Elastic API

Coralogix provides an Elastic API that allows you to query your hosted Elasticsearch instances securely and with ease. 

To use the Elasticsearch API you must send a Coralogix Logs Query Key (Settings -> Account -> API Access -> Logs Query Key) in the token header of every HTTP call. The key grants read access to your logs, so treat it as a credential: keep it out of shell history and source control.

Endpoints and certificates by region (use the certificate listed for your region to verify the endpoint's TLS chain, for example with curl's --cacert option):

  • .com (Cluster URL: coralogix.com)
    Elasticsearch-API: https://coralogix-esapi.coralogix.com:9443
    SSL Certificate:   https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt
  • .us (Cluster URL: coralogix.us)
    Elasticsearch-API: https://esapi.coralogix.us:9443
    SSL Certificate:   https://www.amazontrust.com/repository/AmazonRootCA1.pem
  • .in (Cluster URL: app.coralogix.in)
    Elasticsearch-API: https://es-api.app.coralogix.in:9443
    SSL Certificate:   https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem

How to query your Coralogix elastic API: 

In the examples below, Elasticsearch-api is the regional endpoint from the table above and Index is a placeholder for the index pattern: use *:*_log_metrics* to query the Log2Metrics index, or * to query the regular log index.

curl -H 'token:YOUR LOGS API KEY' -H "Content-type: application/json" -d '{
    "query": {
        "bool": {
            "must":
            [
                {
                    "term": {
                        "coralogix.metadata.applicationName": "PROD"
                    }
                },
                {
                    "range": {
                        "coralogix.timestamp": {
                            "gte": "now-15m",
                            "lt": "now"
                        }
                    }
                }
            ]
        }
    },
    "aggs": {
        "severities": {
            "terms": {
                "field": "coralogix.metadata.severity"
            }
        }
    }
}' 'Elasticsearch-api/Index/_search'

curl -H 'token:Logs Query Key' -H "Content-type: application/json" -d '{
    "query": {
        "bool": {
            "must":
            [
                {
                    "match": {
                        "text": "created"
                    }
                },
                {
                    "range": {
                        "coralogix.timestamp": {
                            "gte": "now-15m",
                            "lt": "now"
                        }
                    }
                }
            ]
        }
    }
}' 'Elasticsearch-api/Index/_search'

curl -H 'token:Logs Query Key' -H "Content-type: application/json" -d '{
    "query": {
        "bool": {
            "filter":
            [
                {
                    "query_string": {
                        "query": "YOUR QUERY"
                    }
                },
                {
                    "range": {
                        "coralogix.timestamp": {
                            "gte": "2019-10-23T14:00:00",
                            "time_zone": "+03:00"
                        }
                    }
                }
            ]
        }
    }
}' 'Elasticsearch-api/Index/_search'

How to use the Scroll API:

curl -H 'token:Logs Query Key' -H "Content-type: application/json" -d '{
	"size": 1000,
	"query": {
		"bool": {
			"filter": [{
					"query_string": {
						"query": "YOUR QUERY"
					}
				},
				{
					"range": {
						"coralogix.timestamp": {
							"gte": "now-24h",
							"lt": "now"
						}
					}
				}
			]
		}
	}
}' 'Elasticsearch-api/Index/_search?scroll=5m'

You will receive the first batch of logs along with a new field at the root of the response named _scroll_id. Pass that value as scroll_id in each following request to page through the remaining batches. Repeat the second request until a batch comes back with no hits; at that point all logs have been retrieved.

curl -H 'token:Logs Query Key' -H "Content-type: application/json" -d '{
    "scroll": "5m",
    "scroll_id": "YOUR_SCROLL_ID"
}' 'Elasticsearch-api/_search/scroll'
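The scroll loop above, written out as an added example (this is not Coralogix's own client). It follows _scroll_id until a batch comes back empty and throttles itself to the 160-requests-per-30-seconds limit listed below. The transport is an assumption made so the code runs offline: a callable send(path, body) that returns the parsed JSON response; fake_transport builds constructed synthetic log documents, and http_transport is the real equivalent, taking a regional endpoint and certificate file from the table above.

```python
"""Scroll pagination against the Coralogix Elastic API with the documented
rate limit respected.  Added example, not Coralogix's own client.
Assumption (not from the page): the transport is a callable
send(path, body) -> dict, so the paginator runs offline against the
constructed fake at the bottom; http_transport() is the real equivalent."""
import json
import ssl
import time
import urllib.request
from collections import deque
from typing import Callable, Dict, Iterator, List, Optional

# Documented limit: 160 requests per 30 seconds when calling from scripts.
RATE_LIMIT_REQUESTS = 160
RATE_LIMIT_WINDOW_S = 30.0


class RateLimiter:
    """Sliding window: at most `limit` sends per `window` seconds.
    clock/sleep are injectable so the logic can be tested without waiting."""

    def __init__(self, limit=RATE_LIMIT_REQUESTS, window=RATE_LIMIT_WINDOW_S,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.sent: deque = deque()

    def _purge(self, now: float) -> None:
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()

    def wait(self) -> float:
        """Block until another request is allowed; returns the seconds slept."""
        now, slept = self.clock(), 0.0
        self._purge(now)
        if len(self.sent) >= self.limit:
            slept = self.window - (now - self.sent[0])
            self.sleep(slept)
            now = self.clock()
            self._purge(now)
        self.sent.append(now)
        return slept


def http_transport(base_url: str, token: str, cafile: Optional[str] = None) -> Callable:
    """Real transport: POST JSON with the Logs Query Key in the `token` header,
    verifying TLS against the region's certificate file when one is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"token": token, "Content-Type": "application/json"}

    def send(path: str, body: Dict) -> Dict:
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return send


def scroll_search(send: Callable, index: str, body: Dict, scroll: str = "5m",
                  limiter: Optional[RateLimiter] = None) -> Iterator[Dict]:
    """Yield every hit for `body`: open the scroll on `index` (scroll <= 6m),
    then follow _scroll_id through _search/scroll until a batch is empty."""
    limiter = limiter or RateLimiter()
    limiter.wait()
    page = send(f"/{index}/_search?scroll={scroll}", body)
    while True:
        hits = page.get("hits", {}).get("hits", [])
        if not hits:
            return                      # empty batch: all logs retrieved
        yield from hits
        scroll_id = page.get("_scroll_id")
        if not scroll_id:
            return
        limiter.wait()
        page = send("/_search/scroll", {"scroll": scroll, "scroll_id": scroll_id})


def fetch_all(send: Callable, index: str, query: Dict, size: int = 1000) -> List[Dict]:
    """Collect the _source of every hit for `query`; size is the batch size."""
    return [hit["_source"] for hit in scroll_search(send, index, {"size": size, "query": query})]


def fake_transport(total_docs: int) -> Callable:
    """Constructed offline stand-in for the API: serves `total_docs` synthetic
    log documents in batches of the request's `size`, like the real scroll."""
    docs = [{"_source": {"text": f"synthetic log line {i}"}} for i in range(total_docs)]
    state = {"pos": 0, "size": 10, "calls": 0}

    def send(path: str, body: Dict) -> Dict:
        state["calls"] += 1
        if path.endswith("/_search/scroll"):
            assert body["scroll_id"] == "fake-scroll-id"
        else:                           # a new search resets the cursor
            state["pos"], state["size"] = 0, body.get("size", 10)
        batch = docs[state["pos"]:state["pos"] + state["size"]]
        state["pos"] += len(batch)
        return {"_scroll_id": "fake-scroll-id", "hits": {"hits": batch}}
    send.calls = state                  # expose the request counter
    return send


if __name__ == "__main__":
    transport = fake_transport(2500)
    rows = fetch_all(transport, "*", {"match_all": {}}, size=1000)
    print(f"{len(rows)} documents in {transport.calls['calls']} requests")
```

For a real run, replace fake_transport with http_transport("https://coralogix-esapi.coralogix.com:9443", key, cafile="Coralogix-EU.crt") (or the .us/.in pair from the table) and pass "*:*_log_metrics*" as the index to page through Log2Metrics instead of the regular index. Keep the keep-alive at or below 6m, which is the maximum the API accepts.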

The Coralogix Elastic API provides the capabilities of the Elasticsearch API with the following limitations:

  • Supports only POST requests.
  • Supported top-level elements of the Search API: query, from, size, sort, _source, post_filter, aggs / aggregations.
  • The sum of the top-level elements from and size cannot be greater than 12000.
  • The allow_leading_wildcard element in a query_string query is not allowed.
  • Wildcard queries cannot start with * or ?.
  • Regex queries cannot start with .* or .?.
  • The max_determinized_states element inside regex queries is not allowed.
  • The size element of bucket aggregations cannot be greater than 1200.
  • The bucket aggregation of type significant_terms is not allowed.
  • Nesting the following bucket aggregations 3 or more times is not allowed: date_histogram, geohash_grid, histogram, ip_ranges, and terms.
  • The fuzzy_max_expansions element in a query_string query is not allowed.
  • The max_expansions element in a fuzzy query is not allowed.
  • The URL query parameter scroll cannot be greater than 6m.
  • To retrieve the exact number of hits for your query, add "track_total_hits": true to the request (otherwise the total may be a lower bound).
  • If you run ES-API requests from scripts, note that there is a limit of 160 requests per 30 seconds.

When using the Scroll API (_search/scroll):

  • Supported top-level elements of the Scroll API: size, scroll, scroll_id.
  • The scroll element cannot be greater than 6m.
  • The size element cannot be greater than 12000.
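A pre-flight check that encodes the two limit lists above, added here as an example (it is not a Coralogix tool) so that a script can reject a malformed request before spending one of its 160 requests per 30 seconds on a server-side error. It implements only the rules printed on this page, so a body that passes can still be refused by the service for reasons not listed here. The aggregation types treated as "bucket aggregations with a size" (terms, multi_terms, composite) and the decision to count ip_range alongside the page's ip_ranges are the author's assumptions.

```python
"""Pre-flight check of an Elastic API request body against the limits listed
above.  Added example, not a Coralogix tool: it encodes only the rules on this
page, so a request that passes here can still be rejected by the server."""
import re
from typing import Dict, List, Optional

SEARCH_TOP_LEVEL = {"query", "from", "size", "sort", "_source", "post_filter",
                    "aggs", "aggregations", "track_total_hits"}
SCROLL_TOP_LEVEL = {"size", "scroll", "scroll_id"}
MAX_FROM_PLUS_SIZE = 12000
MAX_SCROLL_SIZE = 12000
MAX_SCROLL_SECONDS = 6 * 60
MAX_BUCKET_SIZE = 1200
MAX_BUCKET_NESTING = 2          # "3 or more times is not allowed"
# The page lists ip_ranges; Elasticsearch itself spells the aggregation ip_range.
NESTING_LIMITED = {"date_histogram", "geohash_grid", "histogram", "ip_range", "ip_ranges", "terms"}
SIZED_BUCKET_AGGS = {"terms", "multi_terms", "composite"}   # assumption: bucket aggs that take size
AGG_CONTAINER_KEYS = {"aggs", "aggregations", "meta"}
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration_seconds(value: str) -> float:
    """Parse an Elasticsearch time value such as 5m or 30s into seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", str(value).strip())
    if not m:
        raise ValueError(f"bad Elasticsearch time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def _walk_query(node, problems: List[str]) -> None:
    """Recurse through the query DSL and flag the forbidden elements and patterns."""
    if isinstance(node, list):
        for item in node:
            _walk_query(item, problems)
        return
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        if key == "query_string" and isinstance(value, dict):
            for forbidden in ("allow_leading_wildcard", "fuzzy_max_expansions"):
                if forbidden in value:
                    problems.append(f"query_string: {forbidden} not allowed")
            for term in str(value.get("query", "")).split():
                bare = term.lstrip("(+-!").split(":")[-1]     # drop grouping and field prefix
                if bare[:1] in ("*", "?"):
                    problems.append(f"query_string: leading wildcard in {term!r}")
        elif key == "wildcard" and isinstance(value, dict):
            for field, spec in value.items():
                pattern = spec.get("value", spec.get("wildcard")) if isinstance(spec, dict) else spec
                if str(pattern)[:1] in ("*", "?"):
                    problems.append(f"wildcard: {field} pattern {pattern!r} starts with * or ?")
        elif key == "regexp" and isinstance(value, dict):
            for field, spec in value.items():
                if isinstance(spec, dict) and "max_determinized_states" in spec:
                    problems.append("regexp: max_determinized_states not allowed")
                pattern = spec.get("value") if isinstance(spec, dict) else spec
                if str(pattern).startswith((".*", ".?")):
                    problems.append(f"regexp: {field} pattern {pattern!r} starts with .* or .?")
        elif key == "fuzzy" and isinstance(value, dict):
            if any(isinstance(s, dict) and "max_expansions" in s for s in value.values()):
                problems.append("fuzzy: max_expansions not allowed")
        _walk_query(value, problems)


def _walk_aggs(aggs: Dict, depth: int, problems: List[str]) -> None:
    """Recurse through the aggregation tree checking type, size and nesting depth."""
    for name, spec in aggs.items():
        if not isinstance(spec, dict):
            continue
        agg_type = next((k for k in spec if k not in AGG_CONTAINER_KEYS), None)
        params = spec.get(agg_type) if isinstance(spec.get(agg_type), dict) else {}
        if agg_type == "significant_terms":
            problems.append(f"aggs: significant_terms not allowed ({name})")
        if agg_type in SIZED_BUCKET_AGGS and params.get("size", 0) > MAX_BUCKET_SIZE:
            problems.append(f"aggs: size {params['size']} > {MAX_BUCKET_SIZE} in {name}")
        new_depth = depth + 1 if agg_type in NESTING_LIMITED else depth
        if new_depth > MAX_BUCKET_NESTING:
            problems.append(f"aggs: {agg_type} nested {new_depth} deep at {name}")
        _walk_aggs(spec.get("aggs") or spec.get("aggregations") or {}, new_depth, problems)


def check_search_body(body: Dict, scroll: Optional[str] = None) -> List[str]:
    """Return the rules a _search body (plus the optional ?scroll= value) breaks."""
    problems = [f"top-level: {k!r} is not a supported element" for k in body if k not in SEARCH_TOP_LEVEL]
    total = int(body.get("from", 0)) + int(body.get("size", 10))   # Elasticsearch's default size is 10
    if total > MAX_FROM_PLUS_SIZE:
        problems.append(f"from+size: {total} > {MAX_FROM_PLUS_SIZE}")
    if scroll is not None and parse_duration_seconds(scroll) > MAX_SCROLL_SECONDS:
        problems.append(f"scroll: {scroll} exceeds 6m")
    _walk_query(body.get("query"), problems)
    _walk_query(body.get("post_filter"), problems)
    _walk_aggs(body.get("aggs") or body.get("aggregations") or {}, 0, problems)
    return problems


def check_scroll_body(body: Dict) -> List[str]:
    """Return the rules a _search/scroll body breaks."""
    problems = [f"top-level: {k!r} is not a supported element" for k in body if k not in SCROLL_TOP_LEVEL]
    if "scroll" in body and parse_duration_seconds(body["scroll"]) > MAX_SCROLL_SECONDS:
        problems.append(f"scroll: {body['scroll']} exceeds 6m")
    if int(body.get("size", 0)) > MAX_SCROLL_SIZE:
        problems.append(f"size: {body['size']} > {MAX_SCROLL_SIZE}")
    return problems
```

Call check_search_body(body, scroll="5m") on the dict you are about to serialise for Elasticsearch-api/Index/_search?scroll=5m, and check_scroll_body on each follow-up body; an empty list means none of the listed rules is broken. The query_string check is deliberately conservative: it only looks for terms that begin with * or ? after stripping grouping characters and a field: prefix, which is what the leading-wildcard rule forbids.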

Elastic API query tutorials: 

1) Search API tutorial

2) Aggregations API tutorial