HTTP

Subscribe
Download 13
Last updated Feb 20, 2026

User Guide

The HTTP app provides ConnectProfile-based REST API query commands. It supports various authentication types (Bearer, Basic, None), all HTTP methods including PATCH, and multiline streaming output for large responses.

Commands

Driver CommandBatch CommandMethodBody
http-gethttp-get-batchGETX
http-posthttp-post-batchPOSTO
http-puthttp-put-batchPUTO
http-patchhttp-patch-batchPATCHO
http-deletehttp-delete-batchDELETEO
http-head-HEADX
http-options-OPTIONSX
  • Driver commands: Start of a query pipeline. Specify URL or path directly to send a single request.
  • Batch commands: Middle of a pipeline. Send a request per input row using url or path field from each row.

Driver Command Usage

http-get [profile=PROFILE] [url=URL] [path=PATH] [timeout=NUM] [encoding=CHARSET] [resp-header-field=FIELD] [brex=REGEX] [erex=REGEX]
  • profile: Connect profile name
  • url: Full request URL (required when profile is not specified)
  • path: Relative path from endpoint (used with profile)
  • timeout: HTTP timeout in seconds (default: 30)
  • encoding: Character encoding (default: utf-8)
  • resp-header-field: Output field name for response headers (omitted by default)
  • brex: Regular expression for recognizing the first line of a multiline entry. Available for GET, POST, PUT, PATCH, DELETE.
  • erex: Regular expression for recognizing the last line of a multiline entry. Available for GET, POST, PUT, PATCH, DELETE.

For POST, PUT, PATCH, DELETE, additional options:

  • format: Request body format: json, form, xml, plain (default: json)
  • body: Request body string

Batch Command Usage

... | http-get-batch [profile=PROFILE] [header=FIELD] [timeout=NUM] [encoding=CHARSET] [resp-header-field=FIELD]
  • profile: Connect profile name. If not specified, each input row must have a url field.
  • header: Field name containing an extra headers map
  • timeout: HTTP timeout in seconds (default: 30)
  • encoding: Character encoding (default: utf-8)
  • resp-header-field: Output field name for response headers (omitted by default)

For POST, PUT, PATCH, DELETE batch commands, additional options:

  • format: Request body format: json, form, xml, plain (default: json)
  • body: Field name containing the request body. If omitted, the body is automatically assembled from input row fields (excluding url, path, and header fields) according to the specified format.

Batch URL Resolution

  • With profile: reads path field from input row, appends to profile's endpoint
  • Without profile: reads url field from input row as the full URL

Multiline Streaming (brex/erex)

Use brex (begin regex) and/or erex (end regex) on driver commands to split a large HTTP response into multiline entries without loading the entire body into memory. This is useful for NDJSON, CSV, or log responses.

http-get profile=myapi path=/logs/export brex="^\\d{4}-\\d{2}-\\d{2}"
| fields line

Examples

Query a public API without profile

http-get url=https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
| parsejson

GET with query parameters

Get Address Groups | Logpresso Sonar REST API Reference

http-get profile=myapi path="/api/sonar/address-groups?limit=5"
| parsejson

POST with form body

Create Address Group | Logpresso Sonar REST API Reference

http-post profile=myapi path=/api/sonar/address-groups format=form body="name=TestGroup&description=My+group"
| parsejson

PUT update

Update Address Group | Logpresso Sonar REST API Reference

http-put profile=myapi path=/api/sonar/address-groups/{guid} format=form body="name=UpdatedName&description=Updated"
| parsejson

DELETE with query parameters

Remove Address Groups | Logpresso Sonar REST API Reference

http-delete profile=myapi path="/api/sonar/address-groups?guids={guid}"
| parsejson

Batch POST - bulk create (auto body)

Create Address Object | Logpresso Sonar REST API Reference

When body option is omitted, request body is auto-assembled from input row fields.

json "{}" | repeat count=10
| eval address = format("10.0.0.%d", seq())
| eval description = "batch"
| eval path = "/api/sonar/address-groups/{guid}/addresses"
| http-post-batch profile=myapi format=form
| parsejson

Batch POST - explicit body

You can also specify a body field explicitly.

json "{}" | repeat count=10
| eval ip = format("10.0.0.%d", seq())
| eval body_data = concat("{\"address\":\"", ip, "\",\"description\":\"batch\"}")
| eval path = "/api/sonar/address-groups/{guid}/addresses"
| http-post-batch profile=myapi body=body_data
| parsejson

Batch DELETE - bulk remove

Remove Address Objects | Logpresso Sonar REST API Reference

json "{}" | repeat count=10
| eval ip = format("10.0.0.%d", seq())
| eval path = concat("/api/sonar/address-groups/{guid}/addresses?addresses=", ip)
| http-delete-batch profile=myapi
| parsejson

Stream large NDJSON response

http-post profile=elastic path=/_search?scroll=1m erex="\n"
| parsejson