URL
GET https://{api-url}/api/v2/tenants/{tenantId}/alerts/{alertId}/occurrencesSample URLs
https://{api-url}/api/v2/tenants/client_7/alerts/175/occurrenceshttps://{api-url}/api/v2/tenants/client_7/alerts/175/occurrences?pageSize=100&queryString=startTime:2016-01-01T00:00:00 0000+endTime:2017-12-31T00:00:00 0000Parameters
All parameters are optional:
| Field | Default Value |
|---|---|
| pageSize={pageSize} | 100 |
| queryString={queryString} | NA |
NA indicates that the value is not applicable.
Query variables
| Query Variable | Description |
|---|---|
| startTime | Search for an alert triggered within a specific duration where startTime represents the from date. |
| endTime | Search for an alert triggered within a specific duration where endTime represents the to date. |
Notes
There are special characters that can be used in a query string:
- (+) represents the next field and must be URL-encoded.
- (:) represents equals. An example is
key : value. - Space characters must be URLencoded.
- Date format must be yyyy-MM-ddTHH:mm:ssZ (GMT).
The process for pagination
The API provides the results in descending order of alert-triggered date. The latest alert appears first based on the alert-triggered time. The process for handling any number of occurrences include the following:
- Get all occurrences of an alert.
- Get alert occurrences of an alert that is triggered within a specific duration.
- Traverse through each page of occurrences.
Get All occurrences of an alert
To fetch all alert occurrences irrespective of the alert-triggered time, provide the URI:
/tenants/{tenantId}/alerts/{alertId}/occurrencesGet Alert occurrences of an alert that is triggered within a specific duration
To fetch raw alerts triggered within a specific duration, provide the start time and end time. To fetch raw alerts triggered between January 13th 2017 to February 13th 2017, provide the startTime of 2017-01-13T00:00:00 0000 and an endTime of 2016-02-13T00:00:00 0000. This is the URI for that request:
/tenants/{tenantId}/alerts/{alertId}/occurrences?queryString=startTime:2017-01-13T00:00:00 0000+endTime:2017-02-13T00:00:00 0000Traverse through each page of occurrences
There is a limit of 100 results per page. If an alert has 120 occurrences, the latest 100 results will appear in the first page. To traverse to the second page, use the endDate from the first page and provide it as the endTime in the query string. The second page will return the remaining 20 alerts.
Use these fields when traversing through additional pages as long as nextPage: true:
| Field | Description |
|---|---|
| results | List of raw alerts data. |
| pageSize | The page size that represents the total number of results to display on the page. The default page size is 100. |
| nextPage | This flag helps determine when the search is complete. If nextPage: false, the search is done. to traverse through the rest of the pages. |
| descendingOrder | Alerts appear in a descending order. The latest triggered alert appears on the top. |
| startDate | Indicates the alert-triggered time of the first result on the page. |
| endDate | Indicates the alert-triggered time of the last result on the page. To traverse through the other pages, provide endDate from previous page and provide it as endTime in queryString. |
Sample response
{
"results":
[
{
"uniqueId": "7",
"subject": "Event Source : McLogEvent / Id : 257",
"description": "Source : McLogEvent
Event ID : 257
Event Description : The scan of D:\\setup\\Projects\\ITOM\\build\\war\\WEB-INF\\lib\\fastutil-6.5.7.jar has taken too long to complete and is being canceled. Scan engine version used is 5900.7806 DAT version 8560.0000.
Event Log Name : Application
Event Log Type : INFORMATION
Event Log Date Time : 06/16/2017 05:37:18.0",
"currentState": "Critical",
"createdTimeString": "2017-06-16T05:38:10+0000"
},
{
"uniqueId": "7",
"subject": "Event Source : McLogEvent / Id : 257",
"description": "Source : McLogEvent
Event ID : 257
Event Description : The scan of D:\\setup\\Projects\\CSGRID\\build\\server\\indexer\\lib\\aws-java-sdk-models-1.11.128.jar has taken too long to complete and is being canceled. Scan engine version used is 5900.7806 DAT version 8560.0000.
Event Log Name : Application
Event Log Type : INFORMATION
Event Log Date Time : 06/16/2017 05:32:01.0",
"currentState": "Critical",
"createdTimeString": "2017-06-16T05:32:12+0000"
},
{
"uniqueId": "7",
"subject": "Event Source : McLogEvent / Id : 257",
"description": "The following event has repeated 4 times in the last 4 minutes
Source : McLogEvent
Event ID : 257
Event Description : Blocked by port blocking rule (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).
Event Log Name : Application
Event Log Type : INFORMATION Event Log Date Time : 05/30/2017 06:00:03.0 ",
"currentState": "Critical",
"createdTimeString": "2017-05-30T06:03:50+0000"
},
{
"uniqueId": "7",
"subject": "Event Source : McLogEvent / Id : 257",
"description": "The following event has repeated 2 times in the last 2 minutes
Source : McLogEvent
Event ID : 257
Event Description : Blocked by port blocking rule (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).
Event Log Name : Application
Event Log Type : INFORMATION
Event Log Date Time : 05/29/2017 15:33:55.0",
"currentState": "Critical",
"createdTimeString": "2017-05-29T13:31:14+0000"
}
],
"pageSize": 100,
"nextPage": true,
"startDate": "2017-06-16T05:38:10+0000",
"endDate": "2017-05-29T10:17:49+0000",
"descendingOrder": true
}