Create Exception Rule
Registers a new exception rule for the specified scenario. Events that match the condition tree are excluded from scenario matching.
Required Permissions
Requires the ADMIN role or higher. The condition tree allows up to 50 leaf conditions, up to 10 group nodes, and a maximum tree depth of 3. The description is limited to 2000 characters, and field names must be 1 to 128 characters from A-Z, a-z, 0-9, _, ., -.
HTTP Request
POST /api/sonar/exception-rules
cURL Example
curl -H "Authorization: Bearer <API_KEY>" \
-H "Content-Type: application/json" \
-X POST \
-d '{
"type": "stream",
"scenario_guid": "4d2f8a31-9b21-4d12-8a90-7f1c1a2b3c4d",
"description": "Maintenance window IP exception",
"exprs": {
"operator": "AND",
"operands": [
{
"field": "src_ip",
"type": "IP",
"operator": "EQ",
"value": "192.0.2.10"
}
]
},
"valid_from": "2026-04-01 00:00:00+0900",
"valid_until": "2026-05-01 00:00:00+0900"
}' \
https://HOSTNAME/api/sonar/exception-rules
Request Parameters
| Key | Required | Type | Description | Notes |
|---|---|---|---|---|
| type | Yes | String | Scenario type | One of stream or batch |
| scenario_guid | Yes | String | Scenario identifier | 36-character GUID |
| description | No | String | Description | Up to 2000 characters |
| exprs | Yes | String map | Condition tree | A leaf or node expression object |
| valid_from | Yes | Timestamp | Validity start time | Format: yyyy-MM-dd HH:mm:ssZ |
| valid_until | Yes | Timestamp | Validity end time | Format: yyyy-MM-dd HH:mm:ssZ. Must be later than valid_from |
exprs object properties
The condition tree is composed of node expressions and leaf expressions.
- Node expression
- operator (String, required): Node operator. One of
AND,OR,NOT,SRC_IP,DST_IP,SRC_IP_DST_IP.NOT,SRC_IP, andDST_IPaccept exactly one operand;SRC_IP_DST_IPaccepts exactly two operands - operands (Array, required): Child expressions. Each item is a node or a leaf expression
- operator (String, required): Node operator. One of
- Leaf expression
- field (String, required): Field name. Must match
^[a-zA-Z0-9_.-]{1,128}$ - type (String, required): Field type. One of
STRING,NUMBER,BOOLEAN,IP - operator (String, required): Comparison operator. Allowed operators depend on the type:
STRING:EQ,NEQ,STARTS_WITH,ENDS_WITH,CONTAINS,IS_NULL,IS_NOT_NULLNUMBER:EQ,NEQ,GT,GTE,LT,LTE,IS_NULL,IS_NOT_NULLBOOLEAN:EQ,NEQ,IS_NULL,IS_NOT_NULLIP:EQ,NEQ,IS_NULL,IS_NOT_NULL
- value (String|Number|Boolean): Comparison value. Omitted for
IS_NULLandIS_NOT_NULL. For theIPtype, supply an IPv4 or IPv6 address string
- field (String, required): Field name. Must match
Success Response
{
"guid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
- guid (String): Identifier of the newly created exception rule
Error Responses
Required argument is missing
HTTP status code 400
{
"error_code": "null-argument",
"error_msg": "type should be not null"
}
Scenario not found
HTTP status code 500
{
"error_code": "illegal-state",
"error_msg": "scenario not found: 4d2f8a31-9b21-4d12-8a90-7f1c1a2b3c4d"
}
Description exceeds 2000 characters
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "description is too long"
}
Invalid validity period
HTTP status code 500
{
"error_code": "illegal-argument",
"error_msg": "valid_from should be earlier than valid_until"
}
Condition tree limits exceeded
HTTP status code 500
{
"error_code": "illegal-argument",
"error_msg": "too many conditions: 51"
}
Malformed condition tree
HTTP status code 500
{
"error_code": "illegal-argument",
"error_msg": "unsupported operator for type [STRING]: GT"
}
No permission
HTTP status code 500
{
"error_code": "illegal-state",
"error_msg": "no-permission"
}