topic Palo Alto Cortex IIS API Query in Cortex XDR Discussions

Palo Alto Cortex IIS API Query

sushant1601 — Mon, 14 Apr 2025 12:53:03 GMT

Hello Everyone,

We ingest IIS logs by querying Cortex using a custom-built sensor utility. Recently, we've started encountering a NullPointerException. Upon investigating in our test environment, we found that the issue is related to a field in the query result that represents the API query cost, which we use internally for debug logging.

Previously, the field was returned as query_cost, but it now appears to have been renamed to query_cost_charged. Since our sensor still expects the original query_cost field, it fails with a NullPointerException.

Could someone please confirm if this field name change was made on the API side, and share any relevant documentation or release notes regarding this update?

Thank you in advance!

Re: Palo Alto Cortex IIS API Query

aspatil — Thu, 17 Apr 2025 07:13:48 GMT

I understand you're seeking information about the query_cost_charged field in Cortex XDR. As of now, the official Cortex XDR documentation does not explicitly mention a field named query_cost_charged. The documentation refers to the "query cost" associated with each API query, which is displayed in the Get Query Results API.

It's possible that the field name query_cost_charged is used internally or has been introduced in recent updates without being reflected in the public documentation. To obtain the most accurate and up-to-date information, I recommend reaching out directly to Palo Alto Networks support or your account representative. They can provide clarification on the current field names and any recent changes to the API.