You can execute queries on your log data using Bronto's query syntax, which is based on a subset of SQL and is described in the documentation at https://docs.brontobytes.io/core-features/log-search/query-syntax/.
Bronto supports both the GET and POST methods for executing a query; however, POST is preferred because it avoids problems with the maximum URL length when the query parameters are long.
In the context of the REST API, there are three distinct types of queries, which determine which parts of the response object are populated:
limit (default 50) matching events are returned. The query type is determined by the combination of the select and groups parameters.
The ids of the logs to search. One of either the from or the from_tags parameters must be specified.
The tags to search. Each tag should be in the form <key>:<value>, e.g., environment:production. One of either the from or the from_tags parameters must be specified. If both are specified then from_tags takes precedence, and the from value is ignored. If the key or the value contains a : or = character, it can be escaped by wrapping the entire key or value in double-quotes ".
The relative time range for which to query data. Supported ranges run from milliseconds to years. For an exact range, use from_ts and to_ts instead.
The starting time (unix time in milliseconds) for which to query data. Must be used together with to_ts. This parameter is incompatible with time_range.
The ending time (unix time in milliseconds) for which to query data. Must be used together with from_ts. This parameter is incompatible with time_range.
The where parameter filters the results of your query. See https://docs.bronto.io/core-features/log-search/query-syntax for more details. The filter can combine multiple terms using AND, OR and NOT.
The select parameter selects the values of one or more specified keys and can be considered equivalent to returning columns from a table. It can select a key by name, e.g. select=ip_address, or apply an aggregate function (count, max, min, avg, sum) to the values of the specified key, e.g. select=count(ip_address). Multiple selects can be used, separated by & in the query parameters, e.g. &select=count(ip_address)&select=count(hostname). The following internal columns are always available: @time, @origin and @raw.
The groups parameter specifies a key used to arrange the results returned by an aggregate function (such as count, max, min, avg, sum) into groups of values. The aggregate function returns a single value for each group. Multiple groups can be specified in the request, separated by &, e.g. &groups=customer_id or &groups=customer_id&groups=hostname.
The maximum number of events that an event search should return. In a query with a group by, it limits the number of groups returned. It does not affect a query using aggregate functions. Allowed range: 1 <= x <= 6666.
The number of buckets to break the time series results into.
Specifies the starting sequence number for the time range when used together with the from_ts parameter. Each log event has a sequence number which is unique within a millisecond, and can be used to query data with sub-millisecond time range precision. The sequence numbers are ordered such that earlier log events have lower sequence numbers.
Flag to indicate the order in which results should be returned.
If set to true then only the explain element of the response will be populated. The explain element will contain the Approximate bytes in time range attribute, which provides an estimate of the amount of data present in the time range for the selected datasets. This parameter is set to false by default.
If set to true the server will respond in an asynchronous way: it will return immediately with a polling link (in the links element of the response body), which the client should check periodically to monitor the progress of the query and to receive partial results. This is useful for long running queries, and allows an API client to handle multiple requests concurrently without blocking. The behaviour of the async API is described here.
If set to false the server will wait until the query has completed before returning a single 200 response with the completed results in the response body.
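As an added example (not part of Bronto's documentation or any Bronto client library), the following Python builds and validates the query parameters described above: quoting of from_tags keys and values, from_tags precedence over from, the from_ts/to_ts pairing and its incompatibility with time_range, the limit bound, and repeated select and groups entries. The parameter names are taken from this page; the function names are mine, and because the page does not give the endpoint URL, the example stops at producing the encoded parameter list.

```python
from urllib.parse import urlencode

def format_tag(key, value):
    # <key>:<value>; a key or value containing ':' or '=' is double-quoted whole
    quote = lambda s: f'"{s}"' if (":" in s or "=" in s) else s
    return f"{quote(key)}:{quote(value)}"

def build_query_params(*, from_ids=(), from_tags=(), time_range=None,
                       from_ts=None, to_ts=None, where=None,
                       select=(), groups=(), limit=None):
    """Validate the constraints stated in the reference and return (name, value)
    pairs for a GET query string or POST body. from_ids -> 'from' (a keyword)."""
    if not from_ids and not from_tags:
        raise ValueError("one of 'from' or 'from_tags' must be specified")
    if (from_ts is None) != (to_ts is None):
        raise ValueError("'from_ts' and 'to_ts' must be used together")
    if from_ts is not None and time_range is not None:
        raise ValueError("'from_ts'/'to_ts' are incompatible with 'time_range'")
    if limit is not None and not 1 <= limit <= 6666:  # bound from the reference
        raise ValueError("'limit' must satisfy 1 <= limit <= 6666")
    params = []
    if from_tags:  # from_tags takes precedence; 'from' is ignored when both given
        params += [("from_tags", format_tag(k, v)) for k, v in from_tags]
    else:
        params += [("from", i) for i in from_ids]
    if time_range is not None:
        params.append(("time_range", str(time_range)))
    elif from_ts is not None:  # exact range, unix time in milliseconds
        params += [("from_ts", str(from_ts)), ("to_ts", str(to_ts))]
    if where:
        params.append(("where", where))
    params += [("select", s) for s in select]  # one entry per column/aggregate
    params += [("groups", g) for g in groups]  # one entry per group key
    if limit is not None:
        params.append(("limit", str(limit)))
    return params

def to_query_string(params):
    """Encode the pairs as the '&'-separated query string used with GET."""
    return urlencode(params)

def rejects(**kwargs):  # True when build_query_params refuses the combination
    try:
        build_query_params(**kwargs)
    except ValueError:
        return True
    return False
```

For a POST request the same (name, value) pairs can be sent as the form body instead of being appended to the URL, which is what the page recommends for long queries.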
Search results
The response is of type object.