Log Insight 3.6: Enhanced Query API

Log Insight introduced a query API in version 3.3. In 3.6, the API has been enhanced to bring more parity to the existing UI capabilities. Read on to learn more!


With Log Insight 3.6, the following options are also available to you:

  • GET calls support a “duration” response which returns the number of milliseconds to compute the result.
  • key=value pairs support “content-pack-fields=<namespace>”; if provided, fields defined in the given content pack are returned in the response payload in addition to the static fields.
  • Aggregation supports “group-by-field=<foo>”. Use subsequent key=value pairs to specify custom bins for numeric fields: use bin-width=12345 to specify fixed-width bins; use bins=10,100,500 to specify a specific set of bin boundaries; if neither is specified, each individual value of the field is assigned to its own bucket.
  • Aggregation supports “order-by-function=<function>”, “order-by-field=<bar>” and “order-by-direction=<ASC|DESC>”, which allow you to specify the sort key(s) and direction. With none of these options, the default behavior is a descending sort by each bin’s time range. If any of these options is specified, that default is completely overridden by the given options, so you must explicitly specify order-by-field=timestamp to restore it. Note that order-by-field is required for all functions except COUNT, where it is prohibited. For example, “order-by-function=COUNT&order-by-function=UCOUNT&order-by-field=hostname&order-by-direction=ASC” sorts by a composite key: first by the number of events (largest first) and then by the number of distinct hostnames (smallest first). Note also that for “small” datasets, where the number of groups is less than the ‘limit’ parameter, these ordering options are not very important because the client can sort the data any way it wants. For “large” datasets with more than “limit” groups, however, these ordering options can dramatically change the returned data, because which groups are returned depends on the sorting key.
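To show how these aggregation parameters combine, here is an added example (my own code, not from the post or from Log Insight itself): a small Python builder that emits the key=value pairs and enforces the ordering rule above. It assumes nothing about the endpoint path or the response payload; the group-by field names and bin values below are constructed sample inputs.

```python
from urllib.parse import urlencode


class QueryError(ValueError):
    """Raised when a sort key violates the rules the post describes."""


def order_key(function, field=None, direction=None):
    """One composite-sort component: order-by-function plus optional field/direction.

    Rule from the post: order-by-field is required for every function except
    COUNT, where it is prohibited. Direction, when given, must be ASC or DESC.
    """
    pairs = [("order-by-function", function)]
    if function == "COUNT":
        if field is not None:
            raise QueryError("order-by-field is prohibited for COUNT")
    elif field is None:
        raise QueryError(f"order-by-field is required for {function}")
    if field is not None:
        pairs.append(("order-by-field", field))
    if direction is not None:
        if direction not in ("ASC", "DESC"):
            raise QueryError("order-by-direction must be ASC or DESC")
        pairs.append(("order-by-direction", direction))
    return pairs


def is_valid_order_key(function, field=None, direction=None):
    """Convenience predicate so callers can check a key without catching exceptions."""
    try:
        order_key(function, field, direction)
        return True
    except QueryError:
        return False


def aggregation_query(group_by_field, *, bin_width=None, bins=None,
                      order_keys=(), content_pack_fields=None):
    """Return the query-string fragment for a group-by aggregation.

    Pair order is preserved because the server reads the order-by-* pairs as a
    sequence. If order_keys is empty the server's default (descending by bin time
    range) applies; once any key is given that default is gone and the caller
    must add order-by-field=timestamp itself if it still wants time ordering.
    """
    pairs = [("group-by-field", group_by_field)]
    if bin_width is not None:
        pairs.append(("bin-width", str(bin_width)))  # fixed-width numeric bins
    if bins is not None:
        pairs.append(("bins", ",".join(str(b) for b in bins)))  # explicit boundaries
    for key in order_keys:
        pairs.extend(key)
    if content_pack_fields is not None:
        pairs.append(("content-pack-fields", content_pack_fields))
    # safe="," keeps bins=10,100,500 readable instead of percent-encoding the commas
    return urlencode(pairs, safe=",")
```

Passing no `order_keys` leaves the server default intact; passing even one key replaces it entirely, which is why the builder never adds a timestamp key on its own.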

Now if only there was some official API documentation…

© 2016, Steve Flanders. All rights reserved.
