sonar-ticket-events

Retrieves the list of events contained in the ticket with the specified GUID.

Command properties

ItemDescription
Command typeDriver query
Required permissionLogin required
License usageN/A
Parallel executionNot supported
Distributed executionNot supported

Syntax

sonar-ticket-events guid=STR

Options

guid=STR
GUID of the ticket whose events you want to retrieve

Output fields

FieldTypeDescription
_timetimestampEvent time
prioritystringPriority. HIGH, MEDIUM, LOW
guidstringEvent GUID
device_namestringDevice name
device_ipipaddrDevice IP address
sitestringSite name
ticket_guidstringTicket GUID
rule_idintegerScenario ID
rule_typestringScenario type. STREAM, BATCH
rule_namestringScenario name
userstringAccount
host_ipipaddrHost IP address
src_ipipaddrSource IP address
src_countrystringSource country code. Example: KR
src_portintegerSource port
dst_ipipaddrDestination IP address
dst_countrystringDestination country code. Example: KR
dst_portintegerDestination port
protocolstringProtocol. Example: TCP, UDP, ICMP
actionstringAction. Example: PERMIT, DENY
mail_fromstringSender address
mail_tostringRecipient address
mail_ccstringCC address
md5stringMD5 hash
urlstringURL
msgstringMessage
logger_idintegerLogger ID
logger_namestringLogger name
field_orderstringField order

Error codes

Parse errors
Error codeMessageDescription
300101Invalid sonar session.The session is invalid or the user cannot be found.
300133Specify guid option in the sonar-ticket-events commandThe guid option is not specified.
300134Specify valid GUID in the sonar-ticket-events command.The guid option value is not in GUID format.
300135Ticket not found.No ticket exists for the specified GUID.
Runtime errors

N/A

Description

The sonar-ticket-events command retrieves the list of events linked to the ticket with the specified GUID. If the ticket does not exist, a parse error occurs.

Examples

  1. Retrieve the event list for a specific ticket

    sonar-ticket-events guid="550e8400-e29b-41d4-a716-446655440000"
    

    Retrieves the list of events contained in the ticket with the specified GUID.

  2. Aggregate events by source IP

    sonar-ticket-events guid="550e8400-e29b-41d4-a716-446655440000"
    | stats count by src_ip
    | sort count desc
    

    Aggregates ticket events by source IP and sorts them in descending order.