Search API - SumoLogic/sumo-java-client GitHub Wiki
This document describes the API exposed by the Sumo Logic service. It can be used to access resources and log data within the service by third party scripts and applications. The API follows REST (representational state transfer) patterns and is optimized for ease of use and consistency.
Any request made to the Sumo Logic API needs to include an HTTP Basic Authentication header (see RFC 2617) generated from a users email and password. All modern browsers, as well as command line tools like curl and wget support basic authentication. This is secure, since all communication with the Sumo Logic service happens over SSL/HTTPS.
The base URL for all Sumo Logic API calls is https://api.sumologic.com/api/{version}, where {version} is the version of the API. The API documented here is version v1, consequently, the base URL is:
https://api.sumologic.com/api/v1/
Resources are accepted and returned in JSON (JavaScript Object Notation) format by default. Support for other formats may be added in future versions.
Upon error, the API responds with an HTTP response and a JSON document with further details on the error. Here are some common HTTP responses:
Code | Description |
---|---|
400 Bad Request | The request was malformed. |
401 Unauthorized | The authentication did not succeed. |
403 Forbidden | No permission to access the requested resource. |
404 Not Found | A requested resource could not be found. |
500 Server Error | There was an error executing the request. |
503 Service Unavailable | The service is currently unavailable/in maintenance. |
All error responses return a JSON document with further details on the error:
{
"status":401,
"id": "AJ4DH-85NDL-8HYE2",
"code":"auth.failed",
"message":"The authentication has failed."
}
In the example above:
-
status
is identical to the HTTP response code -
id
uniquely identifies the occurrence of the error -
code
is a machine readable error code intended to distinguish between errors -
message
is a human readable error message for display to end user
These are some of the error codes you might encounter:
Code | Description |
---|---|
auth.failed | Login has failed. |
internal.error | Internal server error. |
unauthorized | Email and password could not be verified. |
service.unavailable | Service is currently unavailable. |
no.fields | The list of search fields was specified, but empty. |
invalid.timestamp.to | The 'to' field contains an invalid time. |
invalid.timestamp.from | The 'from' field contains an invalid time. |
to.smaller.than.from | The 'from' time cannot be larger than the 'to' time. |
invalid.limit | The 'limit' field is not a valid number. |
limit.too.small | The 'limit' field is too small. |
limit.too.big | The 'limit' field is bigger than the maximum. |
order.unknown | The 'order' can only be 'asc' or 'desc'. |
unknown.timezone | The 'tz' value is not a known time zone. |
empty.timezone | The 'tz' cannot be blank. |
no.query | No 'q' parameter was provided. |
timed.out | Search has timed out. Please retry. |
cancelled | Search was cancelled. Please retry. |
errors | The search has produced errors. |
no.counts | The search did not return counts. |
parse.error | Unable to parse query. |
message.retrieval.error | Error retrieving messages. |
aggregates.unsupported | Aggregated results cannot be rendered in the selected output type. |
raw.unsupported | Raw results cannot be rendered in the selected output type. |
output.closed | Output is closed. |
unknown.format | Requested format is unknown. |
We have an open source implementation of a Java Client for our API, which is also available on mvncentral.
It is published here: https://github.com/SumoLogic/sumo-java-client
This section defines the functions and endpoints for the API.
Executes a search on log data in the Sumo Logic service. The search query is formed as a standard HTTP query string, and is appended to the endpoint URL.
- Endpoint: https://api.sumologic.com/api/v1/logs/search
- Method: GET
About time parameters: If you do not enter any time parameters, Sumo Logic executes the query with the default time range, which is the last 15 minutes before now. "Now" is, of course, whenever you run the query.
Parameter | Required | Default | Description |
---|---|---|---|
q | yes | – | The full search query to be executed. |
from | no | -15m | ISO 8601 date of the time range to start search in. Can also be milliseconds since epoch. |
to | no | now | ISO 8601 date of the time range to end search in. Can also be milliseconds since epoch. |
tz | no | UTC | Time zone used for absolute times/dates in from and to and time stamps in results. |
format | no | json | The desired result format. Supported: 'json' and 'text'. Text is not supported for aggregation queries. |
If you need a quick method for escaping characters in your search query string, you can use this tool.
curl -u [email protected]:VeryTopSecret123 "https://api.sumologic.com/api/v1/logs/search?q=error&from=2012-04-04T13:01:02&to=2012-04-04T15:01:02"
Timestamps are in ISO8601 format.
[
{
"_sourcecategory" : "collector_metrics_reporter",
"_raw" : "2012-04-25 16:02:03,269 [metrics-log-reporter] INFO com.sumologic.util.scala.MetricsReporter - com.sumologic.util.log.Log.error (calls/m) count=1, fifteenMinuteRate=0.00, fiveMinuteRate=0.00, oneMinuteRate=0.00, meanRate=0.00",
"_sourcehost" : "nite-config-1",
"_receipttime" : 1335394925520,
"_sourcename" : "/usr/sumo/collector-17.0-299/logs/metrics-reporter.log",
"_messagetime" : 1335394923269
},
{
"_sourcecategory" : "config_metrics_reporter",
"_raw" : "2012-04-25 16:02:01,675 -0700 INFO [hostId=nite-config-1] [module=config] [logger=util.scala.MetricsReporter] [thread=metrics-log-reporter] com.sumologic.util.log.Log.error (calls/m) count=1, fifteenMinuteRate=0.00, fiveMinuteRate=0.00, oneMinuteRate=0.00, meanRate=0.00",
"_sourcehost" : "nite-config-1",
"_receipttime" : 1335394922523,
"_sourcename" : "/usr/sumo/config-17.0-786/logs/metrics-reporter.log",
"_messagetime" : 1335394921675
},
{
"_sourcecategory" : "search",
"_raw" : "2012-04-25 16:02:01,224 -0700 INFO [hostId=nite-ftsearch-1] [module=SEARCH] [logger=scala.search.SearchQueryHandler] [thread=MTP-SearchQueryHandler-18] [auth=User:[email protected]:000000000000106D:0000000000001055:false] [session=1ED0366263EAEB94] [customer=0000000000001055] [call=InboundSearchProtocol.startSearch] [session_path=2C3BF127361E38A3] Started search with sessionId: 1ED0366263EAEB94, customerId: 4181, query: (error OR fail*) AND exception",
"_sourcehost" : "nite-ftsearch-1",
"_receipttime" : 1335394922043,
"_sourcename" : "/usr/sumo/search-17.0-853/logs/search.log",
"_messagetime" : 1335394921224
},
{
"_sourcecategory" : "stream",
"_raw" : "2012-04-25 16:02:01,218 -0700 INFO [hostId=nite-ftsearch-1] [module=STREAM] [logger=stream.scala.delegates.SearchDelegate] [thread=flush-2C3BF127361E38A3] [auth=User:[email protected]:000000000000106D:0000000000001055:false] [call=InboundStreamProtocol.executeQuery] Calling search module with sessionId=1ED0366263EAEB94, customerId=4181, query=(error OR fail*) AND exception, timeRange=1335394020000 - 1335394920000",
"_sourcehost" : "nite-ftsearch-1",
"_receipttime" : 1335394922041,
"_sourcename" : "/usr/sumo/stream-17.0-927/logs/stream.log",
"_messagetime" : 1335394921218
}
]