'HTTP/2 500 server' Error while requesting XQL query result over API


L1 Bithead

Hi there,

 

I'm quite new to Cortex. I've gone through the guide available on the site but found nothing related to the following error:

 

HTTP/2 500
server: openresty/1.15.8.2
date: Sun, 18 Jul 2021 05:26:48 GMT
content-type: application/json
content-length: 131
strict-transport-security: max-age=15724800; includeSubDomains
x-frame-options: sameorigin

{"reply": {"err_code": 500, "err_msg": "An error occurred while processing XDR public API", "err_extra": "query param is missing"}}

That's my query: { "request_data": { "query_id": "0427e489ea6b42_2749_inv" } }

 

Any help/directions !!


L3 Networker

Hello Syed, 

 

I guess your payload is either not a JSON object or has some kind of escape char problem.

Could you share your query and also more detail about the query method (via Python, curl, etc.)?

 

L4 Transporter


Hi @Syed-Aqeel,

 

I agree with @etugriceri in that your inquiry is missing critical information. At a minimum, we would need to know what API call URL you are attempting to use to understand the error being presented. Sharing that, or better yet, the entire API call code excluding sensitive information would be beneficial in understanding the error and providing you with the best guidance.


Hi, I'm using curl.
Here's how I am trying it.

// JSON body carrying the query_id to look up
$results = '{
    "request_data": {
        "query_id": "'.$check.'"
    }
}';
$gR = curl_init();
// Endpoint the request is sent to
curl_setopt($gR, CURLOPT_URL, 'https://api-*****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/start_xql_query/');
curl_setopt($gR, CURLOPT_POST, true);
curl_setopt($gR, CURLOPT_POSTFIELDS, $results);
// Include the response headers in the output
curl_setopt($gR, CURLOPT_HEADER, true);
curl_setopt($gR, CURLOPT_HTTPHEADER, [
    'x-xdr-auth-id:2',
    'Authorization:xyzyxyzxyxyzyxyzxyzroCJWBbmlsQwqTKGDJcxgttnRWSSTd',
    'Content-Type: application/json'
]);
// Send the request; without CURLOPT_RETURNTRANSFER the response is printed directly
curl_exec($gR);

 

where $check is the execution ID from the 'Start an xql query' result.

Hi @gjenkins & @etugriceri 

Just figured it out: I was passing the 'start an xql query' URL instead of the 'get an xql query result' request.

Replaced: curl_setopt($gR, CURLOPT_URL, 'https://api-*****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/start_xql_query/');
with the following and it partially worked:
curl_setopt($gR, CURLOPT_URL, 'https://api-****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/get_query_results/');

But it's only partially fixed, because I'm getting a new HTTPS response, i.e. 200:

HTTP/2 200
server: openresty/1.15.8.2
date: Sun, 25 Jul 2021 21:57:48 GMT
content-type: application/json
content-length: 643
vary: Accept-Encoding
strict-transport-security: max-age=15724800; includeSubDomains
set-cookie: XSRF-TOKEN=roCJxyzxyzxzyxyzxyzyxyz


L3 Networker

Hello Syed, 

 

That's right. You need to use two URLs to get results. I think you are getting a result now. Your response has "content-length: 643". You have something from the API. As you can see below, my result is 172 bytes. This is for an empty result.

Could you try querying manually, without using it in a script?

Here is the sample.

curl -v -X POST https://api-****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/get_query_results/ \
-H "x-xdr-auth-id:xxxxx" \
-H "Authorization: xxxxxxx" \
-H "Content-Type:application/json" \
-d '{
"request_data": {
"query_id": "a409exxxx2f845_12739_inv",
"pending_flag": true,
"limit": 100,
"format": "json"
}
}'

 

 

 

 

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* We are completely uploaded and fine
< HTTP/2 200
< server: openresty/1.15.8.2
< date: Mon, 26 Jul 2021 07:32:19 GMT
< content-type: application/json
< content-length: 172
< strict-transport-security: max-age=15724800; includeSubDomains
< set-cookie: XSRF-TOKEN=fh3H.....OCeeVnPev3KgsM..............YOzev2Xzv2Hl6L9cemgIFeMicNfqIj...........482SywxrHOV4ppHbv; secure;Path=/
< vary: Accept-Encoding
< x-frame-options: sameorigin
<
* Connection #0 to host api-xxxxx.xdr.eu.paloaltonetworks.com left intact
{"reply": {"status": "SUCCESS", "number_of_results": 0, "query_cost": {"1088703292": 0.0007808333333333334}, "remaining_quota": 7.499219166666666, "results": {"data": []}}}
* Closing connection 0
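The endpoint mix-up resolved in this thread can be caught before a request is sent, and the two reply shapes quoted above can be told apart programmatically. The following is an added example, not code from any poster or from Palo Alto Networks; the function names and the placeholder host are hypothetical, and the required-key mapping is inferred from the thread's "query param is missing" error and the curl sample.

```python
import json

# Required request_data key per endpoint path, as inferred from this thread:
# start_xql_query rejected a body lacking "query"; get_query_results takes "query_id".
REQUIRED_KEY = {
    "/public_api/v1/xql/start_xql_query/": "query",
    "/public_api/v1/xql/get_query_results/": "query_id",
}


def check_request(url, payload):
    """Return None if the payload fits the endpoint, else a description of the mismatch."""
    for path, key in REQUIRED_KEY.items():
        if url.rstrip("/").endswith(path.rstrip("/")):
            data = payload.get("request_data")
            if not isinstance(data, dict):
                return "body has no request_data object"
            if key not in data:
                return f"{path} needs request_data.{key}, got {sorted(data)}"
            return None
    return "unknown XQL endpoint"


def results_request(query_id, limit=100):
    """Body for get_query_results, mirroring the curl sample in the thread."""
    return {"request_data": {"query_id": query_id, "pending_flag": True,
                             "limit": limit, "format": "json"}}


def interpret_reply(http_status, body):
    """Classify a response body as error, empty, rows, or other (non-SUCCESS status)."""
    reply = json.loads(body).get("reply", {})
    if http_status >= 400 or "err_code" in reply:
        return ("error", reply.get("err_extra") or reply.get("err_msg"))
    if reply.get("status") != "SUCCESS":
        return ("other", reply.get("status"))
    n = reply.get("number_of_results", 0)
    return ("rows", n) if n else ("empty", 0)


# Bodies copied from the two responses quoted in the thread.
ERROR_BODY = '{"reply": {"err_code": 500, "err_msg": "An error occurred while processing XDR public API", "err_extra": "query param is missing"}}'
EMPTY_BODY = '{"reply": {"status": "SUCCESS", "number_of_results": 0, "query_cost": {"1088703292": 0.0007808333333333334}, "remaining_quota": 7.499219166666666, "results": {"data": []}}}'

if __name__ == "__main__":
    base = "https://api-EXAMPLE.invalid"  # placeholder host (assumption)
    body = results_request("0427e489ea6b42_2749_inv")
    print(check_request(base + "/public_api/v1/xql/start_xql_query/", body))
    print(check_request(base + "/public_api/v1/xql/get_query_results/", body))
    print(interpret_reply(500, ERROR_BODY), interpret_reply(200, EMPTY_BODY))
```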