Software Secure Workload

Top N Conversations in a Policy Discovery Run

This endpoint enables you to search the top conversations for an automatic policy discovery run for a given workspace, based on a metric and grouped by a dimension. The currently supported metrics are listed here, and the currently supported group-by dimensions are listed here. You can query for a subset of conversations using filters on supported dimensions and metrics. For example, you can search for the source IP address with the most byte traffic conversations using a query with the src_ip dimension and the byte_count metric.

POST /openapi/v1/conversations/{application_id}/topn

The query consists of a JSON body with the following keys.

| Name | Type | Description |
|------|------|-------------|
| version | integer | Version of the automatic policy discovery run |
| dimension | string | The dimension for the conversations to be grouped by for the top N query. Supported dimensions: src_ip, dst_ip |
| metric | string | The metric to be sorted by for the top N conversations. The list of supported metrics can be found here. |
| filter | JSON | (optional) Query filter. If filter is empty (i.e. {}), then query matches all the conversations. More specific conversations can be downloaded using filters on supported dimensions and metrics. For the syntax on filters, see filters. |
| threshold | integer | Number of top N results to be returned in a single API response. |

The body of the request should be a JSON-formatted query. An example of a query body is shown below.


    {
        "version": 1,
        "dimension": "src_ip",
        "metric": "byte_count",
        "filter": {
            "type": "and",
            "filters":[
                {
                    "type": "eq",
                    "field": "excluded",
                    "value": false
                },
                {
                    "type": "eq",
                    "field": "protocol",
                    "value": "TCP"
                }
            ]
        },
        "threshold" : 10
    }

Response

The response is a JSON object in the body with the following properties.

| Keys | Values |
|------|--------|
| results | List with one JSON object with a results key and a value of a list of results objects with keys matching the query dimension and metric. |


    [ {"result": [
      {
        "byte_count": 1795195565,
        "src_ip": "192.168.1.6"
      },
      {
        "byte_count": 1781002379,
        "src_ip": "192.168.1.28"
      },
      ...
    ] } ]


    import json

    # restclient is assumed to be an already-initialized REST client for the
    # OpenAPI endpoint; its setup is not shown on this page.
    req_payload = {"version": 1, "dimension": "src_ip", "metric": "byte_count",
      "filter": {"type": "and",
        "filters": [
          {"type": "eq", "field": "excluded", "value": False},
          {"type": "eq", "field": "protocol", "value": "TCP"},
          {"type": "eq", "field": "consumer_filter_id", "value": "16b12a5614c5af5b68afa7ce"},
          {"type": "subnet", "field": "src_ip", "value": "192.168.1.0/24"}
        ]
      },
      "threshold" : 10
    }

    # Replace {application_id} in the path with the actual application ID.
    # json.dumps() turns the Python False above into the JSON literal false.
    resp = restclient.post('/conversations/{application_id}/topn', json_body=json.dumps(req_payload))
    print(resp.status_code)
    if resp.status_code == 200:
        parsed_resp = json.loads(resp.content)
        print(json.dumps(parsed_resp, indent=4, sort_keys=True))
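
The following is an added example, not part of the original documentation: it builds the query body described above with input checks before it is sent, and flattens the documented response shape so each source's share of the returned byte traffic can be ranked. The function names and the sample response are constructed for illustration; the returned JSON text is what would be passed as `json_body` in the `restclient.post` call above.

```python
import ipaddress
import json

SUPPORTED_DIMENSIONS = {"src_ip", "dst_ip"}  # as listed in the request table above


def build_topn_query(version, dimension, metric, threshold, protocol=None, subnet=None):
    """Return the top-N query body as strict JSON text; ValueError on bad input."""
    if dimension not in SUPPORTED_DIMENSIONS:
        raise ValueError("unsupported dimension: %r" % (dimension,))
    if isinstance(threshold, bool) or not isinstance(threshold, int) or threshold < 1:
        raise ValueError("threshold must be a positive integer")
    filters = [{"type": "eq", "field": "excluded", "value": False}]
    if protocol is not None:
        filters.append({"type": "eq", "field": "protocol", "value": protocol})
    if subnet is not None:
        ipaddress.ip_network(subnet)  # ValueError on a malformed CIDR or set host bits
        filters.append({"type": "subnet", "field": dimension, "value": subnet})
    body = {"version": version, "dimension": dimension, "metric": metric,
            "filter": {"type": "and", "filters": filters}, "threshold": threshold}
    return json.dumps(body)  # Python False is serialized as JSON false


def parse_topn(resp_text, dimension, metric):
    """Flatten the [{"result": [...]}] response into (dimension, metric) tuples."""
    rows = []
    for group in json.loads(resp_text):
        for row in group.get("result", []):
            rows.append((row[dimension], row[metric]))
    return rows


def shares(rows):
    """Each row's fraction of the total metric across the returned top-N rows."""
    total = sum(value for _, value in rows)
    return [(key, value / total if total else 0.0) for key, value in rows]


# Constructed sample response (two rows, values taken from the response above).
SAMPLE_RESPONSE = json.dumps([{"result": [
    {"byte_count": 1795195565, "src_ip": "192.168.1.6"},
    {"byte_count": 1781002379, "src_ip": "192.168.1.28"},
]}])

if __name__ == "__main__":
    print(build_topn_query(1, "src_ip", "byte_count", 10, "TCP", "192.168.1.0/24"))
    for ip, share in shares(parse_topn(SAMPLE_RESPONSE, "src_ip", "byte_count")):
        print(ip, round(share, 3))
```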