Query API requests

Query API requests

Overview

Check the list of available endpoints and methods to work with the Query API:

Endpoints and methods

Description

Endpoints and methods

Description

POST/query

Run a query.

GET/table/{tableName}

Get information about a table, including the data types.

Endpoints and methods

POST/query

Use this endpoint tu run a query through the API.

 

Request

Request body

The request JSON body must include an object with the following key-value pairs.

Parameter

Type

Description

Parameter

Type

Description

query

string

This is the query that you want to run, expressed in LINQ. To find the query's LINQ script in the Devo app, open the query in the Data search area, then choose Query code editorfrom the toolbar.

The body of the request must contain either the query or the queryId parameter.

queryId

string

This is the ID of the query that you want to run. To find the query ID, open the query in the Data search area, then open the search window menu and select Current query Get ID.

The body of the request must contain either the query or the queryId parameter.

from required

integer

The start date as a UTC timestamp in seconds. See the Relative dates section below to learn more about this parameter.

to

integer

The end date as a UTC timestamp in seconds. If this parameter is left out, the query will be continuous. See the Relative dates section below to learn more about this parameter.

mode

object

This object contains the type parameter (string) to specify the format of the response. If left out of the request body, the default response type json will be used.

The possible values are:

  • json

  • json/compact

  • json/simple

  • json/simple/compact

  • msgpack

  • csv

  • tsv

  • xls

  • avro

These response formats are fully described later in this article. When you indicate a response format other than json, you must include the dateFormat and timeZone parameters.

destination

object

This object specifies where the response should be sent. If this object is left out of the request body, the response will be sent back to the request source.

It must include the following parameters:

  • type - (string) This is the type of system to which the response should be sent. The possible values are:

    • hdfs

    • s3

    • email

    • snmp

    • kafka

Depending on the type, additional parameters will be required. See the related HDFS, S3, email, SNMPand Kafka articles.

  • params - (string) Destination parameters, depend on the type selected. Check theHDFS, Kafka,S3, email and SNMParticles to see the parameters required for each destination.

dateFormat

string

This is only required when you specify a type other than json. The possible formats are:

  • default - yyyy-MM-dd' 'HH:mm:ss.SSS

  • sql - yyyy-MM-dd' 'HH:mm:ss.SSS

  • iso - yyyy-MM-dd'T'HH:mm:ss.SSSXX

timeZone

string

Change the timezone of the query, only for mode types other than json. This parameter supports any positive or negative GMT timezones, like GMT-2 or GMT+1

timeUnit

string

When from or to params are timestamps, you can use this parameter to specify the time unit. Only MILLISECONDS or SECONDS are valid values.

skip/offset

integer

You can use either the skip or offset parameters to skip the first X elements of the query.

limit

integer

Limit the results of the query. The query will stop after returning the first X elements of the query or reaching its end.

ipAsString

boolean

Set this parameter to true if you want to get IP addresses as dotted strings (for example, 94.2.23.1). If you don't add this parameter in your request or set it to false, IP addresses will be returned as numbers(for example,1577195265).

vaultName

string

Query priority. Allowed values are:

  • low

  • normal

  • high

  • urgent

progressInfo

boolean

Set this parameter to true if you want to get progress info about the requested query. You will get an entry p with the timestamp of the event that is being processed at that moment.Progress info will be sent at most once every 5s.

This is only available if you settype as json/simple/compact.See an example below.

allowPartialResults

boolean

Specifies whether partial results are allowed or not (true by default). If partial results are not allowed, the query will be interrupted every time some results are missing due to a failure.

keepAlive

object

Object with information about the keep alive message for CSV, TSV and XLS modes. If not provided, live queries aren't accepted for the mentioned modes. Note that this object doesn't apply to any json mode.

This object must contain the following parameters:

  • type - (string) Allowed values are:

    • empty - An empty event will be sent as a keep alive message.

    • token - A configurable token set in the parameter explained below will be sent as a keep alive message.

  • token - (string) Configurable token to be sent as a keep alive message for the token type. The default value is \n

Examples:

"keepAlive": { "type":"empty" }
"keepAlive": { "type":"token", "token":"myToken" }

timeRangeFilter

object

Add this object to use time control in your query. Time control allows you to choose either the event date (time when Devo receives the data) or creation date (time when the events are generated in its source) as reference time when you query data.

Check this article to learn more about time control and how to use it in the Devo app.

This object may include the following parameters:

  • by - (string) Choose the reference time to be used in your query. Allowed values are eventdate and creationdate. Default value is eventdate.

  • allowedLateness - (string) This option can only be used if you enter creationdate in the by parameter above. Enter the maximum expected delay between the creation date and the ingestion date of the table queried. It admits duration type expressions (1h, 1d, etc). Default value is now.

Setting a reception delay using the allowedLateness parameter allows the system to increase performance as it only looks for the corresponding events.

Example

curl --location 'https://apiv2-us.devo.com/search/query' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer 2e672c8182f67a3bc6cd7a6815864589' \ --data '{ "query": "from siem.logtrust.web.activity", "limit": 30, "from": "1s", "keepAlive": { "type":"empty" } }'

 

 

 

The following are examples of responses:

{ "query": "from demo.ecommerce.data select *", "from": 1519645036, "to": 1519645136, "mode": { "type": "json" }, "destination": { "type": "hdfs", "params": { "param1": "value1", "param1": "value2" } } }
{ "from": 1519989362, "mode": { "type": "json/simple" }, "query": "from my.synthesis.vec00.suricataalert group every 30s every 30s select *", "to": 1519989392 }
{ "query": "from demo.ecommerce.data select *", "limit": 10, "from": 1528306922, "to": 1528306952, "mode": { "type": "tsv" } }

GET/table/{tableName}

Get information about a table, including data types.

 

Request

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

tableName required

string

A Devo table, such as siem.logtrust.collector.counter.

Request example with curl, using jsonlint to add whitespace:

url="https://apiv2-us.devo.com/search/table/my.synthesis.example.customtable" curl -s -S -H "Content-Type: application/json" -H "Authorization: Bearer $token" $url | jsonlint

 

Response

Code

Description

Code

Description

200

Successful response.

{ "cid": "4d9e71cbc840", "msg": "", "object": [ { "fieldName": "eventdate", "type": "timestamp" }, { "fieldName": "example_field_str", "type": "str" }, { "fieldName": "example_field_int", "type": "int8" }, { "fieldName": "example_field_json", "type": "json" }, { "fieldName": "example_field_ip4", "type": "ip4" } ], "status": 0, "timestamp": 1741291334113 }

4xx

Bad request.

{ "timestamp": 1741293602208, "cid": "6acc31e8644c", "msg": "Access not allowed for table 'my.synthesis.incorrect.table'", "status": 403 }

 

The Access not allowed message will occur for tokens with scope *.** admin if the table does not exist. If a token has limited scope, the message could indicate that the table is outside the scope, or that it does not exist.

Relative time-ranges

The Query API supports the same date language for relative days as the one used in the Data Search section. Devo encourage to use relative date language to perform Query API requests.

Deprecated date language expressions

A relative date range is a period of time that is relative to the current date (last week, last month, etc). You can add different operators to thefromandtoparameters of your query request to indicate specific time ranges.Note that the date you enter in thetoparameter must always be greater than or equal to thefromdate.

For all the examples that don't use a timestamp to specify a date, weassume that the moment of execution is08-10-2018, 14:33:12 UTC.

 Dates

Operator

Description

Operator

Description

today

Get the current day at 00:00:00. Note that the timeZone parameter affects the date settings.

  • from: today
    This sets the starting date to 08-10-2018, 00:00:00 UTC

  • to: today
    This sets the ending date to 08-10-2018, 00:00:00 UTC

  • from: today
    timeZone: GMT+2
    This sets the starting date to 08-10-2018, 00:00:00 GMT+2 (07-10-2018, 22:00:00 UTC)

  • to: today
    timeZone: GMT+2
    This sets the ending date to 08-10-2018, 00:00:00 GMT+2 (07-10-2018, 22:00:00 UTC)

now

Get the current day and time

  • from: now
    This sets the starting date to 08-10-2018, 14:33:12 UTC

  • to: now
    This sets the ending date to 08-10-2018, 14:33:12 UTC

endday

If you use this in the from field you will get the current day and the last second of the day. If you use it in the to field you will get the from date and the last second of that day. Note that the timeZone parameter affects the date settings.

  • from: endday
    This sets the starting date to 08-10-2018, 23:59:59 UTC

  • from: 1515500531 (this timestamp corresponds to 01/09/2018 12:22:11 UTC)
    to: endday
    This sets the ending date to 01-09-2018, 23:59:59 UTC
    .

  • from: endday
    timeZone: GMT+2
    This sets the ending date to 08-10-2018, 23:59:59 GMT+2 (08-10-2018, 21:59:59 UTC)

  • from: 1515493331 (this timestamp corresponds to 01/09/2018, 12:22:11 GMT+2)
    to: endday
    timeZone: GMT+2
    This sets the ending date to 01-09-2018 23:59:59 GMT+2 (01-09-2018, 21:59:59 UTC)

  • from: 1515452400 (this timestamp corresponds to 01/09/2018, 01:00:00 GMT+2)
    to: endday
    timeZone: GMT+2
    This sets the ending date to 01-09-2018 23:59:59 GMT+2 (01-09-2018, 21:59:59 UTC)

endmonth

If you use this in thefromfield you will get the last day of the current month and the last second of that day. If you use it in thetofield, you will get last day of the month indicated in thedatefield and the last second of that day. Note that the timeZone parameter affects the date settings.

  • from: endmonth
    This sets the starting date to 31-10-2018, 23:59:59 UTC

  • to: endmonth
    This sets the ending date to 30-09-2018, 23:59:59 UTC
    .

  • from: 1536150131 (this timestamp corresponds to 05/09/2018, 12:22:11 UTC)
    to: endmonth
    This sets the ending date to 30-09-2018, 23:59:59 UTC

  • from: 1536142931 (this timestamp corresponds to 05/09/2018, 12:22:11 GMT+2)
    to: endmonth
    timeZone: GMT+2
    This sets the ending date to 30-09-2018 23:59:59 GMT+2 (30-09-2018, 21:59:59 UTC)

 

Days

Operator

Description

Operator

Description

d

Enter a number followed by d in the from parameter to substract N days from the current date. If you use it in thetofield you will get the from date plus the indicated number of days.

  • from: 2d
    This sets the starting date to 06-10-2018, 14:33:12 UTC

  • from: 1536150131 (this timestamp corresponds to 05-09-2018, 12:22:11 UTC)
    to: 2d
    This sets the ending date to 07-09-2018, 12:22:11 UTC

     

  • from: 5d
    to: 2d
    This sets the starting date to 03-10-2018, 14:33:12 UTC and the ending date to 05-10-2018, 14:33:12 UTC

ad

Enter a number followed by ad in the from parameter to subtract N days from the current date and set time to 00:00:00. If you use it in thetofield you will get the from date plus the indicated number of days and set time to 00:00:00. Note that the timeZone parameter affects the date settings.

  • from: 2ad
    This sets the starting date to 06-10-2018, 00:00:00 UTC

  • from: 1536150131 (this timestamp corresponds to 05-09-2018, 12:22:11 UTC)

    to: 2ad
    This sets the ending date to 07-09-2018, 00:00:00 UTC

     

  • from:5ad
    to: 2ad
    This sets the starting date to 03-10-2018, 00:00:00 UTC and the ending date to 05-10-2018, 00:00:00 UTC

     

  • from: 1536142931 (this timestamp corresponds to 05/09/2018, 12:22:11 GMT+2)
    to: 2ad
    timeZone: GMT+2
    This sets the ending date to 07-09-2018, 00:00:00 GMT+2 (06-09-2018, 22:00:00 UTC)

  • from: 5ad
    to: 2ad
    timeZone: GMT+2
    This sets the starting date to 03-10-2018, 00:00:00 GMT+2 (02-10-2018, 22:00:00 UTC), and the ending date to 05-10-2018, 00:00:00 GMT+2 (04-10-2018, 22:00:00 UTC)

 

Hours

Operator

Description

Operator

Description

h

Enter a number followed by h in the from parameter to subtract N hours from the current time. If you use it in thetofield you will get the from time plus the indicated number of hours.

  • from: 2h
    This sets the starting date to 08-10-2018, 12:33:12 UTC

  • from: 16h
    This sets the starting date to 07-10-2018, 22:33:12 UTC

  • from: 1536150131 (this timestamp corresponds to 05/09/2018, 12:22:11 UTC)

    to: 2h
    This sets the ending date to 05-09-2018, 14:22:11 UTC

  • from: 5h

    to: 2h
    This sets the starting date to 08-10-2018, 09:33:12 UTC and the ending date to 08-10-2018, 11:33:12 UTC

ah

Enter a number followed by ah in the from parameter to subtract N hours from the current date at 00:00:00. If you use it in thetofield you will add the indicated number of hours to the from date at 00:00:00. Note that the timeZone parameter affects the date settings.

  • from: 2ah
    This sets the starting date to 07-10-2018, 22:00:00 UTC

  • from: 2ah
    timeZone: GMT+2
    This sets the starting date to 07-10-2018, 22:00:00 GMT+2 (07-10-2018, 20:00:00 UTC)

     

  • from: 1536114131 (this timestamp corresponds to 05-09-2018, 02:22:11 UTC)
    to: 12ah
    This sets the ending date to 05-09-2018, 12:00:00 UTC

  • from: 1536106931 (this timestamp corresponds to 05-09-2018, 02:22:11 GMT+2)
    to: 12ah
    timeZone: GMT+2
    This sets the ending date to 05-09-2018, 12:00:00 GMT+2 (05-09-2018, 10:00:00 UTC)

    .

  • from: 5ah
    to: 21ah
    This sets the starting date to 07-10-2018, 19:00:00 UTC and the ending date to 07-10-2018, 21:00:00 UTC

Query response formats

Responses to your queries can be either returned to the source of the request, forwarded to an HDFS,S3, SNMP, or Kafka type system, or sent via email.

Given the different possible destinations for query responses, you can also specify the format in which you want the response to be sent. This is specified in themode.typeparameterof the request body. The available response formats are:

 

Response type JSON

This is the default response format. This means that if you leave out themodeobject from the request body, the response will automatically be returned in this format.

So, to receive responses in JSON format, you can either leave themodeobject out of the request or you can specify it like this:

"mode": { "type":"json" }

The JSON response will include the following fields:

Field name

Type

Description

Field name

Type

Description

msg/error

string

This describes the error in the case that the request was not successful. This field will be named msg or error depending on the type of error returned.

The corresponding error code will be shown in the status field. Check the possible codes and corresponding messages below.

status

integer

Numeric value that specifies the error code.

When it shows 0, it means no error occurred.

These are the possible error codes that you may get. The corresponding error descriptions will be displayed in the msg/error field.

  • 400

  • 401

  • 403

  • 404

  • 500

object

object

The content of object varies based on the querys outcome:

  • For a successful query: The query result is returned.

  • In case of an error: The error details are returned.

See examples below.

cid

string

An ID value to uniquely identify yourself across multiple systems.

timestamp

string

Indicates the moment when a certain event occurred.

Examples

Here is a response in JSON format of a successful query.

{ "status": 0, "cid": "XXX", "timestamp": 1528308389081, "msg": "", "object": [ { "eventdate": "2016-10-24 06:35:00.000", "host": "aws-apiodata-euw1-52-49-216-97", "memory_heap_used": "3.049341704E9", "memory_non_heap_used": "1.21090632E8" }, { "eventdate": "2016-10-24 06:36:00.000", "host": "aws-apiodata-euw1-52-49-216-97", "memory_heap_used": "3.04991028E9", "memory_non_heap_used": "1.21090632E8" }, … }

Example when error code 400 (client error):

{ "timestamp": 1732648392046, "cid": "XXX", "error": "Bad parameters", "status": 400, "object": [ "405 : Date from not valid or not found" ] }

Example when error code 500 (server error):

{ "timestamp": 1732647846299, "cid": "XXX", "msg": "Error Launching Query", "status": 500, "object": [ "Error Launching Query", "Unknown identifier `machine`", "1101001", "QUERY_PARSING_ERROR", "NO" ] }
  • object positions

    • [0] is the error message

    • [1] is the user error message

    • [2] is the internal error code See Search monitoring (error codes) | Code errors for more details.

    • [3] is the error name

    • [4] indicates if:

      • YES the query is recoverable. The query is fine, but there is a temporary problem for retrieving the results.

      • NO the query is not recoverable. There is a data problem that should be solved.

 

Response type JSON/compact

To receive responses in JSON/compact format, specify themodeobject in your request like this:

"mode": { "type":"json/compact" }

The JSON/compact response will include the following fields:

  • Themobject lists the fields included in each query result along with theirtypeandindexmetadata.

Field name

Description

Field name

Description

type

The datatype of the value returned. This will be one of:

  • timestamp - epoch value in milliseconds

  • str - string

  • int8 - 8-byte integer

  • int4 - 4-byte integer

  • bool - boolean

  • float8 - 8-byte floating point

index

An integer value that indicates the position of the field's value in the arrays returned in the object.d object.

  • The metadata object gives information about the fields as an array, and includes the following fields:

Field name

Description

Field name

Description

name

Name of the field.

type

The datatype of the value returned. This will be one of:

  • timestamp - epoch value in milliseconds

  • str - string

  • int8 - 8-byte integer

  • int4 - 4-byte integer

  • bool - boolean

  • float8 - 8-byte floating point

  • The object d includes lightweight event info.

Example

Here is an example of a response in JSON/compact format that occurred without error:

{ "m": { "eventdate": { "type": "timestamp", "index": 0 }, "level": { "type": "str", "index": 1 }, "srcPort": { "type": "int4", "index": 2 } }, "metadata": [ { "name": "eventdate", "type": "timestamp" }, { "name": "level", "type": "str" }, { "name": "srcPort", "type": "int4" } ], "d": [ [ 1519989828006, "INFO", 51870 ], [ 1519989828392, "INFO", 51868 ], [ 1519989830837, "INFO", 55514 ] ] }

 

Response type JSON/simple

To receive responses in JSON/simple format, specify the mode object in your request like this:

"mode": { "type":"json/simple" }

The response is a stream of JSON objects of the values that the query generates with the structure below.When the query does not generate more information, the connection is closed by the server. In case no dateto value is requested, the connections are kept alive.

Example

{"eventdate":1488369600000,"domain":"none","userEmail":"","country":null,"count":3} {"eventdate":1488369600000,"domain":"user1@devo.com","userEmail":"0:0:0:0:0:0:0:1","country":null,"count":18} {"eventdate":1488369600000,"domain":"none","userEmail":"user2@devo.com","country":null,"count":7} {"eventdate":1488373200000,"domain":"user3@devo.com","userEmail":"127.0.0.1","country":null,"count":10} {"eventdate":1488373200000,"domain":"user4@devo.com","userEmail":"0:0:0:0:0:0:0:1","country":null,"count":28} {"eventdate":1488373200000,"domain":"dom","userEmail":"user5@devo.com","country":null,"count":15} ...

 

Responsetype JSON/simple/compact

To receive responses in JSON/simple/compact format, specify the mode object in your request like this:

"mode": { "type":"json/simple/compact" }

The response is a stream of JSON objects with the following structure:

  • The m object lists the fields included in each query result along with their type and index metadata.

Field name

Description

Field name

Description

type

The datatype of the value returned. This will be one of:

  • timestamp - epoch value in milliseconds

  • str - string

  • int8 - 8-byte integer

  • int4 - 4-byte integer

  • bool - boolean

  • float8 - 8-byte floating point

index

An integer value that indicates the position of the field's value in the arrays returned in the object.d object.

  • The metadata object gives information about the fields as an array, and includes the following fields:

Field name

Description

Field name

Description

name

Name of the field.

type

The datatype of the value returned. This will be one of:

  • timestamp - epoch value in milliseconds

  • str - string

  • int8 - 8-byte integer

  • int4 - 4-byte integer

  • bool - boolean

  • float8 - 8-byte floating point

  • The object d includes the array of values with the returned events data. Every row is a valid JSON object.

When the query does not generate more information, the connection is closed by the server. In case no dateto valueis requested, the connections are kept alive.

Progress data in timestamp

You can receive a timestamp indicating the progress data as an entryp in your response, if the progressInfo parameter is set to true in the request.

Example

{ "m":{ "eventdate":{ "type":"timestamp", "index":0 }, "level":{ "type":"str", "index":1 }, "srcPort":{ "type":"int4", "index":2 } }, "metadata":[ { "name": "eventdate", "type": "timestamp" }, { "name": "level", "type": "str" }, { "name": "srcPort", "type": "int4" } ] } { "d":[ 1519989516834, "INFO", 49756 ] } { "d":[ 1519989516874, "INFO", 51472 ] } { "d":[ 1519989517774, "INFO", 49108 ] } { "p":[ 1519989537574 ] } {"d":[ 1519989538794, "INFO", 49108 ] }

 

Response type MsgPack

To receive responses in MsgPack format, specify the mode object in your request like this:

"mode": { "type":"msgpack" }

The response format is the same as a JSON object, but encoded using MsgPack, an efficient binary serialization format. See the msgpack website for more information.

 

Response type CSV

To receive responses in CSV format, specify the mode object in your request like this:

"mode": { "type":"csv" }

The system will return the information in CSV (Comma Separated Values) format. The following is a simple example of a CSV response.

Example

eventdate,domain,userEmail,country,count
2017-03-01 12:00:00.000,none,,,3
2017-03-01 12:00:00.000,user1@devo.com,0:0:0:0:0:0:0:1,,18
2017-03-01 12:00:00.000,none,user2@devo.com,,7
2017-03-01 13:00:00.000,user3@devo.com,127.0.0.1,,10
2017-03-01 13:00:00.000,user4@devo.com,0:0:0:0:0:0:0:1,,28
2017-03-01 13:00:00.000,dom,user5@devo.com,,15

eventdate,domain,userEmail,country,count
2017-03-01 12:00:00.000,none,,,3
2017-03-01 12:00:00.000,user1@devo.com,0:0:0:0:0:0:0:1,,18
2017-03-01 12:00:00.000,none,user2@devo.com,,7
2017-03-01 13:00:00.000,user3@devo.com,127.0.0.1,,10
2017-03-01 13:00:00.000,user4@devo.com,0:0:0:0:0:0:0:1,,28
2017-03-01 13:00:00.000,dom,user5@devo.com,,15

 

Response typeTSV

To receive responses in TSV format, specify the mode object in your request like this:

"mode": { "type":"tsv" }

The system will return the information in CSV (Comma Separated Values) format. The following is a simple example of a TSV response.

Example

eventdate domain userEmail country count
2017-03-01 12:00:00.000 none 3
2017-03-01 12:00:00.000 user1@devo.com 0:0:0:0:0:0:0:1 18
2017-03-01 12:00:00.000 none user2@devo.com 7
2017-03-01 13:00:00.000 user3@devo.com 127.0.0.1 10
2017-03-01 13:00:00.000 user4@devo.com 0:0:0:0:0:0:0:1 28
2017-03-01 13:00:00.000 dom user5@devo.com 15

eventdate domain userEmail country count
2017-03-01 12:00:00.000 none 3
2017-03-01 12:00:00.000 user1@devo.com 0:0:0:0:0:0:0:1 18
2017-03-01 12:00:00.000 none user2@devo.com 7
2017-03-01 13:00:00.000 user3@devo.com 127.0.0.1 10
2017-03-01 13:00:00.000 user4@devo.com 0:0:0:0:0:0:0:1 28
2017-03-01 13:00:00.000 dom user5@devo.com 15

 

Response type Excel

To receive responses in XLS format, specify the mode object in your request like this:

"mode": { "type":"xls" }

The system sends the query results in a Microsoft Excel format file.

 

Response type Avro

To receive responses in XLS format, specify the mode object in your request like this:

"mode": { "type":"avro" }

The system sends the query results in Avro binary format. Avro is used with Hadoop or Kafka.

Example Request

api="https://apiv2-us.devo.com/search/query" query="from siem.logtrust.collector.counter select tag limit 1" curl -s -S -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $token" \ -d '{"query": "'"$query"'", "from": "now()@1d", "to": "now()", "mode":{"type":"avro"}}' $api --output -

Example Response

The response is in binary format.

Objavro.schema?{"type":"record","name":"QueryAvroResponse","fields":[{"name":"tag","type":["null","string"],"default":null}]}|+??e<~z$??t?B>siem.logtrust.collector.counter|+??e<~z$??t?eu