'HTTP/2 500 server' Error while requesting XQL query result over API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

'HTTP/2 500 server' Error while requesting XQL query result over API

L1 Bithead

hi there, 

 

I'm quite new to cortex, gone through the guide available on the site but nothing related to the following error:

 

HTTP/2 500 server: openresty/1.15.8.2 date: Sun, 18 Jul 2021 05:26:48 GMT content-type: application/json content-length: 131 strict-transport-security: max-age=15724800; includeSubDomains x-frame-options: sameorigin {"reply": {"err_code": 500, "err_msg": "An error occurred while processing XDR public API", "err_extra": "query param is missing"}}

Thats my query : { "request_data": { "query_id": "0427e489ea6b42_2749_inv" } } 

 

Any help/directions !!

5 REPLIES 5

L3 Networker

Hello Syed, 

 

I guess your payload is either not JSON object or has kind of escape char problem. 

could you share you query and also more detail about query method. (via python, curl etc)

 

L4 Transporter

@Syed-Aqeel wrote:

hi there, 

 

I'm quite new to cortex, gone through the guide available on the site but nothing related to the following error:

 

HTTP/2 500 server: openresty/1.15.8.2 date: Sun, 18 Jul 2021 05:26:48 GMT content-type: application/json content-length: 131 strict-transport-security: max-age=15724800; includeSubDomains x-frame-options: sameorigin {"reply": {"err_code": 500, "err_msg": "An error occurred while processing XDR public API", "err_extra": "query param is missing"}}

Thats my query : { "request_data": { "query_id": "0427e489ea6b42_2749_inv" } } 

 

Any help/directions !!


Hi @Syed-Aqeel,

 

I agree with @etugriceri in that your inquiry is missing critical information. At a minimum, we would need to know what API call URL you are attempting to use to understand the error being presented. Sharing that, or better yet, the entire API call code excluding sensitive information would be beneficial in understanding the error and providing you with the best guidance.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

HI im using curl. 
here's how I am trying it. 

$results= '{
"request_data": {
"query_id": "'.$check.'"

}
}';
$gR=curl_init();
curl_setopt($gR, CURLOPT_URL, 'https://api-*****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/start_xql_query/');
curl_setopt($gR,CURLOPT_POST,true);
curl_setopt($gR, CURLOPT_POSTFIELDS, $results);
curl_setopt($gR, CURLOPT_HEADER, true);
curl_setopt($gR, CURLOPT_HTTPHEADER, [
'x-xdr-auth-id:2',
'Authorization:xyzyxyzxyxyzyxyzxyzroCJWBbmlsQwqTKGDJcxgttnRWSSTd',
'Content-Type: application/json'
]);

 

where $check is the execution id from 'Start an xql query' result. 

Hi @gjenkins & @etugriceri 

Just figured out, I was passing the 'start an xql query' URL instead of  'get an xql query result' request..  

Replaced: curl_setopt($gR, CURLOPT_URL, 'https://api-*****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/start_xql_query/');
to the following and it partially worked 
curl_setopt($gR, CURLOPT_URL, 'https://api-****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/get_query_results/');

but its partially fixed it because i'm getting a new https response, i-e 200 

HTTP/2 200 server: openresty/1.15.8.2 date: Sun, 25 Jul 2021 21:57:48 GMT content-type: application/json content-length: 643 vary: Accept-Encoding strict-transport-security: max-age=15724800; includeSubDomains set-cookie: XSRF-TOKEN=roCJxyzxyzxzyxyzxyzyxyz


L3 Networker

Hello Syed, 

 

Thats right. You need to use two URL to getting results. I think you are getting result now. Your response has "content-length: 643". You have something from API. As you can see below my result as 172 byte. This is for empty result. 

Could you try manually query without using it in script?

 

here is the sample. 

curl -v -X POST https://api-****.xdr.sg.paloaltonetworks.com/public_api/v1/xql/get_query_results/ \
-H "x-xdr-auth-id:xxxxx" \
-H "Authorization: xxxxxxx" \
-H "Content-Type:application/json" \
-d '{
"request_data": {
"query_id": "a409exxxx2f845_12739_inv",
"pending_flag": true,
"limit": 100,
"format": "json"
}
}'

 

 

 

 

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* We are completely uploaded and fine
< HTTP/2 200
< server: openresty/1.15.8.2
< date: Mon, 26 Jul 2021 07:32:19 GMT
< content-type: application/json
< content-length: 172
< strict-transport-security: max-age=15724800; includeSubDomains
< set-cookie: XSRF-TOKEN=fh3H.....OCeeVnPev3KgsM..............YOzev2Xzv2Hl6L9cemgIFeMicNfqIj...........482SywxrHOV4ppHbv; secure;Path=/
< vary: Accept-Encoding
< x-frame-options: sameorigin
<
* Connection #0 to host api-xxxxx.xdr.eu.paloaltonetworks.com left intact
{"reply": {"status": "SUCCESS", "number_of_results": 0, "query_cost": {"1088703292": 0.0007808333333333334}, "remaining_quota": 7.499219166666666, "results": {"data": []}}}* Closing connection 0
  • 4141 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!