POST /ariel/searches

Create a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches are executed asynchronously. A reference to the search ID is returned and should be used in subsequent API calls to determine the status of the search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default this time interval is the last 60 seconds. An alternative time interval can be specified by specifying them as part of the query expression. For further information, see the AQL reference guide.

Table 1. POST /ariel/searches resource details
MIME Type
application/json

Table 2. POST /ariel/searches request parameter details
Parameter	Type	Optionality	Data Type	MIME Type	Description
query_expression	query	Optional	String	text/plain	Optional - The AQL query to execute. Mutually exclusive with saved_search_id
saved_search_id	query	Optional	Number (Integer)	text/plain	Optional - Saved search ID to execute. Mutually exclusive with queryExpression

Table 3. POST /ariel/searches response codes
HTTP Response Code	Unique Code	Description
201		A new Ariel search was successfully created.
404	1002	The Ariel saved search does not exist.
409	1004	The search cannot be created. The requested search ID that was provided in the query expression is already in use. Please use a unique search ID (or allow one to be generated).
422	2000	The query_expression contains invalid AQL syntax.
422	1005	A request parameter is not valid.
500	1020	An error occurred during the attempt to create a new search.
503	1010	The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID to access or manipulate the search with the other API endpoints.

If the exact search being created was already recently created, the response message will return a reference to the original search ID rather than creating a new search.

Response Sample


{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [
    0,
    0,
    0,
    0,
    66957,
    652657,
    76594,
    89809,
    86032,
    107729
  ],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime, qid, sourceport  from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
  "record_count": 1240923,
  "save_results": false,
  "status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": 1467049610018,
        "qid": 10034,
        "sourceport": 13675
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": 1467049610019,
        "qid": 20034,
        "sourceport": 80
      }
    ]
  },
  "subsearch_ids": [
     "sub_id_1"
   ],
  "search_id": "s16"
}