Coralogix provides an Elastic API that allows you to query your hosted Elasticsearch instances securely and with ease.
In order to use ElasticSearch API, you must add Coralogix token with each HTTP call.
How to query your Coralogix elastic API:
curl -H 'token:YOUR COMPANY PRIVATE KEY' -H "Content-type: application/json" -d '{
"query": {
"bool": {
"must":
[
{
"term": {
"coralogix.metadata.applicationName": "PROD"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "now-15m",
"lt": "now"
}
}
}
]
}
},
"aggs": {
"severities": {
"terms": {
"field": "coralogix.metadata.severity"
}
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search'
curl -H 'token:YOUR COMPANY PRIVATE KEY' -H "Content-type: application/json" -d '{
"query": {
"bool": {
"must":
[
{
"match": {
"text": "created"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "now-15m",
"lt": "now"
}
}
}
]
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search'
curl -H 'token:YOUR COMPANY PRIVATE KEY' -H "Content-type: application/json" -d '{
"query": {
"bool": {
"filter":[{
"query_string": {
"query": "YOUR QUERY"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "2019-10-23T14:00:00",
"time_zone": "+03:00"
}
}
}
]
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search'
How to use scroll API:
curl -H 'token:YOUR COMPANY PRIVATE KEY' -H "Content-type: application/json" -d '{
"size": 1000,
"query": {
"bool": {
"filter": [{
"query_string": {
"query": "YOUR QUERY"
}
},
{
"range": {
"coralogix.timestamp": {
"gte": "now-24h",
"lt": "now"
}
}
}
]
}
}
}' 'https://coralogix-esapi.coralogix.com:9443/*/_search?scroll=5m'
You will receive the first batch of the logs along with a new field in the root of the response named _scroll_id. That scroll_id should be used in the following requests to create the pagination and get the next log batches. You should repeat the second request until all logs are retrieved.
curl -H 'token:YOUR COMPANY PRIVATE KEY' -H "Content-type: application/json" -d '{
"scroll": "5m",
"scroll_id": "YOUR_SCROLL_ID"
}' 'https://coralogix-esapi.coralogix.com:9443/_search/scroll'
The Coralogix Elastic API provides the capabilities of the Elasticsearch API with the following limitations:
- supported top-level elements of the Search API: query, from, size, sort,
_source, post_filter, aggs, aggregations - The sum of the top-level elements ‘from’ and ‘size’ cannot be greater than 12000
- allow_leading_wildcard element in query_string query is not allowed.
- Wildcard queries can’t start with ‘*’ or ‘?’
- Regex queries can’t start with ‘.*’ or ‘.?’
- max_determinized_states
element inside regex queries is not allowed. - Size element for bucket aggregations cannot be greater than 1200.
- The bucket aggregation of the type significant_terms is not allowed.
- Nesting of the following bucket aggregations 3 or more times is not allowed: date_histogram,
geohash_grid, histogram, ip_ ranges, and terms. - fuzzy_max_expansions element in query_string query is not allowed.
- Max_expansions element in a fuzzy query is not allowed.
- When specifying the URL query param ’scroll’ it can not be greater than 6m.
- To retrieve the accurate number of hits of your query add to your request: “track_total_hits”:true
When using the Scroll API _search/scroll
- supported top-level elements of the Scroll API: size, scroll, scroll_id
- scroll element cannot be greater than 6m
- size element cannot be greater than 12000
