Get XQL Query Results Stream

Retrieve XQL query results with more than 1000 results.

Synopsis

URI
public_api/v1/xql/get_query_results_stream/
HTTP Method
POST
Required License
Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB or

Description

Retrieve XQL query results with more than 1000 results.
The response is returned chunked (Transfer-Encoding: chunked). To retrieve a gzip-compressed response (Content-Encoding: gzip), add the header Accept-Encoding: gzip to your request.

Request Fields

The body of this request contains a JSON object with the following fields:
Field          Description
request_data   (Required) A dictionary containing the API request fields.
stream_id      (Required) Integer representing the unique ID generated by the response to the Get XQL Query Results API.
Request Examples
curl -X POST https://api-{fqdn}/public_api/v1/xql/get_query_results_stream/ \
  -H "x-xdr-auth-id:{key_id}" \
  -H "Authorization:{key}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "stream_id": "563c5e24-===-9a1f8139d3c5",
      "is_gzip_compressed": true
    }
  }'

Success Response

Upon success, the following response is displayed.
  • When exporting results in JSON, the returned format is NEWLINE-SEPARATED JSON objects, not a single JSON object. You need to decode each line separately.
  • When exporting results in JSON, only non-null fields are returned. If a strict schema is needed, use the CSV format instead, which returns null fields.
Success Response Example
JSON format, raw
Connection: close
Content-Disposition: attachment; filename=results.json
Content-Type: application/octet-stream
Date: Wed, 19 May 2021 14:49:21 GMT
Server: Waitress
Transfer-Encoding: chunked

D1\r\n
{"event_id":"eventID","insert_timestamp":"2021-05-18 14:24:51.681 UTC","_time":"2021-05-18 09:59:28 UTC","_vendor":"PANW","_product":"Fusion","event_type":"STORY","event_sub_type":"NULL"}\n
\r\n
D1\r\n
{"event_id":"eventID","insert_timestamp":"2021-05-18 14:24:34.779 UTC","_time":"2021-05-18 09:59:28 UTC","_vendor":"PANW","_product":"Fusion","event_type":"STORY","event_sub_type":"NULL"}\n
\r\n
D1\r\n
{"event_id":"eventID","insert_timestamp":"2021-05-18 14:24:49.664 UTC","_time":"2021-05-18 09:59:28 UTC","_vendor":"PANW","_product":"Fusion","event_type":"STORY","event_sub_type":"NULL"}\n
\r\n
0\r\n
\r\n
JSON format, GZIP compressed
Connection: close
Content-Disposition: attachment; filename=results.json
Content-Type: application/octet-stream
Date: Mon, 10 May 2021 09:11:23 GMT
Server: Waitress
Transfer-Encoding: chunked

A\r\n
...binary_data...
\r\n
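The request and the newline-separated, optionally gzip-compressed response described above, as an added stdlib-only Python example (not the vendor's own client code). The fqdn, key ID, API key and stream_id are placeholders supplied by the caller, and the sample body is constructed here so the decoder can be exercised offline.

```python
import gzip
import io
import json
import urllib.request


def build_request(fqdn, key_id, key, stream_id, want_gzip=True):
    """Build the POST this page describes (placeholder fqdn/key_id/key from the caller)."""
    body = json.dumps({"request_data": {"stream_id": stream_id}}).encode()
    headers = {
        "x-xdr-auth-id": key_id,
        "Authorization": key,  # API key: keep it out of logs and shell history
        "Content-Type": "application/json",
    }
    if want_gzip:
        headers["Accept-Encoding"] = "gzip"
    url = f"https://{fqdn}/public_api/v1/xql/get_query_results_stream/"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def iter_results(stream, content_encoding=None):
    """Yield one dict per line of the newline-separated JSON body.
    `stream` is a binary file-like object (HTTP response or BytesIO);
    http.client strips the chunk framing, but urllib does not gunzip,
    so Content-Encoding: gzip is handled here."""
    if content_encoding == "gzip":
        stream = gzip.GzipFile(fileobj=stream)
    for raw in stream:
        line = raw.strip()
        if not line:  # skip blank lines rather than failing on them
            continue
        yield json.loads(line)


def fetch_results(fqdn, key_id, key, stream_id):
    req = build_request(fqdn, key_id, key, stream_id)
    with urllib.request.urlopen(req) as resp:
        yield from iter_results(resp, resp.headers.get("Content-Encoding"))


# Constructed sample body (records modelled on the page's example) for offline use.
SAMPLE_NDJSON = b"".join(
    json.dumps({"event_id": f"evt-{i}", "_vendor": "PANW", "_product": "Fusion",
                "event_type": "STORY"}).encode() + b"\n" for i in range(3))


def decode_sample(compressed):
    body = gzip.compress(SAMPLE_NDJSON) if compressed else SAMPLE_NDJSON
    return list(iter_results(io.BytesIO(body), "gzip" if compressed else None))
```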

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
Code   Description
400    Bad Request. Got an invalid JSON.
401    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402    Unauthorized access. User does not have the required license type to run this API.
403    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500    Internal server error. A unified status for API communication type errors.
Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}