response-logs

Retrieves response logs from integrated security devices. You can specify a time range, sort order, and maximum record count.

Command properties

Item	Description
Command type	Driver query
Required permission	Login required
License usage	N/A
Parallel execution	Not supported
Distributed execution	Not supported

Syntax

response-logs [duration=INT{s|m|h|d|mon}] [from=STR] [to=STR] [order={asc|desc}] [offset=INT] [limit=INT]

Options

duration=INT{s|m|h|d|mon}: Restricts the query range to logs within a given time window from the current time. Specify the unit as s (seconds), m (minutes), h (hours), d (days), or mon (months).
from=STR: Start time of the query range. Specify in yyyyMMddHHmmss format. Trailing digits can be omitted and will be padded with zeros.
to=STR: End time of the query range. Specify in yyyyMMddHHmmss format. Trailing digits can be omitted and will be padded with zeros.
order={asc|desc}: Query order

asc: Retrieves data from oldest to newest
desc: Retrieves data from newest to oldest

offset=INT: Number of records to skip. Specify a non-negative integer.
limit=INT: Maximum number of records to retrieve. Specify a non-negative integer. 0 means no limit.

Output fields

Field	Type	Description
`_time`	timestamp	Response time
`_id`	long	Record ID
`device_name`	string	Security device name
`device_ip`	ipaddr	Security device IP address
`device_port`	port	Security device port
`action`	string	Response action
`type`	string	Response type
`value`	string	Response target value (IP, domain, etc.)

Error codes

Parse errors

Error code	Message	Description
300401	The `from` option value must be in yyyyMMddHHmmss format.	The date format of the `from` option value is invalid
300402	The `to` option value must be in yyyyMMddHHmmss format.	The date format of the `to` option value is invalid
300403	Negative values are not allowed for the offset option.	The `offset` option value is negative
300404	Negative values are not allowed for the limit option.	The `limit` option value is negative

Runtime errors

N/A

Description

The response-logs command retrieves response logs recorded through security device integrations. Data is retrieved from the table (sonar_response_XXXXX) corresponding to the organization (company) of the currently logged-in user.

If both the duration and from options are specified, the from option takes precedence.

Examples

Retrieving response logs for the last 1 hour
```
response-logs duration=1h
```
Retrieves response logs from the last 1 hour.
Querying with a specified time range
```
response-logs from=20260301 to=20260401
```
Retrieves response logs for the entire month of March 2026.
Retrieving the latest data first
```
response-logs duration=1d order=desc limit=100
```
Retrieves up to 100 response logs from the last 1 day, starting with the newest.
Aggregating by response type
```
response-logs duration=7d
| stats count by type, action
| sort count desc
```
Aggregates response logs from the last 7 days by type and action.