Coralogix provides an Elastic API that allows you to query your hosted Elasticsearch instances securely and with ease.
In order to use ElasticSearch API, you must add a Coralogix token (Settings –> Account –> API Access –> Logs API Key) with each HTTP call.
How to query your Coralogix elastic API:
curl -H 'token:YOUR LOGS API KEY' -H "Content-type: application/json" -d '{
"query": {
"bool": {
"must":
[
{
"term": {
"coralogix.metadata.applicationName": "PROD"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "now-15m",
"lt": "now"
}
}
}
]
}
},
"aggs": {
"severities": {
"terms": {
"field": "coralogix.metadata.severity"
}
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search'
curl -H 'token:YOUR LOGS API KEY' -H "Content-type: application/json" -d '{
"query": {
"bool": {
"must":
[
{
"match": {
"text": "created"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "now-15m",
"lt": "now"
}
}
}
]
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search'
curl -H 'token:YOUR LOGS API KEY' -H "Content-type: application/json" -d '{
"query": {
"bool": {
"filter":[{
"query_string": {
"query": "YOUR QUERY"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "2019-10-23T14:00:00",
"time_zone": "+03:00"
}
}
}
]
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search'
How to use scroll API:
curl -H 'token:YOUR LOGS API KEY' -H "Content-type: application/json" -d '{
"size": 1000,
"query": {
"bool": {
"filter": [{
"query_string": {
"query": "YOUR QUERY"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "now-24h",
"lt": "now"
}
}
}
]
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search?scroll=5m'
You will receive the first batch of the logs along with a new field in the root of the response named _scroll_id. That scroll_id should be used in the following requests to create the pagination and get the next log batches. You should repeat the second request until all logs are retrieved.
curl -H 'token:YOUR LOGS API KEY' -H "Content-type: application/json" -d '{
"scroll": "5m",
"scroll_id": "YOUR_SCROLL_ID"
}' 'https://coralogix-esapi.coralogix.com:9443/_search/scroll'
The Coralogix Elastic API provides the capabilities of the Elasticsearch API with the following limitations:
- Supports only POST requests
- supported top-level elements of the Search API: query, from, size, sort,
_source, post_filter, aggs, aggregations - The sum of the top-level elements ‘from’ and ‘size’ cannot be greater than 12000
- allow_leading_wildcard element in query_string query is not allowed.
- Wildcard queries can’t start with ‘*’ or ‘?’
- Regex queries can’t start with ‘.*’ or ‘.?’
- max_determinized_states
element inside regex queries is not allowed. - Size element for bucket aggregations cannot be greater than 1200.
- The bucket aggregation of the type significant_terms is not allowed.
- Nesting of the following bucket aggregations 3 or more times is not allowed: date_histogram,
geohash_grid, histogram, ip_ ranges, and terms. - fuzzy_max_expansions element in query_string query is not allowed.
- Max_expansions element in a fuzzy query is not allowed.
- When specifying the URL query param ’scroll’ it can not be greater than 6m.
- To retrieve the accurate number of hits of your query add to your request: “track_total_hits”:true
- If you are running ES-API requests with scripts note that there is a 160 requests limit per 30 seconds.
When using the Scroll API _search/scroll
- supported top-level elements of the Scroll API: size, scroll, scroll_id
- scroll element cannot be greater than 6m
- size element cannot be greater than 12000
