Prefix all commands with

https://10.1.1.1/api/?key=API_KEY

• traffic - Traffic logs
• threat - Threat logs
• config - Config logs
• system - System logs
• hipmatch - GlobalProtect Host Information Profile (HIP) matching logs
• wildfire - WildFire logs
• url - URL filtering logs
• data - Data filtering logs
• corr - Correlated event logs as seen in the user interface within MonitorAutomated Correlated EngineCorrelated Events.
• corr-detail - Correlated event details as seen in the user interface when you select an event within Monitor > Automated Correlated Engine > Correlated Events.
• corr-categ - Correlated events by category, currently compromised hosts seen within ACCThreat ActivityCompromised Hosts.
• userid - User-ID logs
• auth - Authentication logs
• gtp - GPRS Tunneling Protocol (GTP) logs
• external - External logs
• iptag - IP tag logs

• query - Specify the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. The query must be URL encoded.
• nlogs - Specify the number of logs to retrieve. The default is 20 when the parameter is not specified. The maximum is 5000.
• skip - Specify the number of logs to skip when doing a log retrieval. The default is 0. This is useful when retrieving logs in batches where you can skip the previously retrieved logs.
• dir - Specify whether logs are shown oldest first (forward) or newest first (backward). Default is backward.

This query is against traffic with query ( addr.src in 10.1.1.1 ) and ( app eq ntp ) and ( receive_time geq '2019/05/16 09:21:57' )

https://10.1.1.1/api/?type=log&key=API_KEY&log-type=traffic&query=%28%20addr.src%20in%2010.1.1.1%20%29%20and%20%28%20app%20eq%20ntp%20%29%20and%20%28%20receive_time%20geq%20"2019/05/16%2009:21:57"%20%29"

&type=log&action=get&job-id=1234

&type=log&action=finish&job-id=1234