GET
/
search
Execute a query
curl --request GET \
  --url https://api.eu.bronto.io/search \
  --header 'X-BRONTO-API-KEY: <api-key>'
{
  "explain": {
    "Execution time (millis)": "353"
  },
  "result": [
    {
      "@time": "2024-03-27 10:25:40.632 UTC",
      "@sequence": "111721913",
      "@raw": "10.0.0.1 - - [27/Mar/2024:10:54:39 +0000] \"GET / HTTP/1.1\" 200 721 \"-\" \"ELB-HealthChecker/2.0\"",
      "@context": "https://api.bronto.io/context?sequence=111721913&limit=1&from=23746675-7022-4985-bd74-4af9eba58d72&timestamp=1711535140632&direction=both",
      "metadata": {
        "logId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "timestamp": 1711535140632,
        "sequence": 111721913,
        "origin": "10.0.0.1",
        "context": "https://api.bronto.io/context?sequence=111721913&limit=1&from=23746675-7022-4985-bd74-4af9eba58d72&timestamp=1711535140632&direction=both",
        "selectedKeys": {
          "@time": "2024-03-27 10:25:40.632 UTC"
        },
        "unselectedKeys": {
          "id": "message_0",
          "current_time": 1711535140
        }
      },
      "links": [
        {
          "rel": "context",
          "href": "https://api.bronto.io/context?sequence=111721913&limit=1&from=23746675-7022-4985-bd74-4af9eba58d72&timestamp=1711535140632&direction=both"
        }
      ]
    }
  ],
  "events": [
    {
      "@raw": "10.0.108.203 - - [27/May/2024:23:47:27 +0000] \"GET / HTTP/1.1\" 200 675 \"-\" \"ELB-HealthChecker/2.0\"",
      "@time": "2024-05-27 23:26:34.331 UTC",
      "@status": "info",
      "message_kvs": {
        "method": "GET",
        "statusCode": "200",
        "path": "/"
      },
      "attributes": {
        "$private_ip": "10.0.22.230",
        "$environment": "production"
      },
      "metadata": {
        "service_id": "23746675-7022-4985-bd74-4af9eba58d72",
        "timestamp": 1716853347801,
        "sequence": 111721913,
        "context": "\"https://api.eu.bronto.io/context?sequence=213&from=37bdf479-7c95-4e81-982a-25d0680fb602&timestamp=1716853354331&direction=both\"\n"
      },
      "links": [
        {
          "rel": "context",
          "href": "https://api.bronto.io/context?sequence=111721913&limit=1&from=23746675-7022-4985-bd74-4af9eba58d72&timestamp=1711535140632&direction=both"
        }
      ]
    }
  ],
  "groups": [
    {
      "group": "[US]",
      "count": 124,
      "stat": "average(bytes)",
      "value": 50325.25,
      "timeseries": [
        {
          "@timestamp": "1711535140632",
          "count": 40,
          "value": 35.625,
          "quantiles": {
            "min": 691,
            "p25": 713.75,
            "p50": 796,
            "p75": 847.5,
            "p90": 1237,
            "p95": 1331,
            "p99": 1331,
            "p999": 1331,
            "max": 1331
          }
        }
      ]
    }
  ],
  "groups_series": [
    {
      "name": "host123",
      "count": 124,
      "stat": "average(duration_millis)",
      "value": 50325.25,
      "quantiles": {
        "min": 691,
        "p25": 713.75,
        "p50": 796,
        "p75": 847.5,
        "p90": 1237,
        "p95": 1331,
        "p99": 1331,
        "p999": 1331,
        "max": 1331
      },
      "series_resolution_ms": 60000,
      "timeseries": [
        {
          "@timestamp": "1711535140632",
          "count": 40,
          "value": 35.625,
          "quantiles": {
            "min": 691,
            "p25": 713.75,
            "p50": 796,
            "p75": 847.5,
            "p90": 1237,
            "p95": 1331,
            "p99": 1331,
            "p999": 1331,
            "max": 1331
          }
        }
      ],
      "groups_series": [
        {
          "name": "host123",
          "count": 124,
          "stat": "average(duration_millis)",
          "value": 50325.25,
          "series_resolution_ms": 60000,
          "timeseries": [
            {
              "@timestamp": "1711535140632",
              "count": 40,
              "value": 35.625,
              "quantiles": {
                "min": 691,
                "p25": 713.75,
                "p50": 796,
                "p75": 847.5,
                "p90": 1237,
                "p95": 1331,
                "p99": 1331,
                "p999": 1331,
                "max": 1331
              }
            }
          ]
        }
      ]
    }
  ],
  "metadata": {
    "select": [
      "host",
      "status",
      "method"
    ],
    "correlation_id": "00000000-0000-0000-0000-000000000000"
  },
  "totals": {},
  "pagination": {
    "next_page_url": "<string>"
  },
  "links": [
    {
      "rel": "next",
      "href": "<string>"
    }
  ]
}

Authorizations

X-BRONTO-API-KEY
string
header
required

Query Parameters

from
string

The ids of the logs to search. One of either the from or the from_tags parameters must be specified.

from_tags
string

The tags to search. Each tag should be in the form <key>:<value>, e.g., environment:production. One of either the from or the from_tags parameters must be specified. If both are specified then from_tags takes precedence, and the from value is ignored. If the key or the value contain a : or = character, then these can be escaped by wrapping the entire key or value in double-quotes ".

time_range
string

The relative time range for which to query data. Time range supported is from milliseconds to years. For an exact range, use from_ts and to_ts instead.

from_ts
integer

The starting time (unix time in milliseconds) for which to query data. Must be used together with to_ts. This parameter is incompatible with time_range.

to_ts
integer

The ending time (unix time in milliseconds) for which to query data. Must be used together with from_ts. This parameter is incompatible with time_range.

where
string

The where parameter is used to filter the results of your query. See https://docs.bronto.io/core-features/log-search/query-syntax for more details The filter can combine multiple terms using AND, OR, NOT.

select
string

The select parameter selects values of one or more specified keys and can be considered to be equivalent to returning columns from a table. It can select keys either by name, e.g. query params with select=ip_address or with an aggregate function (count, max, min, avg, sum) on the values of the specified key, e.g. query params with select=count(ip_address). Multiple selects can be used and they would separated by & in the query param, e.g. &select=count(ip_address)&select=count(hostname). The following internal columns are always available: @time, @origin & @raw

groups
string

The groups parameter specifies a key to use to arrange the results returned by an aggregate function, (such as count, max, min, avg, sum) into groups of values. The aggregate function returns a single value for each group. Multiple groups can be specified in the request if separated by &, e.g. query params with &groups=customer_id or &groups=customer_id&groups=hostname.

limit
integer
default:100

The maximum number of events that an event search should return. In a query with a group by, it limits the number of groups returned. It does not affect a query using aggregate functions.

Required range: 1 <= x <= 6666
num_of_slices
integer
default:10

The number of buckets to break the time series results into.

from_sequence
integer

Specifies the starting sequence number for the time range when used together with the from_ts parameter. Each log event has a sequence number which is unique within a millisecond, and can be used to query data with sub-millisecond time range precision. The sequence numbers are ordered such that earlier log events have lower sequence numbers.

most_recent_first
boolean

Flag to indicate the order in which results should be returned.

explain_only
boolean

If set to true then only the explain element of the response will be populated. The explain element will contain the Approximate bytes in time range attribute which provides an estimate for the amount of data present in the time range for the selected datasets. This parameter is set to false by default.

async_enabled
boolean
default:false

If set to true the server will respond in an asynchronous way: it will return immediately with a polling link (in the links element of the response body), which the client should check periodically to monitor the progress of the query and to receive partial results. This is useful for long running queries, and allows an API client to handle multiple requests concurrently without blocking. The behaviour of the async API is described here. If set to false the server will wait until the query has completed before returning a single 200 response with the completed results in the response body.

Response

200
application/json

Search results

The response is of type object.