Brian
26 days ago
Events Filtering
Good day,
I have been trying to use catocli to pull events based on destination IP address, but it returns only 1 event, while I can see multiple matching events within the same time frame in the Cato portal.
I wonder if anyone has come across a similar problem and found a solution to it.
json query
{
"eventsDimension": [
{
"fieldName": "dest_ip"
}
],
"eventsFilter": [
{
"fieldName": "dest_ip",
"operator": "is",
"values": "5******8"
}
],
"eventsMeasure": [
{
"aggType": "any",
"fieldName": "action"
},
{
"aggType": "any",
"fieldName": "src_ip"
},
{
"aggType": "any",
"fieldName": "src_port"
},
{
"aggType": "any",
"fieldName": "subnet_name"
},
{
"aggType": "any",
"fieldName": "dest_ip"
},
{
"aggType": "any",
"fieldName": "dest_port"
}
],
"eventsSort": [
{
"fieldName": "action",
"order": "asc"
}
],
"timeFrame": "last.P14D"
}
catocli command
catocli query eventsFeed "json input from variable column"
Response
{
"data": {
"events": {
"from": "2025-12-09T09:00:00Z",
"id": "*******",
"records": [
{
"fieldsMap": {
"action": "Monitor",
"dest_ip": "************",
"dest_port": "****",
"src_ip": "*******",
"src_port": "*****",
"subnet_name": "**********"
},
"fieldsUnitTypes": [
"none",
"none",
"none",
"none",
"none",
"none"
],
"flatFields": [
[
"action",
"Monitor"
],
[
"dest_ip",
"****************"
],
[
"dest_port",
"************"
],
[
"src_ip",
"**************"
],
[
"src_port",
"***********"
],
[
"subnet_name",
"***************"
]
],
"prevTimeFrame": null,
"trends": null
}
],
"to": "2025-12-23T10:00:00Z",
"total": 1,
"totals": {
"action": "********",
"dest_ip": *****,
"dest_port": *****,
"src_ip": "********",
"src_port": ****,
"subnet_name": "***********"
}
}
}
}
If anyone has any ideas, do kindly share. Thanks vm.