
SASE Aggregate Monitoring API Aggregation Query Structure

AggregationQuery schema from Palo Alto Networks SASE Aggregate Monitoring API

Type: object · Properties: 7 · Required: 1

AggregationQuery is a JSON Structure definition published by Palo Alto Networks, describing 7 properties, of which 1 is required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

tsg_id filter time_range count histogram group_by sort

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/sase-aggregate-monitoring-api-aggregation-query-structure.json",
  "name": "AggregationQuery",
  "description": "AggregationQuery schema from Palo Alto Networks SASE Aggregate Monitoring API",
  "type": "object",
  "properties": {
    "tsg_id": {
      "type": "string",
      "description": "Tenant Service Group ID to scope the query. Data from all descendant TSGs within this scope is included."
    },
    "filter": {
      "type": "object",
      "description": "Key-value filter conditions to apply to the query. Filter keys are data-type specific (e.g., severity, category, app_name).",
      "additionalProperties": {
        "type": "string"
      }
    },
    "time_range": {
      "type": "object",
      "description": "Time range for the query.",
      "properties": {
        "start": {
          "type": "datetime",
          "description": "Query start time (ISO 8601)."
        },
        "end": {
          "type": "datetime",
          "description": "Query end time (ISO 8601). Defaults to current time."
        },
        "last": {
          "type": "string",
          "description": "Relative time range shorthand (e.g., 1h, 24h, 7d, 30d). Mutually exclusive with start/end."
        }
      }
    },
    "count": {
      "type": "int32",
      "description": "Maximum number of result rows to return (capped at 1000).",
      "maximum": 1000,
      "default": 100
    },
    "histogram": {
      "type": "object",
      "description": "Configuration for time-series histogram output. When specified, results are bucketed by time.",
      "properties": {
        "field": {
          "type": "string",
          "description": "Timestamp field to use for bucketing."
        },
        "interval": {
          "type": "string",
          "description": "Time bucket interval.",
          "enum": [
            "1m",
            "5m",
            "15m",
            "1h",
            "6h",
            "1d"
          ]
        }
      }
    },
    "group_by": {
      "type": "array",
      "description": "Dimension fields to group results by. Supported values are data-type specific.",
      "items": {
        "type": "string"
      }
    },
    "sort": {
      "type": "array",
      "description": "Sort order for results.",
      "items": {
        "type": "object",
        "properties": {
          "field": {
            "type": "string",
            "description": "Field name to sort by."
          },
          "order": {
            "type": "string",
            "enum": [
              "asc",
              "desc"
            ],
            "default": "desc"
          }
        }
      }
    }
  },
  "required": [
    "tsg_id"
  ]
}