GET Query
This request uses the GET method to query your log entries using a LEQL query.
Depending on your account type, please use the following API key and URL:
Account Type | URL | Key Type |
---|---|---|
InsightOps User | https://REGION.api.insight.rapid7.com/log_search/query/logs/<log_id> | Read-only |
Replace REGION with your respective region. The following regions are available:
- US: United States
- EU: Europe
- CA: Canada
- AU: Australia
- AP: Japan
URL Parameters
Parameter | About | Required | Example |
---|---|---|---|
log_id | Logentries log key | True | /logs/f9c6e2c1-ac7a-4a29-8faa-a8d70f96df71/ |
query | a valid LEQL query to run against the log; URL-encoded string | True | query=where(foo=bar) |
from | lower bound of the time range you want to query against; UNIX timestamp in milliseconds | True | from=1450557004000 |
to | upper bound of the time range you want to query against; UNIX timestamp in milliseconds | True | to=1460557604000 |
per_page | number of log entries to return per page; default 50, maximum 500 | False | per_page=50 |
sequence_number | sequence number of the log entry to start searching from (used when paging through results) | False | sequence_number=10 |
Success Responses
Code: 202 for a query that successfully started.
- Note: for long-running queries your first status code will be 202. Poll the link returned in the response until it answers with 200.
- Content:
```json
{
  "logs": [
    "f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"
  ],
  "id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-1",
  "progress": 0,
  "query": {
    "statement": "where(foo) calculate(count:x)",
    "during": {
      "to": 100000,
      "from": 100
    }
  },
  "links": [{
    "rel": "self",
    "href": "https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-1"
  }]
}
```
Code: 200 for a query that has completed.
- Note: when consuming a callback the status code will be 200 unless an error occurs.
- Content:
```json
{
  "logs": ["f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"],
  "statistics": {...},
  "leql": {
    "statement": "where(something) calculate(count)",
    "during": {
      "from": 1,
      "to": 10000
    }
  }
}
```
Long-running queries:
Depending on the size of the underlying dataset or the complexity of the query, a request may not yield a result straight away. In this case a well-formed query will return an HTTP 202 response and an ID you can use to check its state.
After consuming the callback, all subsequent status codes will be 200 unless an error is encountered.
An example response would look like this:
```json
{
  "logs": [
    "f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"
  ],
  "id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-1",
  "progress": 0,
  "query": {
    "statement": "where(foo) calculate(count:x)",
    "during": {
      "to": 100000,
      "from": 100
    }
  },
  "links": [{
    "rel": "self",
    "href": "https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-1"
  }]
}
```
You can poll this query for a value by issuing a GET request to the link returned in the response, passing the API key in the x-api-key header, e.g.
```bash
curl https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-1 -H 'x-api-key: 00112233-4455-6677-8899-aabbccddeeff'
```
The /query/ endpoint will give one of the following responses with a status code 200:
```json
{
  "id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-0",
  "links": [{
    "rel": "self",
    "href": "https://us.api.insight.rapid7.com/log_search/query/logs/deace1fd-e605-41cd-a45c-5bf1ff0c3402-0"
  }]
}
```
There is no limit on how frequently you can poll a query, or how many times you may poll it. However, if you do not poll a query resource for 20 seconds, it will expire. Subsequent calls to that resource will return a 404.
Error Responses:
- Code: 400 for bad user input
- Code: 404 for a resource that was badly formed or could not be found
- Code: 500 for any internal error, for example if the query could not be executed
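The 202 / poll / 200 handshake above, the 20-second expiry and the three error codes are the whole contract a client has to handle. The following Python is an added example, not this page's sample call and not Rapid7 code: it drives the protocol against a pluggable `get` callable, so the exchange can be replayed offline from constructed responses shaped like the bodies shown on this page. The `statistics` contents, the `X-Beyond-Retention` header value and the scripted sequence of responses are constructed for the example. It follows the semantics of the sample call below: 202 means keep polling the self link, 200 is the finished result, anything else is raised with its status code.

```python
import time

# A query resource that goes unpolled for this long expires and then answers 404
EXPIRY_SECONDS = 20
# Set to "true" when the queried range lies beyond the account's or log's retention
BEYOND_RETENTION_HEADER = "x-beyond-retention"


class QueryError(Exception):
    """A 4xx/5xx (or unusable 202) response; the HTTP status is kept on .status."""

    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


def run_query(get, url, poll_interval=5.0, max_polls=60, sleep=time.sleep):
    """Drive one query to completion following the 202 -> poll -> 200 protocol.

    `get(url)` is any callable returning (status_code, headers, body_dict); a live
    client would wrap requests.get with the x-api-key header. Returns a dict with
    the 200 body, whether the beyond-retention header was set, and the poll count.
    """
    if poll_interval >= EXPIRY_SECONDS:
        raise ValueError(f"poll_interval must stay below the {EXPIRY_SECONDS}s expiry")
    polls = 0
    while True:
        status, headers, body = get(url)
        if status == 200:
            # Query complete: the body holds the events / statistics
            lowered = {k.lower(): str(v).lower() for k, v in headers.items()}
            beyond = lowered.get(BEYOND_RETENTION_HEADER) == "true"
            return {"body": body, "beyond_retention": beyond, "polls": polls}
        if status == 202:
            # Still running: poll the "self" link from the body, not the original URL
            links = {link["rel"]: link["href"] for link in body.get("links", [])}
            if "self" not in links:
                raise QueryError(202, "202 without a self link; nothing to poll")
            polls += 1
            if polls > max_polls:
                raise QueryError(202, f"query not finished after {max_polls} polls")
            sleep(poll_interval)
            url = links["self"]
            continue
        if status == 404:
            raise QueryError(404, "badly formed or not found, or the query resource "
                                  f"expired after {EXPIRY_SECONDS}s without a poll")
        if status == 400:
            raise QueryError(400, "bad user input (check the LEQL statement and that "
                                  "from/to are millisecond timestamps)")
        raise QueryError(status, "internal error" if status >= 500 else "unexpected status")


# --- constructed sample exchange, shaped like this page's example bodies (not a live capture) ---
START_URL = ("https://us.api.insight.rapid7.com/log_search/query/logs/"
             "f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70/?query=where%28something%29%20calculate%28count%29"
             "&from=1&to=10000")
SELF_LINK = ("https://us.api.insight.rapid7.com/log_search/query/logs/"
             "deace1fd-e605-41cd-a45c-5bf1ff0c3402-1")
STARTED = {
    "logs": ["f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"],
    "id": "deace1fd-e605-41cd-a45c-5bf1ff0c3402-1",
    "progress": 0,
    "links": [{"rel": "self", "href": SELF_LINK}],
}
FINISHED = {
    "logs": ["f9c6e2c1-ac7a-4a29-8faa-a8d70f96df70"],
    "statistics": {"count": 42},  # constructed; the page elides this object
    "leql": {"statement": "where(something) calculate(count)", "during": {"from": 1, "to": 10000}},
}


def scripted_get(responses):
    """Fake transport: replays a list of (status, headers, body) and records requested URLs."""
    calls = []

    def get(url):
        calls.append(url)
        return responses[min(len(calls) - 1, len(responses) - 1)]

    get.calls = calls
    return get


def demo_complete():
    """Two 202s, then a 200 flagged as beyond retention."""
    get = scripted_get([(202, {}, STARTED),
                        (202, {}, dict(STARTED, progress=50)),
                        (200, {"X-Beyond-Retention": "true"}, FINISHED)])
    result = run_query(get, START_URL, poll_interval=1, sleep=lambda _: None)
    return result, get.calls


def demo_expired():
    """The resource was left unpolled past 20 s: the self link now answers 404."""
    get = scripted_get([(202, {}, STARTED), (404, {}, {})])
    try:
        run_query(get, START_URL, poll_interval=1, sleep=lambda _: None)
    except QueryError as e:
        return e.status
    return None


if __name__ == "__main__":
    result, calls = demo_complete()
    print(f"finished after {result['polls']} polls, beyond_retention={result['beyond_retention']}")
    print("requested:", *calls, sep="\n  ")
    print("expired query ->", demo_expired())
```

Two points worth carrying into a real client: follow the `self` href rather than re-sending the original query URL, and treat a 404 during polling as a possible expiry (more than 20 seconds between polls) before assuming the log key is wrong.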
Sample Call:
Python
```python
import json
import os
import time

import requests

# Read the key from the environment rather than hard-coding it in source
API_KEY = os.environ.get('INSIGHT_API_KEY', 'YOUR API KEY GOES HERE')

LOG_ID = 'f9c6e2c1-ac7a-4a29-8faa-a8d70f96df71'
BASE_URL = 'https://us.api.insight.rapid7.com/log_search/query/logs/' + LOG_ID + '/'


def continue_request(req):
    # A 202 body carries a "links" array whose first entry is the query resource to poll
    if 'links' in req.json():
        continue_url = req.json()['links'][0]['href']
        new_response = make_request(continue_url)
        handle_response(new_response)


def handle_response(resp):
    if resp.status_code == 200:
        # Query complete: the body holds the events / statistics
        print(json.dumps(resp.json(), indent=4))
        return
    if resp.status_code == 202:
        # Query still running: pause, then poll the self link. Stay well under the
        # 20 seconds after which an unpolled query resource expires and returns 404.
        time.sleep(5)
        continue_request(resp)
        return
    # 400 bad input, 404 not found / expired, 500 internal error
    print('Error status code ' + str(resp.status_code))


def make_request(provided_url=None):
    headers = {'x-api-key': API_KEY}
    if provided_url:
        # Poll the query resource exactly as returned in "links"
        return requests.get(provided_url, headers=headers, timeout=30)
    # requests URL-encodes the LEQL statement; from/to are UNIX timestamps in milliseconds
    params = {'query': 'where(foo=bar)', 'from': 1450557604000, 'to': 1460557604000}
    return requests.get(BASE_URL, headers=headers, params=params, timeout=30)


def print_query():
    req = make_request()
    handle_response(req)


if __name__ == '__main__':
    print_query()
```
Java
```java
import org.json.JSONArray;
import org.json.JSONObject;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class leRest {

    public static void main(String[] args) {
        try {
            sendGet();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static void sendGet() throws Exception {
        // user details here; replace with your own log key and a read-only API key
        String logKey = "36bb726a-8020-46c7-bac9-7720571ad6a9";
        String query = "where(redis)calculate(average:json.stats.networks.eth0.rx_packets)";
        String from = "1474878248000";   // UNIX timestamps in milliseconds
        String to = "1474964648000";
        String apiKey = "YOUR API KEY GOES HERE";

        // URL for request: the LEQL statement must be URL-encoded (parentheses, colons, spaces)
        String url = "https://us.api.insight.rapid7.com/log_search/query/logs/" + logKey
                + "/?query=" + URLEncoder.encode(query, StandardCharsets.UTF_8.name())
                + "&from=" + from + "&to=" + to;

        Response resp = get(url, apiKey);

        // 202: query still running, poll the link from the body; 200: finished result
        while (resp.code == 202) {
            String href = getHref(resp.body);
            // delay before polling; stay well under the 20 second expiry of the query resource
            Thread.sleep(2000);
            resp = get(href, apiKey);
        }

        // print result (the 200 body, or the error body for 4xx/5xx)
        System.out.println("\nHTTP " + resp.code + "\n" + resp.body);
    }

    // Extracts the first link's href from a 202 body
    public static String getHref(String response) {
        JSONObject jObj = new JSONObject(response);
        JSONArray jLink = jObj.getJSONArray("links");
        JSONObject aLink = jLink.getJSONObject(0);
        return aLink.getString("href");
    }

    // Issues a GET with the API key header and returns status code plus body
    public static Response get(String url, String apiKey) throws Exception {
        HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
        // plain GET: setDoOutput(true) is only for request bodies and would switch the method to POST
        con.setRequestMethod("GET");
        con.setRequestProperty("User-Agent", "Mozilla/5.0");
        con.setRequestProperty("x-api-key", apiKey);
        con.setRequestProperty("Accept", "application/json");
        con.setUseCaches(false);

        int code = con.getResponseCode();
        // HttpURLConnection exposes 4xx/5xx bodies only through getErrorStream()
        InputStream stream = code < 400 ? con.getInputStream() : con.getErrorStream();
        if (stream == null) {
            return new Response(code, "");
        }
        BufferedReader in = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8));
        StringBuilder body = new StringBuilder();
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            body.append(inputLine);
        }
        in.close();
        return new Response(code, body.toString());
    }

    public static class Response {
        final int code;
        final String body;

        Response(int code, String body) {
            this.code = code;
            this.body = body;
        }
    }
}
```
Notes:
- The maximum supported length of the URL is 8192 characters.
- Pagination is only supported for 'where' queries.
- The maximum page size is currently limited to 500 log entries.
- from and to values must be in milliseconds, otherwise your query will fail with a 404. A good way to check your from and to values is to verify the dates with an epoch converter site.
- kvp_info will be returned in the response only if the kvp_info=true parameter is supplied as part of the query URL.
- A header with key 'x-beyond-retention' and value 'true' will be returned in the response if the running query is beyond the retention of the account or the log and there is no imported log data for that log. This header will not be present in the response if the query is not beyond retention.
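The limits in these notes and in the parameter table are easy to violate silently: a seconds timestamp produces a 404 that looks like a missing log, and an unencoded LEQL statement or an oversized URL fails before the query runs. The following helper, added here as an example and not part of the InsightOps API or any Rapid7 client, builds and validates the query URL before it is sent. The seconds-versus-milliseconds threshold and the check that per_page is only combined with a where() statement (detected by the absence of `calculate(`) are heuristics assumed for this example, not rules stated by the API.

```python
from urllib.parse import urlencode

# Regions listed on this page; the region is the first label of the API host name
REGIONS = ("us", "eu", "ca", "au", "ap")
MAX_URL_LENGTH = 8192   # maximum supported URL length
MAX_PER_PAGE = 500      # maximum page size
# Heuristic (assumption, not an API rule): a current epoch in milliseconds has 13 digits,
# in seconds 10 digits, so anything below 10^11 was almost certainly given in seconds.
MIN_MILLIS = 10 ** 11


class QueryBuildError(ValueError):
    """Raised before any request is sent, so the caller never sees a misleading 404/400."""


def build_query_url(region, log_id, query, from_ms, to_ms, per_page=None, sequence_number=None):
    """Return the full GET URL for a LEQL query, or raise QueryBuildError."""
    if region not in REGIONS:
        raise QueryBuildError(f"unknown region {region!r}; expected one of {REGIONS}")
    for name, value in (("from", from_ms), ("to", to_ms)):
        if not isinstance(value, int) or value < 0:
            raise QueryBuildError(f"{name} must be a non-negative integer, got {value!r}")
        if value < MIN_MILLIS:
            raise QueryBuildError(f"{name}={value} looks like seconds; the API expects milliseconds")
    if from_ms > to_ms:
        raise QueryBuildError("from must not be later than to")

    params = {"query": query, "from": from_ms, "to": to_ms}
    if per_page is not None:
        if not 1 <= per_page <= MAX_PER_PAGE:
            raise QueryBuildError(f"per_page must be between 1 and {MAX_PER_PAGE}")
        # Pagination is only supported for 'where' queries.
        # Assumption: the presence of "calculate(" marks a statement that is not a plain where().
        if "calculate(" in query:
            raise QueryBuildError("per_page is only supported for plain where() queries")
        params["per_page"] = per_page
    if sequence_number is not None:
        params["sequence_number"] = sequence_number

    # urlencode percent-encodes the LEQL statement: where(foo=bar) -> where%28foo%3Dbar%29
    url = f"https://{region}.api.insight.rapid7.com/log_search/query/logs/{log_id}/?{urlencode(params)}"
    if len(url) > MAX_URL_LENGTH:
        raise QueryBuildError(f"URL is {len(url)} characters; the maximum is {MAX_URL_LENGTH}")
    return url


def check(region, log_id, query, from_ms, to_ms, **kw):
    """Return the URL, or a 'rejected: ...' message when the request would fail."""
    try:
        return build_query_url(region, log_id, query, from_ms, to_ms, **kw)
    except QueryBuildError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    log = "f9c6e2c1-ac7a-4a29-8faa-a8d70f96df71"   # log key from the parameter table above
    print(check("us", log, "where(foo=bar)", 1450557604000, 1460557604000, per_page=50))
    print(check("us", log, "where(foo=bar)", 1450557604, 1460557604))         # seconds, not ms
    print(check("jp", log, "where(foo=bar)", 1450557604000, 1460557604000))   # no such region
    print(check("eu", log, "where(foo) calculate(count:x)", 1450557604000, 1460557604000, per_page=50))
```

Validating on the client side costs nothing and turns each of the documented failure modes into a message that names the offending parameter instead of a bare 400 or 404.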