I use API to create search
https://[IPaddress]:8089/services/search/jobs
Body:
search sourcetype = ipfix | regex destinationIPv4Address = "^(12\.10\.2\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5])))$" | stats sum(eval(octetDeltaCount/4)) as Traffic count(Sequence) as Hint values(protocol) by sourceIPv4Address destinationIPv4Address protocolIdentifier destinationTransportPort sourceTransportPort | eval protocol=case(protocolIdentifier ==1 ,"ICfMP", protocolIdentifier ==4 ,"IP", protocolIdentifier ==6 ,"ICfMP", protocolIdentifier ==17 ,"UDP",protocolIdentifier ==88 ,"EIGRP",protocolIdentifier ==89 ,"OSPF",protocolIdentifier ==103 ,"PIM",protocolIdentifier ==143 ,"EThernet") | stats sum(eval(abs(Hint/4))) as TotalHint values(sourceIPv4Address) values(sourceTransportPort) values(destinationIPv4Address) values(destinationTransportPort) values(description) values(protocol) values(protocolIdentifier) values(Traffic) by sourceIPv4Address destinationIPv4Address protocolIdentifier | append [search sourcetype %3d ipfix | regex sourceIPv4Address = "^(12\.10\.2\.(?:[0-9]|[1-9][0-9]|1(?:[0-9][0-9])|2(?:[0-4][0-9]|5[0-5])))$" | stats sum(eval(octetDeltaCount/4)) as Traffic count(Sequence) as Hint values(protocol) by sourceIPv4Address destinationIPv4Address protocolIdentifier destinationTransportPort sourceTransportPort | eval (protocol=case(protocolIdentifier ==1 ,"ICfMP", protocolIdentifier ==4 ,"IP", protocolIdentifier ==6 ,"ICfMP", protocolIdentifier ==17 ,"UDP",protocolIdentifier ==88 ,"EIGRP",protocolIdentifier ==89 ,"OSPF",protocolIdentifier ==103 ,"PIM",protocolIdentifier ==143 ,"EThernet") | stats sum(eval(abs(Hint/4))) as TotalHint values(sourceIPv4Address) values(sourceTransportPort) values(destinationIPv4Address) values(destinationTransportPort) values(description) values(protocol) values(protocolIdentifier) values(Traffic) by sourceIPv4Address destinationIPv4Address protocolIdentifier]
but when I use GET to receive result I receive 204 no content message
HTTPS://[Ip address]:8089/services/search/jobs/1619301754.208/results
I used %3d instead of = in the sourcetype but it does not work
anybody faced this issue?
