:37:00 |
| ((now() - 2d) @ 1d) - 2h | 2 days ago (rounded to the beginning of the day, minus 2 hours) | Sunday, 02 February 2025, 22:00:00 |
| now() @ 1w | Locale week | Wednesday, 05 February 2025, 00:00:00 |
| now() @ 1W | ISO week | Thursday, 30 January 2025, 00:00:00 |
| now() ^ 6d | Replace the day with 6 | Thursday, 06 February 2025, 13:37:05 |
| now() ^ 2025y3M6d15h30m20s | | Thursday, 06 March 2025, 15:30:20 |
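To make the table concrete, here is an added evaluator for the relative-time expressions above. It is example code, not Devo's implementation: it covers the `-`/`+` offsets in seconds, minutes, hours and days, `@` rounding to the start of a minute, hour or day, `^` field replacement, and parentheses, and reproduces the results in the table for the fixed "now()" of Wednesday, 05 February 2025, 13:37:05. Week rounding (`1w`, `1W`) is deliberately left out, because the page shows that locale and ISO weeks give different results and the example does not assume a locale; such expressions raise an error rather than returning a wrong time.

```python
import re
from datetime import datetime, timedelta

# Constructed anchor: the "now()" the page's table is computed from.
NOW = datetime(2025, 2, 5, 13, 37, 5)

TOKEN_RE = re.compile(r"now\(\)|[()\-+@^]|(?:\d+[yMdhms])+")
OFFSET_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
REPLACE_FIELDS = {"y": "year", "M": "month", "d": "day", "h": "hour", "m": "minute", "s": "second"}


def parse_duration(text):
    """'2025y3M6d15h30m20s' -> [(2025, 'y'), (3, 'M'), (6, 'd'), ...]"""
    parts = [(int(n), u) for n, u in re.findall(r"(\d+)([yMdhms])", text)]
    if not parts or "".join(f"{n}{u}" for n, u in parts) != text:
        raise ValueError(f"not a duration: {text!r}")
    return parts


def apply_offset(t, parts, sign):
    """now() - 60m / now() + 2h: shift by the summed duration."""
    total = 0
    for n, unit in parts:
        if unit not in OFFSET_SECONDS:
            raise ValueError(f"offset unit {unit!r} not handled in this example")
        total += n * OFFSET_SECONDS[unit]
    return t + sign * timedelta(seconds=total)


def apply_round(t, parts):
    """@ 1m / @ 1h / @ 1d: truncate to the beginning of that unit (weeks not handled)."""
    if len(parts) != 1 or parts[0][0] != 1 or parts[0][1] not in ("m", "h", "d"):
        raise ValueError(f"rounding to {parts!r} not handled in this example")
    unit = parts[0][1]
    if unit == "m":
        return t.replace(second=0)
    if unit == "h":
        return t.replace(minute=0, second=0)
    return t.replace(hour=0, minute=0, second=0)


def apply_replace(t, parts):
    """^ 6d / ^ 2025y3M6d15h30m20s: overwrite the named calendar fields."""
    return t.replace(**{REPLACE_FIELDS[unit]: n for n, unit in parts})


class _Parser:
    """Recursive-descent parser: expr := term (op duration)* ; term := now() | '(' expr ')'"""

    def __init__(self, expression, now):
        self.tokens = TOKEN_RE.findall(expression)
        if "".join(self.tokens) != expression.replace(" ", ""):
            raise ValueError(f"unrecognised characters in {expression!r}")
        self.pos, self.now = 0, now

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def expr(self):
        t = self.term()
        while self.peek() in ("-", "+", "@", "^"):
            op = self.take()
            parts = parse_duration(self.take() or "")
            if op == "-" or op == "+":
                t = apply_offset(t, parts, -1 if op == "-" else 1)
            elif op == "@":
                t = apply_round(t, parts)
            else:
                t = apply_replace(t, parts)
        return t

    def term(self):
        token = self.take()
        if token == "now()":
            return self.now
        if token == "(":
            t = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return t
        raise ValueError(f"unexpected token {token!r}")


def evaluate(expression, now=NOW):
    """Evaluate a relative-time expression against a fixed now()."""
    parser = _Parser(expression, now)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input after {parser.pos} tokens")
    return result


def fmt(t):
    """Render in the same form as the table: 'Wednesday, 05 February 2025, 12:37:05'."""
    return t.strftime("%A, %d %B %Y, %H:%M:%S")


if __name__ == "__main__":
    for expression in ("now() - 60m", "(now() - 1d) @ 1d", "((now() - 2d) @ 1d) - 2h",
                       "now() ^ 6d", "now() ^ 2025y3M6d15h30m20s"):
        print(f"{expression:32} -> {fmt(evaluate(expression))}")
```

Operators are applied strictly left to right, which is why `((now() - 2d) @ 1d) - 2h` needs the parentheses: rounding first and then subtracting two hours lands on the previous day, whereas subtracting first and then rounding would not.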

Deprecated date language expressions

A relative date range is a period of time that is relative to the current date (last week, last month, etc). You can add different operators to the from and to parameters of your query request to indicate specific time ranges. Note that the date you enter in the to parameter must always be greater than or equal to the from date.

For all the examples that don't use a timestamp to specify a date, we assume that the moment of execution is 08-10-2018, 14:33:12 UTC.

Query response formats

Responses to your queries can be returned to the source of the request, forwarded to an HDFS, S3, SNMP, or Kafka type system, or sent via email.

Given the different possible destinations for query responses, you can also specify the format in which you want the response to be sent. This is specified in the mode.type parameter of the request body. The available response formats are:
