Coralogix provides an Elastic API that allows you to query your hosted Elasticsearch instances securely and with ease.
Notes:
In order to use the Elasticsearch API it is necessary to:
STEP 1. Add a Coralogix token with each HTTP request. This key is found under: Data Flow > API Keys > Logs Query Key.
STEP 2. Use the Elasticsearch API endpoint for your Team per the following table:
Cluster | Your team URL          | Elasticsearch API endpoint
EU      | coralogix.com          | https://coralogix-esapi.coralogix.com:9443
IN      | app.coralogix.in       | https://es-api.app.coralogix.in:9443
US      | app.coralogix.us       | https://esapi.coralogix.us:9443
EU2     | app.eu2.coralogix.com  | https://es-api.eu2.coralogix.com:9443
SG      | app.coralogixsg.com    | https://es-api.coralogixsg.com:9443
STEP 3. The index is a variable in the endpoint path. Use the Log2Metrics index name (*:*_log_metrics*) if you are querying the Log2Metrics index, or (*) if you are querying the regular logs index.
Each API request sends the token header, a JSON content type and the query body to the /<index>/_search path of your team's endpoint, as in the following examples:
# Endpoint taken from the table above (EU cluster); the index (*) is part of the path.
curl 'https://coralogix-esapi.coralogix.com:9443/*/_search' \
  -H 'token: Logs Query Key' \
  -H 'Content-Type: application/json' \
  -d '{
  "query": {
    "bool": {
      "must": [
        { "term": { "coralogix.metadata.applicationName": "PROD" } },
        { "range": { "coralogix.timestamp": { "gte": "now-15m", "lt": "now" } } }
      ]
    }
  },
  "aggs": {
    "severities": {
      "terms": { "field": "coralogix.metadata.severity" }
    }
  }
}'
curl 'https://coralogix-esapi.coralogix.com:9443/*/_search' \
  -H 'token: Logs Query Key' \
  -H 'Content-Type: application/json' \
  -d '{
  "query": {
    "bool": {
      "must": [
        { "match": { "text": "created" } },
        { "range": { "coralogix.timestamp": { "gte": "now-15m", "lt": "now" } } }
      ]
    }
  }
}'
curl 'https://coralogix-esapi.coralogix.com:9443/*/_search' \
  -H 'token: Logs Query Key' \
  -H 'Content-Type: application/json' \
  -d '{
  "query": {
    "bool": {
      "filter": [
        { "query_string": { "query": "YOUR QUERY" } },
        { "range": { "coralogix.timestamp": { "gte": "2019-10-23T14:00:00", "time_zone": "+03:00" } } }
      ]
    }
  }
}'
The initial scroll API request should contain the following:
# scroll=5m keeps the search context open so the response carries a _scroll_id;
# it matches the "scroll" value sent in the follow-up requests.
curl 'https://coralogix-esapi.coralogix.com:9443/*/_search?scroll=5m' \
  -H 'token: Logs Query Key' \
  -H 'Content-Type: application/json' \
  -d '{
  "size": 1000,
  "query": {
    "bool": {
      "filter": [
        { "query_string": { "query": "YOUR QUERY" } },
        { "range": { "coralogix.timestamp": { "gte": "now-24h", "lt": "now" } } }
      ]
    }
  }
}'
You will receive the first batch of logs along with a new field at the root of the response named _scroll_id.
That same _scroll_id must be sent in each subsequent request to paginate and obtain the next batch of logs. Repeat the follow-up request until all logs have been retrieved.
The second and every subsequent scroll API request should contain the following:
Example #1:
# The follow-up request goes to /_search/scroll (no index in the path).
curl 'https://coralogix-esapi.coralogix.com:9443/_search/scroll' \
  -H 'token: Logs Query Key' \
  -H 'Content-Type: application/json' \
  -d '{
  "scroll": "5m",
  "scroll_id": "YOUR_SCROLL_ID"
}'
Example #2:
curl --location --request POST 'https://esapi.coralogix.us:9443/_search/scroll/' \
--header 'token: Logs Query Key' \
--header 'Content-Type: application/json' \
--data-raw '{
"scroll": "5m",
"scroll_id": "YOUR_SCROLL_ID"
}'
The last log page retrieved will show an empty array at the bottom of the response:
"hits": []
This indicates that there are no more log pages to retrieve.
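A paging loop that follows the scroll procedure above, added here as an example and not Coralogix's own code: it issues the initial /<index>/_search?scroll=5m request, then re-posts the returned _scroll_id to /_search/scroll until a page comes back with an empty hits array. The endpoint, the key placeholder and the FakeEsApi stand-in (constructed so the script runs offline) are assumptions; pass post=http_post for a real run.

```python
import json
import urllib.request

# Assumed values: take your team's endpoint from the table and paste your Logs Query Key.
ES_API = "https://coralogix-esapi.coralogix.com:9443"
TOKEN = "YOUR_LOGS_QUERY_KEY"
SCROLL_TTL = "5m"  # how long each page keeps the search context alive

def http_post(url, body):
    """Real transport: POST a JSON body with the Coralogix token header."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"token": TOKEN, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())

def scroll_all(query, size=1000, post=http_post, index="*"):
    """Yield every hit for `query`, paging with the scroll API until hits is empty."""
    # Initial request: index in the path, scroll=<ttl> so the reply carries _scroll_id.
    page = post(f"{ES_API}/{index}/_search?scroll={SCROLL_TTL}",
                {"size": size, "query": query})
    while page["hits"]["hits"]:            # the last page answers "hits": []
        yield from page["hits"]["hits"]
        # Subsequent requests: no index, just the scroll id from the previous page.
        page = post(f"{ES_API}/_search/scroll",
                    {"scroll": SCROLL_TTL, "scroll_id": page["_scroll_id"]})

class FakeEsApi:
    """Constructed stand-in for the endpoint: three pages of two hits, then []."""
    def __init__(self):
        self.pages = [[{"_id": f"log-{n}"}, {"_id": f"log-{n + 1}"}] for n in (0, 2, 4)]
        self.calls = []  # (url, body) of every request made

    def __call__(self, url, body):
        self.calls.append((url, body))
        hits = self.pages.pop(0) if self.pages else []
        return {"_scroll_id": "scroll-ctx-1", "hits": {"hits": hits}}

def demo():
    """Run the paging loop against the fake endpoint; returns (ids, calls)."""
    query = {"bool": {"filter": [
        {"query_string": {"query": "YOUR QUERY"}},
        {"range": {"coralogix.timestamp": {"gte": "now-24h", "lt": "now"}}}]}}
    api = FakeEsApi()
    ids = [hit["_id"] for hit in scroll_all(query, size=2, post=api)]
    return ids, api.calls
```

With the fake endpoint, demo() makes four requests (one initial, three scroll) and returns six log ids; the fourth reply is the empty page that ends the loop.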
# Multi-search: the body is NDJSON, so only the x-ndjson content type is sent,
# and the body ends with a newline.
curl --location --request POST 'https://coralogix-esapi.coralogix.com:9443/*/_msearch' \
  --header 'token: Logs Query Key' \
  --header 'Content-Type: application/x-ndjson' \
  --data-raw '{"index":"*"}
{"query":{"bool":{"filter":[{"match_phrase":{"coralogix.metadata.applicationName":{"query":"coralogix"}}},{"match_phrase":{"coralogix.metadata.subsystemName":{"query":"coralogix"}}},{"range":{"coralogix.timestamp":{"gte":"now-2h","lte":"now"}}}]}}}
{"index":"*"}
{"query":{"bool":{"filter":[{"match_phrase":{"coralogix.metadata.applicationName":{"query":"coralogix"}}},{"match_phrase":{"coralogix.metadata.subsystemName":{"query":"coralogix"}}},{"range":{"coralogix.timestamp":{"gte":"now-4h","lte":"now-2h"}}}]}}}
'
Every query must be written on a single line (NDJSON format) and be preceded by a header line {"index":"*"}; the request body must end with a newline.
The Coralogix Elastic API provides the capabilities of the Elasticsearch API with the following limitations:
Coralogix uses OpenSearch, a fork of open source Elasticsearch 7.10. As such, it provides backwards-compatible REST APIs for ingest, search, and management, and the query syntax and responses are the same.
OpenSearch can use indices from Elasticsearch versions 6.0 up to 7.10, so our Elasticsearch API accepts REST API calls that are backward compatible with Elasticsearch versions 6.0 to 7.10.