Solved: Re: Stealtwatch SMC: REST API Invalid JSON error

mofnoc · ‎02-12-2026

Hello Team

When I doing POST(PowerShell), SMC returns an error:

{
"errors" : [ {
"code" : 5060,
"message" : "The Request received is invalid"
}, "Invalid JSON." ]
}

This is a part of PowerShell script I use:

# JSON query body
$body = '{
"startDateTime": "2026-02-10T08:00:00Z",
"endDateTime": "2026-02-10T08:05:00Z",
"recordLimit": 10,
"subject": {
"orientation": "CLIENT",
"ipAddresses": {
"includes": ["192.168.0", "10.20"]
}
},
"peer": {
"ipAddresses": {
"includes": ["192.168.0", "10.20"]
},
},
"flow": {
"tcpUdpPorts": {
"includes": ["80-9000/tcp", "67-68/udp"]
},
"flowDirection": "BIDIRECTIONAL",
}'

# POST query
curl.exe -k -X POST "https://{smc-address}/sw-reporting/v2/tenants/{tenant-id}/flows/queries" `
-H "Cookie: stealthwatch.jwt=$JWT" `
-H "X-XSRF-TOKEN: $XSRF_TOKEN" `
-H "Content-Type: application/json" `
-d $body

Tenant ID and tags(name,ID) extracted successfully

Everything I do is according to that documentation:
https://developer.cisco.com/docs/stealthwatch/enterprise/reporting-api-version-2/

Maybe I miss something in my json
Stealthwatch version is 7.5.3

mofnoc · ‎02-18-2026

Hello Jesus

I tried that with coma and without coma - the same result.
Checked my query with jsonlint, it was green.
Pasted that query after -d flag and nothing changed, same error

curl.exe -k -X POST "https://{scm-address}/sw-reporting/v2/tenants/{tenant-id}/flows/queries" `
    -H "Cookie: stealthwatch.jwt=$JWT" `
    -H "X-XSRF-TOKEN: $XSRF_TOKEN" `
    -H "Content-Type: application/json" `
    -d '{
  "startDateTime": "2026-02-18T08:00:00Z",
  "endDateTime": "2026-02-18T08:36:00Z",
  "recordLimit": 50
}'

I executed that script from Linux (converted to bash), and it works as expected

curl -k -X POST "https://{scm-address}/sw-reporting/v2/tenants/{tenant-id}/flows/queries" \
  -H "Cookie: stealthwatch.jwt=$JWT" \
  -H "X-XSRF-TOKEN: $XSRF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "startDateTime": "2026-02-18T08:00:00Z",
  "endDateTime": "2026-02-18T08:36:00Z",
  "recordLimit": 50
}'

For now I choose to use Linux for that task, so that topic is no more actual for me.
I discussed that problem with my Windows admin colegue, and he also can't help with that.
We think PowerShell somehow implicitly changing json query, and SMC can't understand it
Thank you

View solution in original post

Jesus Illescas · ‎02-13-2026

I don't know stealthwatch but since the error is about invalid json, I checked on vscode json linter and I see an error on the comma after "BIDIRECTIONAL"

"flowDirection": "BIDIRECTIONAL", <--- This comma at the end

From experience in json, you only need a comma if you have multiple elements in a list/object. Remove the comma and try again.

mofnoc · ‎02-16-2026

It wasn't help, the same error.
I even simplified query, but have the same issue+

# JSON query body
$body = @{
    "startDateTime" = "2026-02-01T08:00:00Z"
    "endDateTime"   = "2026-02-10T08:50:00Z"
}

$jsonBody = $body | ConvertTo-Json -Compress

# POST query
curl.exe -k -X POST "https://{scm-address}/sw-reporting/v2/tenants/{tenant-id}/flows/queries" `
    -H "Cookie: stealthwatch.jwt=$JWT" `
    -H "X-XSRF-TOKEN: $XSRF_TOKEN" `
    -H "Content-Type: application/json" `
    -d $jsonBody

Jesus Illescas · ‎02-18-2026

Hi @mofnoc

what if you try:

$body = @{
    "startDateTime" = "2026-02-01T08:00:00Z",
    "endDateTime"   = "2026-02-10T08:50:00Z"
}

I added a comma, given you have two elements. I suggest to use a json linter to discard errors due to missing something.

I use vscode, but there are also online tools like https://jsonlint.com/ just make sure you don't put any sensitive data online.

If the linter gives you a green light, then I would discard for now the variables and put directly the json plaintext into the -d flag of curl

mofnoc · ‎02-18-2026

Hello Jesus

I tried that with coma and without coma - the same result.
Checked my query with jsonlint, it was green.
Pasted that query after -d flag and nothing changed, same error

curl.exe -k -X POST "https://{scm-address}/sw-reporting/v2/tenants/{tenant-id}/flows/queries" `
    -H "Cookie: stealthwatch.jwt=$JWT" `
    -H "X-XSRF-TOKEN: $XSRF_TOKEN" `
    -H "Content-Type: application/json" `
    -d '{
  "startDateTime": "2026-02-18T08:00:00Z",
  "endDateTime": "2026-02-18T08:36:00Z",
  "recordLimit": 50
}'

I executed that script from Linux (converted to bash), and it works as expected

curl -k -X POST "https://{scm-address}/sw-reporting/v2/tenants/{tenant-id}/flows/queries" \
  -H "Cookie: stealthwatch.jwt=$JWT" \
  -H "X-XSRF-TOKEN: $XSRF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "startDateTime": "2026-02-18T08:00:00Z",
  "endDateTime": "2026-02-18T08:36:00Z",
  "recordLimit": 50
}'

For now I choose to use Linux for that task, so that topic is no more actual for me.
I discussed that problem with my Windows admin colegue, and he also can't help with that.
We think PowerShell somehow implicitly changing json query, and SMC can't understand it
Thank you

Jesus Illescas · ‎02-18-2026

Thanks for sharing what worked for you @mofnoc I'm not a windows user so this is strange to see. I will mark your last comment as the solution.