POST /config/event_sources/custom_properties/property_aql_expressions/{expression_id}

Updates a Custom Property AQL expression. Requires the System Administrator, Security Admin or User Defined Event Properties permission.

Updates a Custom Property AQL expression. Requires the System Administrator, Security Admin or User Defined Event Properties permission.

Table 1. POST /config/event_sources/custom_properties/property_aql_expressions/{expression_id} resource details
MIME Type

application/json

Table 2. POST /config/event_sources/custom_properties/property_aql_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description

expression_id

path

Required

String

text/plain

Required - The identifier of the AQL expression.

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3. POST /config/event_sources/custom_properties/property_aql_expressions/{expression_id} request body details
Parameter Data Type MIME Type Description Sample

data

Object

application/json

Required - A JSON representation of the AQL expression object.
  • regex_property_identifier - Optional - String - The identifier of the event regex property to which this expression belongs.
  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
  • expression - String - The AQL expression used by the event property.
  • payload - Optional - String - Test payload. This parameter is only used in the UI so that you can verify that your expression matches the expected payload.
  • log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.
  • log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
  • qid - Optional - Integer - The expression is only applied to events associated with this QID record.
  • low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
  • username - Optional - String - The owner of the AQL expression. If the input username is an authorized service, the prefix "API_token: " is required.

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

Table 4. POST /config/event_sources/custom_properties/property_aql_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description

200

The AQL expression was updated.

403

1009

The user cannot update the resource because it only can be updated by the owner or admin user.

404

1002

The requested AQL expression cannot be found.

422

1005

One or more parameters are invalid in request.

500

1020

An error occurred during the attempt to update an AQL expression.

Response Description

The updated AQL expression object contains the following fields:
  • id - Integer - The sequence ID of the AQL expression.
  • identifier - String - The unique ID of the AQL expression. This value is in the form of a UUID.
  • regex_property_identifier - String - The identifier of the event regex property to which this expression belongs.
  • enabled - Boolean - Flag that indicates whether this expression is enabled.
  • expression - String - The AQL expression used by the event property.
  • creation_date - Long - The epoch timestamp in milliseconds of the time the expression was created.
  • modification_date - Long - The epoch timestamp in milliseconds of the time the expression was last modified.
  • payload - String - Test payload. This parameter is only used in the UI so that you can verify that your expression matches the expected payload.
  • log_source_type_id - Integer - The expression is only applied to events for this log source type.
  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
  • qid - Integer - The expression is only applied to events associated with this QID record.
  • low_level_category_id - Integer - The expression is only applied to events with this low level category.
  • username - String - The owner of the AQL expression.

Response Sample


{
    "creation_date": 42,
    "enabled": true,
    "expression": "String",
    "id": 42,
    "identifier": "String",
    "log_source_id": 42,
    "log_source_type_id": 42,
    "low_level_category_id": 42,
    "modification_date": 42,
    "payload": "String",
    "qid": 42,
    "regex_property_identifier": "String",
    "username": "String"
}