Latest Post - 2016-07-11T16:38:24Z by Jason Keirstead (IBM)

Pinned topic Dateformat via API

‏2016-06-16T12:56:15Z | dateformat


I am trying to run the following query via API, but I get an error. It runs fine via the GUI. Is the dateformat function not supported via API?

[restapi_client]# /opt/qradar/api/bin/apiClientDir/restapi_client/ --output csv --no_verify --query='SELECT "Instance (Guardium)", "DATEFORMAT(startTime,'YYYY-MM-d')" FROM events WHERE logSourceId = '6794' LAST 8 HOURS'
The API returned HTTP code 422, 201 expected.
    "message": "Field \"DATEFORMAT(startTime,YYYY-MM-d)\" does not exist in catalog \"events\"\nstance (Guardium)\", \"DATEFORMAT(startTime\n                    ^",
    "code": 2000,
    "details": {
        "line_number": 1,
        "code": 28512,
        "reason": "FieldNotExist",
        "token_text": "DATEFORMAT(startTime,YYYY-MM-d)",
        "query_string": "SELECT \"Instance (Guardium)\", \"DATEFORMAT(startTime,YYYY-MM-d)\" FROM events WHERE logSourceId = 6794 LAST 8 HOURS",
        "start_index": 30
    "http_response": {
        "message": "The request was well-formed but was unable to be followed due to semantic errors",
        "code": 422
    "description": "The query_expression contains invalid AQL syntax."


  • Jason Keirstead (IBM)

    Re: Dateformat via API


    The DATEFORMAT portion should not be encased in double quotes; that is the issue.
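
An added example, not part of the original thread and not QRadar's own code, showing what the shell actually hands to the client as `--query`. The `query_string` in the error above has lost the single quotes around `YYYY-MM-d` and `6794`, because they close and reopen the shell's own single-quoted argument. The function names are hypothetical, and the corrected query applies the fix from the reply, assuming AQL takes the format string as a single-quoted literal as in the GUI query.

```shell
#!/bin/sh
# Constructed demo: compare the query text as posted with a corrected form.
# Nothing here contacts QRadar; it only shows the string the shell builds.

# Hypothetical helper: emit the one argument it received, byte for byte.
show_arg() { printf '%s' "$1"; }

# As posted. Each inner ' ends the shell's single-quoted string, so
# YYYY-MM-d and 6794 are passed bare and the quotes never reach AQL.
as_posted() {
  show_arg 'SELECT "Instance (Guardium)", "DATEFORMAT(startTime,'YYYY-MM-d')" FROM events WHERE logSourceId = '6794' LAST 8 HOURS'
}

# Corrected. Two changes:
#  1. DATEFORMAT(...) is no longer wrapped in double quotes. In AQL,
#     double quotes mark a field name such as "Instance (Guardium)",
#     which is why the API reported FieldNotExist for the quoted call.
#  2. A quoted heredoc (<<'AQL') keeps every character literal, so the
#     single quotes around the format string and the id survive.
corrected() {
  cat <<'AQL'
SELECT "Instance (Guardium)", DATEFORMAT(startTime,'YYYY-MM-d') FROM events WHERE logSourceId = '6794' LAST 8 HOURS
AQL
}

# Print both so the difference is visible when run stand-alone.
printf 'as posted: %s\n' "$(as_posted)"
printf 'corrected: %s\n' "$(corrected)"

# The corrected text would then be passed with the flags from the post:
#   --output csv --no_verify --query="$(corrected)"
```

The first line printed matches the `query_string` echoed back in the 422 response, which confirms the quotes were dropped by the shell and not by the API.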