JSON Deserialization Error for filesUsed Field in ngsiem.GetSearchStatusV1 #545

@dweissbacher

Description

When using ngsiem.GetSearchStatusV1() to retrieve results from a LogScale query that uses readfile() and match(file=...) functions, the SDK fails to deserialize the response due to a type mismatch in the filesUsed field.

Error Message

json: cannot unmarshal object into Go struct field APIQueryJobsResults.filesUsed of type string

Expected Behavior

The filesUsed field should be properly deserialized as an array of objects containing file metadata.

Actual Behavior

The SDK expects filesUsed to be a string, but the API returns it as an array of objects with the following structure:

```json
"filesUsed": [
  {
    "contentHash": "F-tIGc6mzjzkEv-g5BLh1_32J8v-yHuc1ew39Ppvm99",
    "modifiedTimestamp": 1760447020737,
    "name": "aid_master_main.csv",
    "queryToRead": "readFile(...)"
  },
  {
    "contentHash": "06r5nlrhhr0cAi35gnADbxdhqaeGrc29k6N986Mioy6",
    "modifiedTimestamp": 0,
    "name": "falcon/helper/sensors_support_info.csv",
    "queryToRead": "readFile(...)"
  }
]
```

Steps to Reproduce

  1. Create a LogScale query that uses readfile() and match(file=...):

```go
queryString := `readfile("aid_master_main.csv")
| test(Time > start())
| test(Time < end())
| match(file="aid_master_details.csv", field=aid, include=[HostHiddenStatus], strict=false)
| match(file="falcon/helper/sensors_support_info.csv", field=KEY, strict=false)
| table([ComputerName, SUPPORT_ENDS])`
```

  2. Start the search query:

```go
startParams := ngsiem.NewStartSearchV1Params()
startParams.SetContext(ctx)
startParams.SetRepository("search-all")
startParams.SetBody(&models.APIQueryJobInput{
    QueryString: &queryString,
    Start:       "24hours",
    End:         "now",
})

startResp, err := falconClient.Ngsiem.StartSearchV1(startParams)
if err != nil {
    // Check the error before dereferencing the payload.
    log.Fatalf("StartSearchV1: %v", err)
}
queryJobID := *startResp.Payload.ID
```

  3. Retrieve the search results:

```go
getParams := ngsiem.NewGetSearchStatusV1Params()
getParams.SetContext(ctx)
getParams.SetRepository("search-all")
getParams.SetID(queryJobID)

getResp, err := falconClient.Ngsiem.GetSearchStatusV1(getParams)
// Error occurs here during JSON deserialization
if err != nil {
    log.Fatalf("GetSearchStatusV1: %v", err)
}
_ = getResp // not reached when the reported error occurs
```

Environment

  • gofalcon version: v0.16.0
  • Go version: 1.25
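
Added example, not part of the original report or of gofalcon's code: a stand-alone reproduction of the reported decode error with encoding/json, next to a tolerant decoder for filesUsed. The `[]string` field type is an assumption, chosen because it yields the same "cannot unmarshal object ... of type string" wording; `FileUsed`, `FilesUsed` and `DecodeBoth` are hypothetical names, and the sample body is constructed from the structure shown in the report with placeholder hashes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample body; file names come from the report, hashes are placeholders.
const sampleBody = `{"filesUsed":[
 {"contentHash":"HASH-PLACEHOLDER-1","modifiedTimestamp":1760447020737,"name":"aid_master_main.csv","queryToRead":"readFile(...)"},
 {"contentHash":"HASH-PLACEHOLDER-2","modifiedTimestamp":0,"name":"falcon/helper/sensors_support_info.csv","queryToRead":"readFile(...)"}]}`

// FileUsed (hypothetical name) models one element of filesUsed as shown in the report.
type FileUsed struct {
	ContentHash       string `json:"contentHash"`
	ModifiedTimestamp int64  `json:"modifiedTimestamp"`
	Name              string `json:"name"`
	QueryToRead       string `json:"queryToRead"`
}

// FilesUsed decodes the object array; a plain string array is kept as names only.
type FilesUsed []FileUsed

func (f *FilesUsed) UnmarshalJSON(b []byte) error {
	var objs []FileUsed
	if err := json.Unmarshal(b, &objs); err == nil {
		*f = objs
		return nil
	}
	var names []string
	if err := json.Unmarshal(b, &names); err != nil {
		return fmt.Errorf("filesUsed: unsupported shape: %w", err)
	}
	out := make(FilesUsed, len(names))
	for i, n := range names {
		out[i].Name = n
	}
	*f = out
	return nil
}

// DecodeBoth returns the strict decoder's error and the tolerant decoder's result.
func DecodeBoth(body string) (strictErr error, files FilesUsed, err error) {
	var strict struct{ FilesUsed []string `json:"filesUsed"` } // assumed failing shape
	var tolerant struct{ FilesUsed FilesUsed `json:"filesUsed"` }
	strictErr = json.Unmarshal([]byte(body), &strict)
	err = json.Unmarshal([]byte(body), &tolerant)
	return strictErr, tolerant.FilesUsed, err
}

func main() {
	strictErr, files, err := DecodeBoth(sampleBody)
	fmt.Println(strictErr, len(files), err)
}
```
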
