POST /ariel/searches/{search_id}

Updates an Ariel search.

Updates details for an Ariel search. You can update searches in the following ways:
  • To cancel an active search, set the status parameter to CANCELED. This stops the search and keeps any search results that were collected before the search was canceled.
  • The results for a completed search can be saved by setting the save_results parameter to true. This ensures that the search is not automatically removed when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space. Searches might be deleted automatically, according to the settings of the retention policy. Searches with saved results are not automatically reclaimed by the server and are therefore retained. A search can be explicitly deleted by using the DELETE /searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to process new searches.
Table 1. POST /ariel/searches/{search_id} resource details
MIME Type

application/json

Table 2. POST /ariel/searches/{search_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description

search_id

path

Required

String

text/plain

Required. The ID of the search to update.

status

query

Optional

String

text/plain

Optional. The only accepted value is CANCELED. If this value is provided, the search is canceled.

save_results

query

Optional

String

text/plain

Optional. The only accepted value is true. If this value is provided, the search results are not deleted by the search expiration removal process. If status parameter was provided, this parameter is not checked and silently ignored.

Table 3. POST /ariel/searches/{search_id} response codes
HTTP Response Code Unique Code Description

200

The search was updated.

404

1002

The search does not exist.

422

1005

A request parameter is not valid.

500

1020

An error occurred during the attempt to update the search.

503

1010

The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search that was updated.

Response Sample


{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [
    0,
    0,
    0,
    0,
    66957,
    652657,
    76594,
    89809,
    86032,
    107729
  ],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime, qid, sourceport  from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
  "record_count": 1240923,
  "save_results": false,
  "status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": 1467049610018,
        "qid": 10034,
        "sourceport": 13675
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": 1467049610019,
        "qid": 20034,
        "sourceport": 80
      }
    ]
  },
  "subsearch_ids": [
     "sub_id_1"
   ],
  "search_id": "s16"
}