Start Aggregation Search on Enriched Events (v1)
POST {{cb_url}}/api/investigate/v1/orgs/{{cb_org_key}}/enriched_events/aggregation_jobs/{{cb_aggregation_field}}
Starts a search that groups results by the field supplied in the aggregation_field element of the path.
RBAC PERMISSIONS REQUIRED
| Permission (.notation name) | Operation(s) |
|---|
| org.search.events | READ |
Body Schema
| Field | Definition | Data Type | Values | Required |
|---|
criteria | Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. | Object | { "process_name": [ "chrome.exe" ] } | No |
exclusions | Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. | Object | { "process_name": [ "chrome.exe" ] } | No |
fields | A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default | Array | [ "*", "process_start_time" ] Default: ["*"] | No |
query | Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. | String | N/A | No |
rows | Number of rows to request, can be paginated | Long | Default: 500 Max: 10k | No |
sort | Sort is a collection of sort parameters that specify a field and order to sort the results. | Array | [{ "field": "device_timestamp", "order": "asc" }] | No |
start | First row to use for pagination | Long | Default: 0 | No |
time_range | Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. | Object | { "end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w" } | No |
See Documentation
Request Body
{"query"=>"process_hash:0fb7e2661ad9c52dc97e3f7c0d615c22e2e4e298ef8e1a41c7fa1fc642cc60bc", "rows"=>500}
| Key | Datatype | Required | Description |
|---|
Content-Type | string | | |