GET Query

This request uses the GET Method to query your Log entries using a LEQL query.

Depending on your account type, please use the following API key and URL:

Account Type

URL

Key Type

InsightOps User

https://REGION.rest.logs.insight.rapid7.com/query/logs/:log_id/

Read-only

Replace REGION with your respective region. The following regions are available:

  • US: United States:
  • EU: Europe
  • CA: Canada
  • AU: Australia
  • AP: Japan

URL Parameters

ParameterAboutRequiredExample
log_idLogentries log keyTrue/logs/f9c6e2c1-ac7a-4a29-8faa-a8d70f96df71/
querya valid LEQL query to run against the log; url-encoded stringTruequery=where(foo=bar)
fromlower bound of the time range you want to query against; UNIX timestamp in millisecondsTruefrom=1450557004000
toupper bound of the time range you want to query against; UNIX timestamp in millisecondsTrueto=1460557604000
per_pagenumber of log entries to return per page. Default of 50Falseper_page=50
sequence_numberthe earlier sequence number of a log entry to start searching fromFalsesequence_number=10

Success Responses

Code: 202 for a query that successfully started.

  • Note for long running queries your first status code will always be 200 * Content:
json
1
{
2
"logs": [
3
"f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"
4
],
5
"id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-1",
6
"progress":0,
7
"query": {
8
"statement": "where(foo) calculate(count:x)",
9
"during": {
10
"to": 100000,
11
"from": 100
12
}
13
},
14
"links": [{
15
"rel": "self",
16
"href": "https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-1"
17
}]
18
}

Code: 200

  • Note when consuming a callback the status code will return 200 unless an error occurs * Content:
json
1
{
2
"logs": ["f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"],
3
"statistics": {...},
4
"leql": {
5
"statement": "where(something) calculate(count)",
6
"during": {
7
"from": 1,
8
"to": 10000
9
}
10
}
11
}

Long-running queries:

Depending on the size of the underlying dataset of the complexity of the query, a request may not yield a value straight away. In this case a well-formed query will return an HTTP 202 response and an ID you can use to check its state.

After consuming the callback all subsequent status codes will be 200 unless an error is encountered.

An example response would look like this:

1
{
2
"logs": [
3
"f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"
4
],
5
"id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-1",
6
"progress":0,
7
"query": {
8
"statement": "where(foo) calculate(count:x)",
9
"during": {
10
"to": 100000,
11
"from": 100
12
}
13
},
14
"links": [{
15
"rel": "self",
16
"href": "https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-1"
17
}]
18
}

You can poll this query for a value by issuing a GET request with the link returned in the response, e.g. curl https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-1 -H 'x-api-key: "00112233-4455-6677-8899-aabbccddeeff".

The endpoint /query/ will give one the following responses with a Status Code 200:

1
{
2
"id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-0",
3
"links": [{
4
"rel": "self",
5
"href": "https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-0"
6
}]
7
}

There is no limit on how frequently you can poll a query, or how many times you may poll it. However, if you do not poll a query resource for 20 seconds, it will expire. Subsequent calls to that resource will return a 404.

Error Response:

  • Code: 400 for bad user input

  • Code: 404 for a resource that was badly formed or could not be found

  • Code: 500 for any internal error, for example if the query could not be executed

Sample Call:

Python
1
import requests
2
import json
3
import time
4
5
API-KEY = 'YOUR API KEY GOES HERE'
6
7
def continue_request(req):
8
if 'links' in req.json():
9
continue_url = req.json()['links'][0]['href']
10
new_response = make_request(continue_url)
11
handle_response(new_response)
12
13
14
def handle_response(resp):
15
response = resp
16
time.sleep(5)
17
if response.status_code == 200:
18
print json.dumps(resp.json(), indent=4)
19
return
20
if response.status_code == 202:
21
continue_request(resp)
22
return
23
if response.status_code > 202:
24
print 'Error status code ' + str(response.status_code)
25
return
26
27
28
def make_request(provided_url=None):
29
headers = {'x-api-key': API-KEY}
30
31
url = "https://us.api.insight.rapid7.com/log_search/query/logs/f9c6e2c1-ac7a-4a29-8faa-a8d70f96df71/?query=where(foo=bar)&from=1450557604000&to=1460557604000"
32
if provided_url:
33
url = provided_url
34
req = requests.get(url, headers=headers)
35
return req
36
37
38
def print_query():
39
req = make_request()
40
handle_response(req)
41
42
def start():
43
print_query()
44
45
46
if __name__ == '__main__':
47
start()
Java
1
import org.json.JSONArray;
2
import org.json.JSONObject;
3
4
import java.io.BufferedReader;
5
import java.io.InputStreamReader;
6
import java.net.HttpURLConnection;
7
import java.net.URL;
8
9
public class leRest {
10
11
12
13
public static void main(String[] args) {
14
15
try {
16
sendGet();
17
} catch (Exception e) {
18
e.printStackTrace();
19
}
20
}
21
22
private static void sendGet() throws Exception {
23
String USER_AGENT = "Mozilla/5.0";
24
25
// user details here
26
String logKey = "36bb726a-8020-46c7-bac9-7720571ad6a9";
27
String query = "where(redis)calculate(average:json.stats.networks.eth0.rx_packets)";
28
String from = "1474878248000";
29
String to = "1474964648000";
30
String apiKey = "3afd878f-979c-41e4-a99f-98b63d64079f";
31
//URL for request
32
String url = "https://rest.logentries.com/query/logs/"+logKey+"/?query="+query+"&from="+from+"&to="+to;
33
34
URL obj = new URL(url);
35
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
36
37
// optional default is GET
38
con.setRequestMethod("GET");
39
40
//add request header
41
con.setRequestProperty("User-Agent", USER_AGENT);
42
con.setRequestProperty("x-api-key", apiKey);
43
con.setRequestProperty("Content-Type", "application/json");
44
con.setUseCaches(false);
45
con.setDoInput(true);
46
con.setDoOutput(true);
47
48
BufferedReader in = new BufferedReader(
49
new InputStreamReader(con.getInputStream()));
50
String inputLine;
51
StringBuffer response = new StringBuffer();
52
53
while ((inputLine = in.readLine()) != null) {
54
response.append(inputLine);
55
}
56
in.close();
57
58
String href = getHref(response.toString());
59
60
getLogs(href,apiKey);
61
62
}
63
64
public static String getHref(String response){
65
66
JSONObject jObj = new JSONObject(response);
67
JSONArray jLink = jObj.getJSONArray("links");
68
JSONObject aLink = jLink.getJSONObject(0);
69
String href = aLink.getString("href");
70
71
return href;
72
73
}
74
75
public static void getLogs(String href,String apiKey) throws Exception{
76
77
String USER_AGENT = "Mozilla/5.0";
78
//delay to handle complete original request
79
Thread.sleep(2000);
80
URL obj = new URL(href);
81
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
82
83
// optional default is GET
84
con.setRequestMethod("GET");
85
86
//add request header
87
con.setRequestProperty("User-Agent", USER_AGENT);
88
con.setRequestProperty("x-api-key", apiKey);
89
con.setRequestProperty("Content-Type", "application/json");
90
con.setUseCaches(false);
91
con.setDoInput(true);
92
con.setDoOutput(true);
93
94
BufferedReader input = new BufferedReader(
95
new InputStreamReader(con.getInputStream()));
96
String lineIn;
97
StringBuffer res = new StringBuffer();
98
99
while ((lineIn = input.readLine()) != null) {
100
res.append(lineIn);
101
}
102
input.close();
103
104
//print result
105
System.out.println("\n"+res.toString());
106
}
107
108
}
109

Notes:

  • The maximum supported length of the URL is 8192 characters
  • Pagination is only supported with 'where' queries only
  • The maximum page size is currently limited to 500 log entries
  • There is no limit on how frequently you can poll a query, or how many times you may poll it. However, if you do not poll a query resource for 20 seconds, it will expire. Subsequent calls to that resource will return a 404.
  • From and To values must be in miliseconds otherwise your query will fail with a 404. A good way to proof your from and to values is to use epoch converter site to verify the date.characters GET per_page above maximum Depending parameter completed ref:"Next" responses:
  • kvp_info above will be returned only if kvp_info=true parameter is supplied as part of the query URL.
  • A header with key 'x-beyond-retention' and a value 'true' will be returned in the response if the running query is beyond retention of the account or the log and there is no imported log data for that log. This header will not be present in the response if the query is not beyond retention.