Ad hoc queries

What is an ad hoc query?

An ad hoc query is a search query with a start_time, an end_time, and query. It runs asynchronously in the background, and you can poll it periodically to check for results.

An ad hoc query is basically analogous to a query you make in the Search tab in Scanner.

The results of an ad hoc query are tabular, consisting of columns and rows.

There are two ways to execute an ad hoc query: asynchronous and blocking.

How to execute an asynchronous ad hoc query

POST /v1/start_query

To execute an asynchronous ad hoc query, you first create it via POST /v1/start_query request. The Scanner API will return the id of the query, which you can use to poll its status with GET /v1/query_progress requests.

Body

Example

curl $API_BASE/v1/start_query \
-H "Authorization: Bearer $SCANNER_API_KEY" \
-H "Content-Type: application/json" \
-X POST \
-d '{
  "query": "%ingest.source_type: \"aws:cloudtrail\" and sourceIPAddress: 174.23.51.122",
  "start_time": "2024-02-04T01:00:00.000Z",
  "end_time": "2024-02-04T01:30:00.000Z"
}'

Response

{ "qr_id": "37ccf932-42e7-4e2e-b21e-e9f67384bea7" }

{ "error": "Failed to parse query: Type error at 4-7: Function missing arguments" }

Check query progress

GET /v1/query_progress/{qr_id}

Gets the current progress of the query with the supplied qr_id.

Users are expected to run GET requests periodically to check for query results. We recommend checking every 1 second.

Example

curl $API_BASE/v1/query_progress/37ccf932-42e7-4e2e-b21e-e9f67384bea7 \
-H "Authorization: Bearer $SCANNER_API_KEY" \
-H "Content-Type: application/json"

Response

{
  "is_completed": false,
  "results": {
    "column_ordering": [],
    "rows": []
  },
  "metadata": {
    "n_bytes_scanned": 8716223
  }
}

{
  "is_completed" true,
  "results": {
    "column_ordering": ["time", "@index", "raw_event"],
    "rows": [
      { "time": "2024-02-04T01:02:12.210Z", "@index": "global-cloudtrail", "raw_event": "..." },
      { "time": "2024-02-04T01:12:45.761Z", "@index": "global-cloudtrail", "raw_event": "..." },
      { "time": "2024-02-04T01:12:45.761Z", "@index": "global-cloudtrail", "raw_event": "..." },
      ...
    ]
  },
  "metadata": {
    "n_bytes_scanned": 90184761
  }
}

How to execute a blocking ad hoc query

POST /v1/blocking_query

To execute a blocking ad hoc query, you just issue a POST /v1/blocking_query request. The Scanner API will hold the request open until the query completes, or it will time out if the query takes longer than 60 seconds.

Body

Example

curl $API_BASE/v1/blocking_query \
-H "Authorization: Bearer $SCANNER_API_KEY" \
-H "Content-Type: application/json" \
-X POST \
-d '{
  "query": "%ingest.source_type: \"aws:cloudtrail\" and sourceIPAddress: 174.23.51.122",
  "start_time": "2024-02-04T01:00:00.000Z",
  "end_time": "2024-02-04T01:30:00.000Z"
}'

Response

{
  "is_completed" true,
  "results": {
    "column_ordering": ["time", "@index", "raw_event"],
    "rows": [
      { "time": "2024-02-04T01:02:12.210Z", "@index": "global-cloudtrail", "raw_event": "..." },
      { "time": "2024-02-04T01:12:45.761Z", "@index": "global-cloudtrail", "raw_event": "..." },
      { "time": "2024-02-04T01:12:45.761Z", "@index": "global-cloudtrail", "raw_event": "..." },
      ...
    ]
  },
  "metadata": {
    "n_bytes_scanned": 90184761
  }
}