POST /ariel/searches

Create a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches are executed asynchronously. A reference to the search ID is returned and should be used in subsequent API calls to determine the status of the search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default this time interval is the last 60 seconds. An alternative time interval can be specified by specifying them as part of the query expression. For further information, see the AQL reference guide.

Table 1. POST /ariel/searches resource details
MIME Type

application/json

Table 2. POST /ariel/searches request parameter details
Parameter Type Optionality Data Type MIME Type Description

query_expression

query

Optional

String

text/plain

Optional - The AQL query to execute. Mutually exclusive with saved_search_id

saved_search_id

query

Optional

Number (Integer)

text/plain

Optional - Saved search ID to execute. Mutually exclusive with queryExpression

Table 3. POST /ariel/searches response codes
HTTP Response Code Unique Code Description

201

A new Ariel search was successfully created.

404

1002

The Ariel saved search does not exist.

409

1004

The search cannot be created. The requested search ID that was provided in the query expression is already in use. Please use a unique search ID (or allow one to be generated).

422

2000

The query_expression contains invalid AQL syntax.

422

1005

A request parameter is not valid.

500

1020

An error occurred during the attempt to create a new search.

503

1010

The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID to access or manipulate the search with the other API endpoints. If the exact search being created was already recently created, the response message will return a reference to the original search ID rather than creating a new search.

Response Sample


{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [
    0,
    0,
    0,
    0,
    66957,
    652657,
    76594,
    89809,
    86032,
    107729
  ],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime, qid, sourceport  from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
  "record_count": 1240923,
  "save_results": false,
  "status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": 1467049610018,
        "qid": 10034,
        "sourceport": 13675
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": 1467049610019,
        "qid": 20034,
        "sourceport": 80
      }
    ]
  },
  "subsearch_ids": [
     "sub_id_1"
   ],
  "search_id": "s16"
}