sonar-ticket-events
Retrieves the list of events contained in the ticket with the specified GUID.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Login required |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
sonar-ticket-events guid=STR
Options
guid=STR - GUID of the ticket whose events you want to retrieve
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Event time |
| priority | string | Priority: HIGH, MEDIUM, or LOW |
| guid | string | Event GUID |
| device_name | string | Device name |
| device_ip | ipaddr | Device IP address |
| site | string | Site name |
| ticket_guid | string | Ticket GUID |
| rule_id | integer | Scenario ID |
| rule_type | string | Scenario type: STREAM or BATCH |
| rule_name | string | Scenario name |
| user | string | Account |
| host_ip | ipaddr | Host IP address |
| src_ip | ipaddr | Source IP address |
| src_country | string | Source country code. Example: KR |
| src_port | integer | Source port |
| dst_ip | ipaddr | Destination IP address |
| dst_country | string | Destination country code. Example: KR |
| dst_port | integer | Destination port |
| protocol | string | Protocol. Example: TCP, UDP, ICMP |
| action | string | Action. Example: PERMIT, DENY |
| mail_from | string | Sender address |
| mail_to | string | Recipient address |
| mail_cc | string | CC address |
| md5 | string | MD5 hash |
| url | string | URL |
| msg | string | Message |
| logger_id | integer | Logger ID |
| logger_name | string | Logger name |
| field_order | string | Field order |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 300101 | 유효하지 않은 세션입니다. | The session is invalid or the user cannot be found. |
| 300133 | sonar-ticket-events 명령어에 guid 옵션을 지정하세요. | The guid option is not specified. |
| 300134 | sonar-ticket-events 명령어의 guid 옵션 값은 GUID 형식이어야 합니다. | The guid option value is not in GUID format. |
| 300135 | 지정된 티켓이 존재하지 않습니다. | No ticket exists for the specified GUID. |
Runtime errors
N/A
Description
The sonar-ticket-events command retrieves the list of events linked to the ticket with the specified GUID. If the ticket does not exist, a parse error occurs.
Examples
- Retrieve the event list for a specific ticket

  `sonar-ticket-events guid="550e8400-e29b-41d4-a716-446655440000"`

  Retrieves the list of events contained in the ticket with the specified GUID.

- Aggregate events by source IP

  `sonar-ticket-events guid="550e8400-e29b-41d4-a716-446655440000" | stats count by src_ip | sort count desc`

  Aggregates ticket events by source IP and sorts them by count in descending order.
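The following is an added example, not part of the original reference page and not code from the product itself. It shows how a client script can validate the `guid` option before issuing the query (mirroring the conditions behind parse errors 300133 and 300134) and how the output records can be triaged once retrieved: the same `count by src_ip` aggregation as the second example above, plus priority and action breakdowns. The event records are constructed inline with the field names from the output table; the query is only built as a string, not sent anywhere.

```python
import re
from collections import Counter

# Constructed sample records shaped like the command's output fields (not real ticket data).
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "priority": "HIGH", "src_ip": "10.0.0.5",
     "dst_ip": "192.0.2.10", "dst_port": 445, "protocol": "TCP", "action": "DENY"},
    {"_time": "2024-01-01T10:00:05", "priority": "HIGH", "src_ip": "10.0.0.5",
     "dst_ip": "192.0.2.10", "dst_port": 3389, "protocol": "TCP", "action": "DENY"},
    {"_time": "2024-01-01T10:01:00", "priority": "LOW", "src_ip": "10.0.0.5",
     "dst_ip": "192.0.2.20", "dst_port": 443, "protocol": "TCP", "action": "PERMIT"},
    {"_time": "2024-01-01T10:02:00", "priority": "MEDIUM", "src_ip": "10.0.0.7",
     "dst_ip": "192.0.2.53", "dst_port": 53, "protocol": "UDP", "action": "PERMIT"},
    {"_time": "2024-01-01T10:03:00", "priority": "MEDIUM", "src_ip": "10.0.0.7",
     "dst_ip": "192.0.2.10", "dst_port": None, "protocol": "ICMP", "action": "DENY"},
]

# Canonical 8-4-4-4-12 hexadecimal GUID layout.
GUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def is_guid(value: str) -> bool:
    """True if value is in GUID format."""
    return GUID_RE.fullmatch(value) is not None


def build_query(guid: str) -> str:
    """Build the query string, rejecting input the server would refuse with a parse error.

    The error codes in the messages are the ones from the page's parse error table;
    checking client-side keeps invalid queries out of the server's logs.
    """
    if not guid:
        raise ValueError("300133: guid option not specified")
    if not is_guid(guid):
        raise ValueError("300134: guid option value is not in GUID format")
    return f'sonar-ticket-events guid="{guid}"'


def count_by_src_ip(events):
    """Equivalent of `stats count by src_ip | sort count desc` (ties broken by IP)."""
    counts = Counter(e["src_ip"] for e in events if e.get("src_ip"))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def triage_summary(events):
    """Summarize a ticket's events for an analyst: priority mix, action mix, denied ports."""
    by_priority = Counter(e["priority"] for e in events)
    by_action = Counter(e["action"] for e in events)
    # Destination ports that were denied; ICMP rows carry no port and are skipped.
    denied_ports = sorted({
        e["dst_port"] for e in events
        if e["action"] == "DENY" and e.get("dst_port") is not None
    })
    return {
        "by_priority": dict(by_priority),
        "by_action": dict(by_action),
        "denied_dst_ports": denied_ports,
    }


if __name__ == "__main__":
    print(build_query("550e8400-e29b-41d4-a716-446655440000"))
    print(count_by_src_ip(SAMPLE_EVENTS))
    print(triage_summary(SAMPLE_EVENTS))
```

The `build_query` check is deliberately stricter than a plain non-empty test: the page distinguishes a missing option (300133) from a malformed one (300134), so the client reports the same distinction before the query is ever sent.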