post
/evidence/search
Search for an evidence entutiy by filter
CURL
curl -X POST \
-H "Authorization: [[apiKey]]" \
-H "Accept: application/json" \
-H "Content-Type: application/json,application/xml" \
"https://hostname:443/evidence/search" \
-d '{
"filter" : {
"period" : {
"fromValue" : "fromValue",
"toValue" : "toValue",
"byFrom" : "byFrom",
"field" : "field",
"by" : "by",
"byTo" : "byTo"
},
"searchAfterMap" : {
"key" : [ "searchAfterMap", "searchAfterMap" ]
},
"searchAfterMapOrder" : {
"key" : 6
},
"ignoreWorkers" : true,
"query" : "query",
"searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
"toDate" : "2000-01-23T04:56:07.000+00:00",
"trim_events" : 5,
"sort" : [ {
"asc" : true,
"field" : "field",
"fieldType" : "fieldType"
}, {
"asc" : true,
"field" : "field",
"fieldType" : "fieldType"
} ],
"filterobjectquery" : "filterobjectquery",
"timeFrame" : 5,
"fromDate" : "2000-01-23T04:56:07.000+00:00",
"fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
"size" : 1,
"searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
"searchBefore" : [ "searchBefore", "searchBefore" ],
"searchAfter" : [ "searchAfter", "searchAfter" ],
"accounts" : {
"key" : "{}"
},
"page" : 0,
"fields" : [ "fields", "fields" ],
"Cache" : {
"key" : [ "Cache", "Cache" ]
}
},
"incidentID" : "incidentID"
}' \
-d '
UNDEFINED_EXAMPLE_VALUE
UNDEFINED_EXAMPLE_VALUE
aeiou
aeiou
2000-01-23T04:56:07.000Z
2000-01-23T04:56:07.000Z
true
123456789
aeiou
aeiou
aeiou
UNDEFINED_EXAMPLE_VALUE
UNDEFINED_EXAMPLE_VALUE
aeiou
aeiou
123456789
123456789
2000-01-23T04:56:07.000Z
123456789
aeiou
'
Request
Body
optional
filter
optional
GenericStringDateFilter is a general filter that will fetch entities using the Query value and a date filter
Cache
optional
Map
Cache of join functions
accounts
optional
Map
of objects
fields
optional
Array
of strings
filterobjectquery
optional
String
fromDate
optional
Object
format: date-time
fromDateLicense
optional
Object
format: date-time
ignoreWorkers
optional
Boolean
Do not use workers mechanism while searching bleve
page
optional
Number
(Long)
0-based page
format: int64
period
optional
by
optional
String
By is used for legacty, and if exists it will override ByTo and ByFrom
byFrom
optional
String
byTo
optional
String
field
optional
String
fromValue
optional
String
format: duration
toValue
optional
String
format: duration
query
optional
String
searchAfter
optional
Array
of strings
Efficient next page, pass max sort value from previous page
searchAfterElastic
optional
Array
of strings
Efficient next page, pass max ES sort value from previous page
searchAfterMap
optional
Map
Map accounts search after values - stores next page sort values per account.
There is no need to store searchBeforeMap as [current page searchBefore] equals to [prev page searchAfter]
More, there is no way to generate correct searchBefore from current page as some tenants may not appear at all.
The map is relevant in proxy mode and used by tenants, each tenant extracts the searchAfter keys from the map.
searchAfterMapOrder
optional
Map
of numbers
(Long)
format: int64
searchBefore
optional
Array
of strings
Efficient prev page, pass min sort value from next page
searchBeforeElastic
optional
Array
of strings
Efficient prev page, pass min ES sort value from next page
size
optional
Number
(Long)
Size is limited to 1000, if not passed it defaults to 0, and no results will return
format: int64
sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean
field
optional
String
fieldType
optional
String
timeFrame
optional
Number
(Long)
A Duration represents the elapsed time between two instants
as an int64 nanosecond count. The representation limits the
largest representable duration to approximately 290 years.
format: int64
toDate
optional
Object
format: date-time
trim_events
optional
Number
(Long)
format: int64
incidentID
optional
String
Responses