
Search alert occurrences

This endpoint retrieves the occurrences of an alert based on the alert-triggered time.


URL

GET https://{api-url}/api/v2/tenants/{tenantId}/alerts/{alertId}/occurrences

Sample URLs

https://<api-url>/api/v2/tenants/client_7/alerts/175/occurrences
https://<api-url>/api/v2/tenants/client_7/alerts/175/occurrences?pageSize=100&queryString=startTime:2016-01-01T00:00:00 0000+endTime:2017-12-31T00:00:00 0000

Parameters

All parameters are optional:

Field                      Default Value
pageSize={pageSize}        100
queryString={queryString}  NA

NA indicates that the value is not applicable.

Query variables

Query Variable   Description
startTime        Search for alerts triggered within a specific duration, where startTime is the from date.
endTime          Search for alerts triggered within a specific duration, where endTime is the to date.

The process for pagination

The API returns results in descending order of alert-triggered time, so the most recently triggered alert appears first. The process for handling any number of occurrences includes the following steps:

  1. Get all occurrences of an alert.
  2. Get alert occurrences of an alert that is triggered within a specific duration.
  3. Traverse through each page of occurrences.

Get all occurrences of an alert

To fetch all alert occurrences irrespective of the alert-triggered time, provide the URI:

/tenants/{tenantId}/alerts/{alertId}/occurrences

Get alert occurrences of an alert that is triggered within a specific duration

To fetch raw alerts triggered within a specific duration, provide the start time and end time. For example, to fetch raw alerts triggered between January 13th 2017 and February 13th 2017, provide a startTime of 2017-01-13T00:00:00 0000 and an endTime of 2017-02-13T00:00:00 0000. This is the URI for that request:

/tenants/{tenantId}/alerts/{alertId}/occurrences?queryString=startTime:2017-01-13T00:00:00 0000+endTime:2017-02-13T00:00:00 0000

Traverse through each page of occurrences

There is a limit of 100 results per page. If an alert has 120 occurrences, the latest 100 appear on the first page. To move to the second page, take the endDate from the first page's response and provide it as the endTime in the query string; the second page then returns the remaining 20 occurrences.

Use these response fields when traversing additional pages, for as long as nextPage is true:

Field            Description
results          List of raw alert data.
pageSize         The page size, that is, the number of results returned on the page. The default page size is 100.
nextPage         Flag that indicates whether the search is complete. If nextPage is false, the search is done; if it is true, request the next page to traverse the rest of the results.
descendingOrder  Alerts appear in descending order; the most recently triggered alert is at the top.
startDate        The alert-triggered time of the first result on the page.
endDate          The alert-triggered time of the last result on the page. To traverse to the next page, take the endDate from the previous page and provide it as endTime in queryString.
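The pagination procedure described above, as an added Python example; it is not part of this page and not the vendor's own client. It assumes that queryString timestamps use the form the sample response uses (a +0000 zone, percent-encoded as %2B inside the URL, with a literal + between the startTime and endTime clauses), that endTime is inclusive so the boundary row of one page may reappear at the top of the next, and that fetch is any callable that takes a URL and returns the decoded JSON dictionary. The fake_fetch pages and the api.example.com host are constructed here so the example runs offline.

```python
"""Walk the alert-occurrences endpoint page by page using endDate -> endTime.

Example code added to the documentation page, not the vendor's client.
Assumptions (not stated by the page): timestamps are formatted like the
sample response (+0000 zone) and percent-encoded as %2B in the URL; endTime is
inclusive; `fetch` is any callable url -> decoded JSON dict.
"""
import urllib.parse
from typing import Callable, Dict, Iterator, List, Optional

Fetch = Callable[[str], dict]


def build_query_string(start_time: Optional[str], end_time: Optional[str]) -> str:
    """startTime:<ts>+endTime:<ts>, omitting whichever bound is not given."""
    clauses = []
    if start_time:
        clauses.append("startTime:" + urllib.parse.quote(start_time, safe=":"))
    if end_time:
        clauses.append("endTime:" + urllib.parse.quote(end_time, safe=":"))
    return "+".join(clauses)  # literal '+' separates the clauses, as in the sample URLs


def build_url(api_url: str, tenant_id: str, alert_id, page_size: Optional[int] = None,
              start_time: Optional[str] = None, end_time: Optional[str] = None) -> str:
    """GET https://{api-url}/api/v2/tenants/{tenantId}/alerts/{alertId}/occurrences[?...]"""
    # Percent-encode path segments so a caller-supplied id cannot add path components.
    tenant = urllib.parse.quote(str(tenant_id), safe="")
    alert = urllib.parse.quote(str(alert_id), safe="")
    url = f"https://{api_url}/api/v2/tenants/{tenant}/alerts/{alert}/occurrences"
    params = []
    if page_size is not None:
        params.append(f"pageSize={int(page_size)}")
    query_string = build_query_string(start_time, end_time)
    if query_string:
        params.append("queryString=" + query_string)
    return url + ("?" + "&".join(params) if params else "")


def iter_occurrences(fetch: Fetch, api_url: str, tenant_id: str, alert_id,
                     start_time: Optional[str] = None, end_time: Optional[str] = None,
                     page_size: Optional[int] = None, max_pages: int = 1000) -> Iterator[dict]:
    """Yield occurrences newest-first across pages until nextPage is false.

    Each page's endDate becomes the next request's endTime. max_pages bounds the
    loop so a server that keeps answering nextPage: true cannot spin the client.
    """
    seen = set()
    next_end = end_time
    for _ in range(max_pages):
        page = fetch(build_url(api_url, tenant_id, alert_id, page_size, start_time, next_end))
        for occ in page.get("results", []):
            # uniqueId is the alert id in the sample response, not an occurrence id,
            # so de-duplicate on triggered time plus description (assumption).
            key = (occ.get("createdTimeString"), occ.get("description"))
            if key in seen:
                continue
            seen.add(key)
            yield occ
        end_date = page.get("endDate")
        if not page.get("nextPage") or not end_date or end_date == next_end:
            return  # finished, or the cursor did not advance (would refetch the same page)
        next_end = end_date
    raise RuntimeError(f"pagination did not finish within {max_pages} pages")


def fetch_all_occurrences(fetch: Fetch, api_url: str, tenant_id: str, alert_id, **kw) -> List[dict]:
    return list(iter_occurrences(fetch, api_url, tenant_id, alert_id, **kw))


# ---- constructed offline stand-in for the endpoint (not real API output) ----

def parse_query_clauses(url: str) -> Dict[str, str]:
    """Recover startTime/endTime the way a form-decoding server would: the literal
    '+' separator decodes to a space, %2B decodes back to '+'."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    clauses = query.get("queryString", [""])[0].split()
    return dict(c.split(":", 1) for c in clauses if ":" in c)


def _occurrence(created: str, description: str) -> dict:
    return {"uniqueId": "175", "subject": "Event Source : McLogEvent / Id : 257",
            "description": description, "currentState": "Critical",
            "createdTimeString": created}


_PAGE_1 = {"results": [_occurrence("2017-06-16T05:38:10+0000", "constructed: scan cancelled"),
                       _occurrence("2017-06-16T05:32:12+0000", "constructed: scan cancelled")],
           "pageSize": 2, "nextPage": True, "descendingOrder": True,
           "startDate": "2017-06-16T05:38:10+0000", "endDate": "2017-06-16T05:32:12+0000"}
_PAGE_2 = {"results": [_occurrence("2017-06-16T05:32:12+0000", "constructed: scan cancelled"),
                       _occurrence("2017-05-30T06:03:50+0000", "constructed: port blocking rule")],
           "pageSize": 2, "nextPage": False, "descendingOrder": True,
           "startDate": "2017-06-16T05:32:12+0000", "endDate": "2017-05-30T06:03:50+0000"}
FAKE_PAGES = {None: _PAGE_1, "2017-06-16T05:32:12+0000": _PAGE_2}  # keyed by endTime clause


def fake_fetch(url: str) -> dict:
    """Serve the constructed pages according to the endTime clause of the request."""
    return FAKE_PAGES[parse_query_clauses(url).get("endTime")]


if __name__ == "__main__":
    for row in fetch_all_occurrences(fake_fetch, "api.example.com", "client_7", 175, page_size=2):
        print(row["createdTimeString"], row["currentState"])
```

The second constructed page repeats the first page's last row at its top, which is what an inclusive endTime would produce; the de-duplication keeps it from being counted twice. The loop also stops when endDate fails to advance and raises after max_pages, so a misbehaving or hostile server cannot keep the client polling indefinitely.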

Sample response

{
  "results": [
    {
      "uniqueId": "7",
      "subject": "Event Source : McLogEvent / Id : 257",
      "description": "Source : McLogEvent\nEvent ID : 257\nEvent Description : The scan of D:\\setup\\Projects\\ITOM\\build\\war\\WEB-INF\\lib\\fastutil-6.5.7.jar has taken too long to complete and is being canceled.  Scan engine version used is 5900.7806 DAT version 8560.0000.\nEvent Log Name : Application\nEvent Log Type : INFORMATION\nEvent Log Date Time : 06/16/2017 05:37:18.0",
      "currentState": "Critical",
      "createdTimeString": "2017-06-16T05:38:10+0000"
    },
    {
      "uniqueId": "7",
      "subject": "Event Source : McLogEvent / Id : 257",
      "description": "Source : McLogEvent\nEvent ID : 257\nEvent Description : The scan of D:\\setup\\Projects\\CSGRID\\build\\server\\indexer\\lib\\aws-java-sdk-models-1.11.128.jar has taken too long to complete and is being canceled.  Scan engine version used is 5900.7806 DAT version 8560.0000.\nEvent Log Name : Application\nEvent Log Type : INFORMATION\nEvent Log Date Time : 06/16/2017 05:32:01.0",
      "currentState": "Critical",
      "createdTimeString": "2017-06-16T05:32:12+0000"
    },
    {
      "uniqueId": "7",
      "subject": "Event Source : McLogEvent / Id : 257",
      "description": "The following event has repeated 4  times in the last 4 minutes\nSource : McLogEvent\nEvent ID : 257\nEvent Description : Blocked by port blocking rule (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).\nEvent Log Name : Application\nEvent Log Type : INFORMATION\nEvent Log Date Time : 05/30/2017 06:00:03.0",
      "currentState": "Critical",
      "createdTimeString": "2017-05-30T06:03:50+0000"
    },
    {
      "uniqueId": "7",
      "subject": "Event Source : McLogEvent / Id : 257",
      "description": "The following event has repeated 2  times in the last 2 minutes\nSource : McLogEvent\nEvent ID : 257\nEvent Description : Blocked by port blocking rule (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).\nEvent Log Name : Application\nEvent Log Type : INFORMATION\nEvent Log Date Time : 05/29/2017 15:33:55.0",
      "currentState": "Critical",
      "createdTimeString": "2017-05-29T13:31:14+0000"
    }
  ],
  "pageSize": 100,
  "nextPage": true,
  "startDate": "2017-06-16T05:38:10+0000",
  "endDate": "2017-05-29T10:17:49+0000",
  "descendingOrder": true
}