# Create Fabric Log Search Task

Submit a distributed log search across a FortiAnalyzer Fabric (Supervisor + Members).

✅ All code examples tested: verified against FortiAnalyzer v7.4.8, v7.6.4 and v8.0.0.
## Overview

This endpoint creates distributed log searches across FortiAnalyzer Fabric deployments. It is useful for:

- Searching logs across multiple FortiAnalyzer units simultaneously
- Distributed SIEM environments with a Supervisor-Member topology
- Large-scale enterprise log analysis
- Multi-site distributed deployments

**Two-step pattern:** Submit task → Receive TID → Fetch results
## Endpoint Details

- **Method:** POST
- **URL:** `/jsonrpc`
- **API Path (Step 1):** `/soc-fabric/logsearch/`
- **API Path (Step 2):** `/soc-fabric/logsearch/{taskID}`
- **ADOM Support:** Yes
- **Requires Authentication:** Yes
- **Minimum Version:** 7.4.0
## Step 1: Submit Search Task

Request:

```json
{
  "method": "add",
  "params": [{
    "url": "/soc-fabric/logsearch/",
    "apiver": 3,
    "case-sensitive": false,
    "filter": "srcip=\"10.0.200.253\" dstip=\"140.82.121.5\"",
    "logtype": "traffic",
    "time-order": "desc",
    "time-range": {
      "start": "2025-11-10 00:00",
      "end": "2025-11-10 23:59"
    },
    "limit": 100,
    "devtype": "FortiGate",
    "members": []
  }],
  "session": "{{session_id}}",
  "id": 1
}
```

Response:

```json
{
  "result": [{
    "data": {
      "tid": 12470
    },
    "status": {
      "code": 0,
      "message": "OK"
    }
  }]
}
```
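The `filter` string above is a space-separated list of `field="value"` terms. In practice those values often arrive from a UI form or a ticket, so the request should be assembled from validated parts rather than by string-formatting raw input into the quoted literal. The following is an added example (not part of the FortiAnalyzer documentation or product code) that builds the Step 1 request payload with allowlisted field names and validated IP values, checks the time range, and parses the Step 1 reply. It runs fully offline against a constructed copy of the response shown above; the filter grammar it assumes is only what the page's own example shows, and `IP_FIELDS` and `build_submit_request` are hypothetical names chosen for this example.

```python
import ipaddress
import json
import re
from datetime import datetime

# Fields whose values must parse as IP addresses (srcip/dstip come from the
# page's example); any other field is passed through after a quote check.
IP_FIELDS = {"srcip", "dstip"}
FIELD_RE = re.compile(r"^[a-z0-9_-]+$")
TIME_FMT = "%Y-%m-%d %H:%M"  # format used in the page's time-range example


def build_filter(conditions):
    """Build a space-separated field="value" filter from a dict.

    Values that could close the quoted literal (a double quote or a
    backslash) are rejected rather than escaped, because the page does not
    document an escaping rule and an allowlist is safe either way.
    """
    terms = []
    for field, value in conditions.items():
        if not FIELD_RE.match(field):
            raise ValueError(f"unsupported field name: {field!r}")
        value = str(value)
        if field in IP_FIELDS:
            # ipaddress raises ValueError on anything that is not a plain address
            value = str(ipaddress.ip_address(value))
        elif '"' in value or "\\" in value:
            raise ValueError(f"quote or backslash not allowed in {field} value")
        terms.append(f'{field}="{value}"')
    return " ".join(terms)


def build_time_range(start, end):
    """Validate both timestamps against the documented format and their order."""
    start_dt = datetime.strptime(start, TIME_FMT)
    end_dt = datetime.strptime(end, TIME_FMT)
    if end_dt < start_dt:
        raise ValueError("time-range end precedes start")
    return {"start": start, "end": end}


def build_submit_request(session_id, conditions, start, end,
                         logtype="traffic", limit=100, members=None, request_id=1):
    """Assemble the Step 1 JSON-RPC body exactly as shown on the page."""
    return {
        "method": "add",
        "params": [{
            "url": "/soc-fabric/logsearch/",
            "apiver": 3,
            "case-sensitive": False,
            "filter": build_filter(conditions),
            "logtype": logtype,
            "time-order": "desc",
            "time-range": build_time_range(start, end),
            "limit": limit,
            "devtype": "FortiGate",
            "members": list(members or []),  # empty list = all fabric members
        }],
        "session": session_id,
        "id": request_id,
    }


def parse_submit_response(body):
    """Return the TID from a Step 1 reply, raising on a non-zero status code
    or a malformed body instead of silently handing back None."""
    try:
        entry = body["result"][0]
        status = entry["status"]
    except (KeyError, IndexError, TypeError) as exc:
        raise ValueError("malformed JSON-RPC response") from exc
    if status.get("code") != 0:
        raise RuntimeError(f"FortiAnalyzer error {status.get('code')}: {status.get('message')}")
    return int(entry["data"]["tid"])


# Constructed sample reply mirroring the Step 1 response on the page.
SAMPLE_RESPONSE = json.loads(
    '{"result":[{"data":{"tid":12470},"status":{"code":0,"message":"OK"}}]}'
)

if __name__ == "__main__":
    request = build_submit_request(
        "your_session_id",
        {"srcip": "10.0.200.253", "dstip": "140.82.121.5"},
        "2025-11-10 00:00", "2025-11-10 23:59",
    )
    print(json.dumps(request, indent=2))
    print("tid:", parse_submit_response(SAMPLE_RESPONSE))
```

The rejection path matters more than the happy path: a value such as `1.2.3.4" or srcip="0.0.0.0` fails IP parsing and never reaches the filter string, and a non-zero `status.code` surfaces as an exception instead of a `KeyError` on the missing `data` object.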
## Step 2: Fetch Results by Task ID
See Fetch Fabric Log Search Results for detailed polling and retrieval.
## Complete Python Example

```python
import requests


def create_fabric_search(session_id, filter_expr, start_time, end_time,
                         logtype="traffic", verify=True):
    """Create a distributed fabric log search and return its task ID (TID).

    verify: True (default) or the path to a CA bundle. Keep certificate
    verification on: the session ID in the payload grants API access, so
    sending it over an unverified TLS connection exposes it to interception.
    For lab units with a private CA, pass the CA bundle path instead of False.
    """
    url = "https://faz.example.com/jsonrpc"
    payload = {
        "method": "add",
        "params": [{
            "url": "/soc-fabric/logsearch/",
            "apiver": 3,
            "case-sensitive": False,
            "filter": filter_expr,
            "logtype": logtype,
            "time-order": "desc",
            "time-range": {
                "start": start_time,
                "end": end_time
            },
            "limit": 100,
            "devtype": "FortiGate",
            "members": []  # Empty = all fabric members
        }],
        "session": session_id,
        "id": 1
    }
    response = requests.post(url, json=payload, verify=verify, timeout=30)
    response.raise_for_status()  # HTTP-level failure (e.g. 401, 503)
    result = response.json()

    # JSON-RPC-level failure is reported in status.code, not the HTTP status
    status = result['result'][0]['status']
    if status['code'] != 0:
        raise RuntimeError(f"API error {status['code']}: {status['message']}")

    tid = result['result'][0]['data']['tid']
    print(f"✓ Fabric search created. TID: {tid}")
    return tid


# Example
tid = create_fabric_search(
    session_id="your_session_id",
    filter_expr='srcip="10.0.200.253" dstip="140.82.121.5"',
    start_time="2025-11-10 00:00",
    end_time="2025-11-10 23:59"
)
```