SPQL API functionality


SPQL queries can be executed via the Silent Push API’s Xperimental Scandata Search endpoint. This article explains how to structure API calls. Refer to SPQL Syntax Rules for query construction and SPQL Query Examples for sample queries.

API Endpoint

  • URL: https://api.silentpush.com/api/v1/merge-api/explore/scandata/search/raw

  • Method: POST

Note: SPQL is not supported in the Silent Push UI Query Builder; use tools like curl or Postman.

Request Structure

  • Body: JSON object with:

    • query: SPQL query string, JSON-encoded (escape double quotes inside the string as \").

    • fields (optional): List of field names to return (e.g., ["domain", "ip"]). If omitted, all fields are returned. See Understand Field Names.

    • sort (optional): List of fields and sort order (e.g., ["domain/asc", "scan_date/desc"]). Defaults to ["scan_date/desc", "domain/asc"] if omitted.

URL Parameters

  • limit=<n>: Maximum results (e.g., 100).

  • skip=<n>: Results to skip (e.g., 0).

  • with_metadata=1: Returns metadata, including a job_id to recall results for 30 days.

Recall Results

Use the job_id returned when with_metadata=1 is set to recall results at https://api.silentpush.com/api/v1/merge-api/explore/job/<job_id>.

Example 1: Query for DDoS with all fields

curl -s -X POST -H 'content-type:application/json' -H 'x-api-key:<api_key>' \
  'https://api.silentpush.com/api/v1/merge-api/explore/scandata/search/raw?limit=100' \
  -d '{"query": "htmltitle = \"DDoS* not configured\" AND response > 200 AND header.server = ddos*"}'

Example 2: Query with specific fields

curl -s -X POST -H 'content-type:application/json' -H 'x-api-key:<api_key>' \
  'https://api.silentpush.com/api/v1/merge-api/explore/scandata/search/raw?limit=100' \
  -d '{"query": "htmltitle = \"DDoS* not configured\" AND response = 200 AND header.server = ddos*", "fields": ["domain", "scan_date", "ip", "htmltitle"]}'

Example 3: Regular expression query with nested sorting

curl -s -X POST -H 'content-type:application/json' -H 'x-api-key:<api_key>' \
  'https://api.silentpush.com/api/v1/merge-api/explore/scandata/search/raw?limit=100' \
  -d '{"query": "scan_date > now-30d AND ssl.sans ~= /^silent[a-z].+\\.io$/ AND domain !~= /silent.*/ AND domain ~= /.+/ AND ip = [13.249.0.0/16, 52.84.0.0/16]", "sort": ["domain/asc", "hostname/asc", "scan_date/desc"]}'

Note: The SPQL Command Line Utility is an alternative to direct API calls. When calling the API directly, JSON-encode regular expressions correctly: write each literal backslash (\) as a double backslash (\\).
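
The request structure and escaping rules above, as an added Python example (not Silent Push code): the query is written as plain SPQL and json.dumps does the quote and backslash escaping, while the API key comes from the environment and TLS certificate verification stays on. The function names and the SILENTPUSH_API_KEY variable are assumptions made for this example, as is the response being JSON.

```python
import json
import os
import urllib.parse
import urllib.request

# Endpoint from this page.
SEARCH_URL = "https://api.silentpush.com/api/v1/merge-api/explore/scandata/search/raw"

# Queries from Examples 2 and 3, written as plain SPQL with no JSON escaping.
# The raw string keeps the regex's single backslash exactly as SPQL expects it.
QUOTED_QUERY = 'htmltitle = "DDoS* not configured" AND response = 200 AND header.server = ddos*'
REGEX_QUERY = (r"scan_date > now-30d AND ssl.sans ~= /^silent[a-z].+\.io$/ "
               r"AND domain !~= /silent.*/ AND domain ~= /.+/ "
               r"AND ip = [13.249.0.0/16, 52.84.0.0/16]")


def build_search_request(query, api_key, fields=None, sort=None,
                         limit=100, skip=0, with_metadata=False):
    """Build (but do not send) the POST request for an SPQL search."""
    body = {"query": query}
    if fields:
        body["fields"] = list(fields)
    if sort:
        body["sort"] = list(sort)
    params = {"limit": limit, "skip": skip}
    if with_metadata:
        params["with_metadata"] = 1  # response then carries a job_id
    url = SEARCH_URL + "?" + urllib.parse.urlencode(params)
    # json.dumps escapes embedded double quotes and doubles each backslash.
    data = json.dumps(body).encode("utf-8")
    headers = {"content-type": "application/json", "x-api-key": api_key}
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def run_search(request, timeout=30):
    """Send the request. urllib verifies the server's TLS certificate by default.
    Assumes the response body is JSON; its layout is not described on this page."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # SILENTPUSH_API_KEY is a hypothetical variable name chosen for this example.
    key = os.environ.get("SILENTPUSH_API_KEY")
    req = build_search_request(REGEX_QUERY, key or "<api_key>",
                               sort=["domain/asc", "hostname/asc", "scan_date/desc"])
    print(req.data.decode())  # the JSON body exactly as it goes on the wire
    if key:
        print(json.dumps(run_search(req), indent=2))
```

The bodies this produces for the Example 2 and Example 3 queries are byte-for-byte the -d payloads shown in those curl commands.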