Execute a query
You can execute queries on your log data by using Bronto’s syntax based on a subset of SQL as described in the documentation https://docs.brontobytes.io/core-features/log-search/query-syntax/.
Bronto supports both the GET and POST methods for executing a query, however the POST method is preferred as it avoids problems related to maximum URL length when the query parameters are very long.
In the context of the REST API, there are three distinct types queries which determine which parts of the response object are populated:
- Event search queries return a list of events matching the specified filter.
The response will be paginated if more than
limit(default 50) matching events are returned. - Aggregate queries apply aggregate functions such as count(), sum(), max(), avg() to your log data, and return a number or a timeseries of numbers.
- Group by aggregate queries return numerical results grouped according to the values for the attributes specified in the group by clause.
The query type is determined by the combination of the select and groups parameters.
Authorizations
Query Parameters
The ids of the logs to search.
One of either the from or the from_tags parameters must be specified.
The tags to search. Each tag should be in the form <key>:<value>, e.g., environment:production.
One of either the from or the from_tags parameters must be specified.
If both are specified then from_tags takes precedence, and the from value is ignored.
If the key or the value contain a : or = character, then these can be escaped by wrapping the entire key or value in double-quotes ".
The relative time range for which to query data. Time range supported is from milliseconds to years. For an exact range, use from_ts and to_ts instead.
The starting time (unix time in milliseconds) for which to query data. Must be used together with to_ts. This parameter is incompatible with time_range.
The ending time (unix time in milliseconds) for which to query data. Must be used together with from_ts. This parameter is incompatible with time_range.
The where parameter is used to filter the results of your query. See https://docs.bronto.io/core-features/log-search/query-syntax for more details The filter can combine multiple terms using AND, OR, NOT.
The select parameter selects values of one or more specified keys and can be considered to be equivalent to returning columns from a table. It can select keys either by name, e.g. query params with select=ip_address or with an aggregate function (count, max, min, avg, sum) on the values of the specified key, e.g. query params with select=count(ip_address). Multiple selects can be used and they would separated by & in the query param, e.g. &select=count(ip_address)&select=count(hostname). The following internal columns are always available: @time, @origin & @raw
The groups parameter specifies a key to use to arrange the results returned by an aggregate function, (such as count, max, min, avg, sum) into groups of values. The aggregate function returns a single value for each group. Multiple groups can be specified in the request if separated by &, e.g. query params with &groups=customer_id or &groups=customer_id&groups=hostname.
The maximum number of events that an event search should return. In a query with a group by, it limits the number of groups returned. It does not affect a query using aggregate functions.
1 <= x <= 6666The number of buckets to break the time series results into.
Specifies the starting sequence number for the time range when used together with the from_ts parameter.
Each log event has a sequence number which is unique within a millisecond,
and can be used to query data with sub-millisecond time range precision.
The sequence numbers are ordered such that earlier log events have lower sequence numbers.
Flag to indicate the order in which results should be returned.
If set to true then only the explain element of the response will be populated. The explain element will contain the Approximate bytes in time range attribute which provides an estimate for the amount of data present in the time range for the selected datasets. This parameter is set to false by default.
If set to true the server will respond in an asynchronous way: it will return immediately with a polling link (in the links element of the response body), which the client should check periodically to monitor the progress of the query and to receive partial results. This is useful for long running queries, and allows an API client to handle multiple requests concurrently without blocking. The behaviour of the async API is described here.
If set to false the server will wait until the query has completed before returning a single 200 response with the completed results in the response body.
Response
Search results
The response is of type object.