
Rules API


This guide shows how to use the Rules CRUD API to create, read, update or delete rules and rule groups programmatically.

In order to send an external request, the request headers should contain the following:

  1. Content-Type: application/JSON
  2. Cache-Control: no-cache
  3. Authorization: Bearer {API key}. The key is auto-generated: go to Settings –> Account –> ‘API access’ and generate a new API key.


** Note that only admin users have access to the API, so the option above is visible only to admin users.

Groups API

Create
  Request type: POST
  URL: https://api.coralogix.com/api/v1/external/actions/rule
  Body:
    "Name" [string] - the name of the group

Read
  Request type: GET
  URL: https://api.coralogix.com/api/v1/external/actions/rule/:groupId

Update
  Request type: PUT
  URL: https://api.coralogix.com/api/v1/external/actions/rule/:groupId
  Body:
    "Name" [string] - the name of the rules group
    "Enabled" [boolean] - whether the group will be enabled after the update
    "Order" [Int] - the order of the group (can be found by running the Read request)

Delete
  Request type: DELETE
  URL: https://api.coralogix.com/api/v1/external/actions/rule/:groupId

Rules API

Create
  Request type: POST
  URL: https://api.coralogix.com/api/v1/external/action/rule/:groupId
  Body:
    "Type" [string] - one of: block, allow, extract, parse, jsonextract, replace
    "Name" [string] - the name of the rule to create
    "Rule" [string] - the regex of the rule (must be a regex that compiles)
    (Optional) "SourceField" [string] - if not stated in the body, the default source field is the log text. To run the rule against an internal log JSON field use text.field_name.field_name2...
    (Optional) "DestinationField" [string] - if not stated in the body, the default is the log text. To target an internal log JSON field use text.field_name.field_name2...

  Type-specific constraints:
    'extract', 'allow' or 'block': the body must not contain "ReplaceNewVal" or "DestinationField"
    'parse': the body must not contain "ReplaceNewVal"
    'jsonextract': the body must not contain "ReplaceNewVal", and must contain "DestinationField" [string] (one of "category", "className", "methodName", "severity", "threadId")
    'replace': the body must contain "ReplaceNewVal"

  Allowed regardless of type:
    "RuleMatchers" [JSON] - an array containing at least one object, each with:
      "field" [string] - one of "applicationName", "subsystemName", "computerName", "category", "className", "methodName", "threadId", "text", "severity"
      "constraint" [string] - the regex of the constraint (must be a regex that compiles)
    "Description" [string] - a description for the rule
    "Enabled" [boolean] - whether the rule is activated

Read
  Request type: GET
  URL: https://api.coralogix.com/api/v1/external/action/:ruleId/rule/:groupId

Update
  Request type: PUT
  URL: https://api.coralogix.com/api/v1/external/action/:ruleId/rule/:groupId
  Body:
    "Type" [string] - one of: block, allow, extract, parse, jsonextract, replace
    "Name" [string] - the name of the rule to update
    "Rule" [string] - the regex of the rule (must be a regex that compiles)
    (Optional) "SourceField" [string] - if not stated in the body, the default source field is the log text. To run the rule against an internal log JSON field use text.field_name.field_name2...
    (Optional) "DestinationField" [string] - if not stated in the body, the default is the log text. To target an internal log JSON field use text.field_name.field_name2...

  Type-specific constraints:
    'extract', 'allow' or 'block': the body must not contain "ReplaceNewVal" or "DestinationField"
    'parse': the body must not contain "ReplaceNewVal"
    'jsonextract': the body must not contain "ReplaceNewVal"; it may contain "SourceField" and "DestinationField" [string] (one of "category", "className", "methodName", "severity", "threadId")

  Allowed regardless of type:
    "RuleMatchers" [JSON] - an array containing at least one object, each with:
      "field" [string] - one of "applicationName", "subsystemName", "computerName", "category", "className", "methodName", "threadId", "text", "severity"
      "constraint" [string] - the regex of the constraint (must be a regex that compiles)
    "Description" [string] - a description for the rule
    "Enabled" [boolean] - whether the rule is activated

Delete
  Request type: DELETE
  URL: https://api.coralogix.com/api/v1/external/action/:ruleId/rule/:groupId
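As an added example (not code from the Coralogix guide), the following Python checks a Create-rule body against the type-specific constraints listed above before building the POST request, so a malformed rule or a non-compiling regex is rejected locally rather than by the API. The group id and sample bodies are constructed.

```python
import json
import re
import urllib.request

API = "https://api.coralogix.com/api/v1/external"
RULE_TYPES = {"block", "allow", "extract", "parse", "jsonextract", "replace"}
JSONEXTRACT_DEST = {"category", "className", "methodName", "severity", "threadId"}
MATCHER_FIELDS = {"applicationName", "subsystemName", "computerName", "category",
                  "className", "methodName", "threadId", "text", "severity"}

def compiles(pattern):
    # True only if pattern is a string the regex engine accepts
    try:
        re.compile(pattern)
        return True
    except (re.error, TypeError):
        return False

def validate_create_rule_body(body):
    """Return the list of constraint violations for a Create-rule body ([] = OK)."""
    problems = []
    t = body.get("Type")
    if t not in RULE_TYPES:
        problems.append(f"Type must be one of {sorted(RULE_TYPES)}")
    if not isinstance(body.get("Name"), str) or not body["Name"]:
        problems.append("Name must be a non-empty string")
    if not compiles(body.get("Rule")):
        problems.append("Rule must be a regex that compiles")
    if t in ("extract", "allow", "block"):
        problems += [f"{k} not allowed for {t}" for k in ("ReplaceNewVal", "DestinationField") if k in body]
    elif t in ("parse", "jsonextract") and "ReplaceNewVal" in body:
        problems.append(f"ReplaceNewVal not allowed for {t}")
    if t == "jsonextract" and body.get("DestinationField") not in JSONEXTRACT_DEST:
        problems.append(f"jsonextract needs DestinationField in {sorted(JSONEXTRACT_DEST)}")
    if t == "replace" and "ReplaceNewVal" not in body:
        problems.append("replace needs ReplaceNewVal")
    matchers = body.get("RuleMatchers")
    if matchers is not None and (not isinstance(matchers, list) or not matchers or any(
            not isinstance(m, dict) or m.get("field") not in MATCHER_FIELDS
            or not compiles(m.get("constraint")) for m in matchers)):
        problems.append("RuleMatchers must be a non-empty array of {field, constraint} objects")
    return problems

def build_create_request(api_key, group_id, body):
    """Validate, then build the POST (not sent here; pass it to urllib.request.urlopen)."""
    problems = validate_create_rule_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(f"{API}/action/rule/{group_id}", method="POST",
        data=json.dumps(body).encode(), headers={"Content-Type": "application/json",
        "Cache-Control": "no-cache", "Authorization": f"Bearer {api_key}"})
```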

Exporting multiple Rules and Groups

Get all Rules
  Request type: GET
  URL: https://api.coralogix.com/api/v1/rules
  Headers:
    Content-Type: application/json
    Authorization: Bearer { API KEY of team A }
    Cache-Control: no-cache
  The result is a JSON object containing all of the company's Rules and Groups.

Transfer rules
  Request type: POST
  URL: https://api.coralogix.com/api/v1/external/actions
  Headers:
    Content-Type: application/json
    Authorization: Bearer { API KEY of team B }
    Cache-Control: no-cache
  Body: the JSON object from section 1.4, i.e. the output of the Get all Rules request (copy and paste the output of the GET request into the body of the POST request *without changing anything*).

A message stating "Group and Rules transformed successfully" is shown once the transfer has completed.

You can now check your second account and verify that all rules were transferred.
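The two-request transfer above, as an added Python example (not code from the Coralogix guide): it fetches team A's rules with key A and posts the exact same bytes into team B with key B, without re-serialising the payload. The `send` parameter is an assumption added so the flow can be exercised offline; by default it sends over HTTPS.

```python
import json
import urllib.request

EXPORT_URL = "https://api.coralogix.com/api/v1/rules"
IMPORT_URL = "https://api.coralogix.com/api/v1/external/actions"

def headers(api_key):
    # the three headers every request in this guide carries
    return {"Content-Type": "application/json", "Cache-Control": "no-cache",
            "Authorization": f"Bearer {api_key}"}

def transfer_rules(key_team_a, key_team_b, send=None):
    """GET all rules and groups of team A, then POST the identical payload into team B.

    send(request) -> bytes is injectable (hypothetical, for offline use);
    the default performs the real HTTPS calls with urllib."""
    if send is None:
        def send(req):
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    export = send(urllib.request.Request(EXPORT_URL, headers=headers(key_team_a)))
    json.loads(export)  # sanity check only: the export must be a JSON document
    # posted byte-for-byte, as the guide requires ("without changing anything")
    reply = send(urllib.request.Request(IMPORT_URL, method="POST", data=export,
                                        headers=headers(key_team_b)))
    return reply.decode()
```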

To obtain the groupId and ruleId used in the request URLs above, open your account settings –> Rules and click any rule; the browser URL will show both values:


To learn more about log parsing in Coralogix, read the tutorial.

Read our Regular Expressions 101 guide if you need some pointers on RegEx.
