Skip to main content

Search Parameters

Send the search parameters in the POST request body to narrow down the search results returned by the /netwrix/api/v1/activity_records/search endpoint. The Search parameters file includes one or more filters with operators and values (e.g., to find entries where data source is SharePoint); it may also contain a Continuation Mark. Generally, the Search parameters file looks similar to the following:

XML:

<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
    <ContinuationMark>Continuation mark</ContinuationMark>
    <FilterList>
        <Filter1>Value</Filter1>
        <Filter2>Value1</Filter2>
        <Filter2>Value2</Filter2>
        <Filter3 Operator="MatchType1">Value1</Filter3>
        <Filter3 Operator="MatchType2">Value2</Filter3>
        <Filter4>Value1</Filter4>
        <Filter4 Operator="MatchType">Value2</Filter4>
    </FilterList>
</ActivityRecordSearch>

JSON:

{
    "ContinuationMark": "Continuation Mark",
    "FilterList": {
        "Filter1": "Value",
        "Filter2": ["Value1", "Value2"],
        "Filter3": {
            "MatchType1": "Value1",
            "MatchType2": "Value2"
        },
        "Filter4": [
            "Value1",
            {"MatchType": "Value2"}
        ]
    }
}

Ensure to pass information about transferred data, including Content-Type:application/xml or application/json and encoding. The syntax greatly depends on the tool you use.

Schema

FormatSchema description
XMLThe file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find XSD file under Netwrix_Auditor_installation_folder\Audit Core\API Schemas. The ActivityRecordSearch root element includes the FilterList element with one or more Filter elements inside. The root element may contain a ContinuationMark element. Each Filter specified within the FilterList must have a value to search for. The element may also include a modifier—a match type operator. minOccurs="0" indicates that element is optional and may be absent in the Search parameters. filterschema
JSONThe FilterList object includes with one or more Filter entries inside. JSON may contain a ContinuationMark object. Each Filter specified within the FilterList must have a value to search for. The entry may also include a modifier—a match type operator.

Review the following for additional information:

Example

XML:

<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
    <FilterList>
        <Who Operator="NotEqualTo">Administrator</Who>
        <MonitoringPlan>My Hybrid Cloud enterprise</MonitoringPlan>
        <DataSource>Active Directory</DataSource>
        <DataSource Operator="StartsWith">Exchange</DataSource>
        <Action>Removed</Action>
        <Action>Added</Action>
        <ObjectType Operator="DoesNotContain">Group</ObjectType>
        <When>
            <From>2016-01-16T16:30:00+11:00</From>
            <To>2017-01-01T00:00:00Z</To>
        </When>
    </FilterList>
</ActivityRecordSearch>

JSON:

{
    "FilterList": {
        "Who": {
            "NotEqualTo": "Administrator"
        },
        "MonitoringPlan": "My Hybrid Cloud enterprise",
        "DataSource": [
            "Active Directory",
            { "StartsWith": "Exchange" }
        ],
        "Action": [
            "Added",
            "Removed"
        ],
        "ObjectType": {
            "DoesNotContain": "Group"
        },
        "When": {
            "From": "2016-01-16T16:30:00+11:00",
            "To": "2017-01-01T00:00:00Z"
        }
    }
}