For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Icon for Altocumulus rank

Altocumulus

Jan 31, 2023

Solved

BIG-IQ RestAPI - retrieve customized Web Application Security Event Log

Hello ,

As per following example, https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/HowToSamples/bigiq_public_api_wf/asm/t_get_event_log_record_by_support_id.html we can retrieve info about the Web Application Security Events .

Is there any way to make the BIG-IQ to return only specific parameter not the whole event log ?? I am looking to return only the "sig_ids[]" .

Thanks!

gbogdan
Feb 24, 2023
This is how can be done :

POST /mgmt/cm/shared/es/logiq/asmindex/_search?filter_path=hits.hits._source
Request Body:
{       "query":{
"query_string":{
"query":"support_id: 123456789"          }
},
"_source": "staged_sig_ids",               <====
"from":0,
"size":50,
"sort":{          "date_time":"desc"       }
}

5 Replies

JRahm
Admin
Feb 02, 2023
I haven't used the big-iq api, but I think the same url query parameters work there. So using $select=<param> might work in theory. The challenge looking at the data though is that sig_ids is nested three levels deep:

hits -> hits -> _source -> sig_ids

Do you have the reference for what the query options are in the POST? Example from the link you provided..

{ "query":{ "query_string":{ "query":"support_id: 10961136626817826933" } }, "from":0, "size":50, "sort":{ "date_time":"desc" } }
- gbogdan
  Altocumulus
  Feb 03, 2023
  Hello JRahm ,
  
  Thanks for your response .
  
  Unfortunately , that page is the only information I have . Is there any place where I can find more details ?
  
  Also , I see this example https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_public_api_ref/r_analytics_event_query.html?highlight=security%20events , which using a different path , but I am not sure how to apply it to Web Application Security Events .
  
  EDITED by Leslie_Hubertus: tagged JRahm to make sure he sees this reply for follow-up 🙂
  - JRahm
    Admin
    Feb 10, 2023
    Hi gbogdan, I have inquired internally, but this might require a support case to get the right eyes on it.
gbogdan
Altocumulus
Feb 24, 2023
This is how can be done :

POST /mgmt/cm/shared/es/logiq/asmindex/_search?filter_path=hits.hits._source
Request Body:
{       "query":{
"query_string":{
"query":"support_id: 123456789"          }
},
"_source": "staged_sig_ids",               <====
"from":0,
"size":50,
"sort":{          "date_time":"desc"       }
}
- Leslie_Hubertus
  Ret. Employee
  Mar 02, 2023
  Thanks for following up with your solution!

F5 Academy at AppWorld 2026

DevCentral News

Aswin MK - November 2025 Featured Member

DevCentral News

Introducing the F5 AI Assistant for BIG-IP

Technical Articles

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5