swagger: '2.0' schemes: [ https ] host: api.logz.io x-servers: - url: https://api.logz.io description: US East (Northern Virginia) - url: https://api-au.logz.io description: Asia Pacific (Sydney) - url: https://api-ca.logz.io description: Canada (Central) - url: https://api-eu.logz.io description: Europe (Frankfurt) - url: https://api-uk.logz.io description: Europe (London) basePath: / produces: [ application/json ] consumes: [ application/json ] info: description: >- # Introduction This API is documented using the **OpenAPI 2.0** specification. The OpenAPI Specification file is also [available for download](https://github.com/logzio/logz-api/blob/master/examples/logzio-public-api.yml) # Automation You can automate most of our APIs using our [Terraform provider](https://docs.logz.io/integrations/terraform/). # Account region and API URL To find your account region, sign in to Logz.io and look at the URL in the address bar. Your API URL has the same two-letter code that you see in the address bar when you're logged in. For more information, see [Account region](https://docs.logz.io/user-guide/accounts/account-region.html). # Authentication The Logz.io API is available to Pro and Enterprise plan subscribers. You can generate and delete API tokens in your [Logz.io account](https://app.logz.io/#/dashboard/settings/manage-tokens/api). # Rate limiting API call and response rates are limited to 100 concurrent API requests per account. To verify your rate limits or request changes to your plan, please contact your account manager or the Customer Success Team. # Compression Compression is supported and recommended for all API calls. To enable compression for API responses, add the following request header: Header Name: Accept-Encoding Header Value: deflate, gzip Compression is STRONGLY RECOMMENDED for 'Search' and 'Scroll' APIs, due to their potentially large response sizes. title: Logz.io API termsOfService: 'https://logz.io/about-us/terms-of-use/' contact: email: help@logz.io url: https://docs.logz.io/ license: name: Apache 2.0 url: 'http://www.apache.org/licenses/LICENSE-2.0.html' securityDefinitions: X-API-TOKEN: description: >- You can manage your API tokens from the [Logz.io API tokens](https://app.logz.io/#/dashboard/settings/manage-tokens/api) page. API tokens are account-specific. You will need to be logged into the relevant Log Management or SIEM account to view the API tokens associated with it. To manage your API tokens, log into the relevant account in your Logz.io platform, click the gear in the top-right menu, and select [**Tools > Manage tokens > API tokens**](https://app.logz.io/#/dashboard/settings/manage-tokens/api). It's important to keep your tokens secure. API tokens carry privileges to make changes to users and accounts, so if you believe an API token has been compromised, delete it, and replace it with a new token in your integrations. type: apiKey in: header name: X-API-TOKEN security: - X-API-TOKEN: [] tags: - name: Metrics gateway description: >- Metrics API Gateway to supported endpoints. In the context of this API, "*Grafana*" refers to the Logz.io fork of Grafana, thus this gateway provides support for the APIs of the Logz.io fork of Grafana and for some of the open source Grafana APIs. Read more about the fork created by Logz.io [here.](https://logz.io/about-us/forked-statement/) **Note:** Run these endpoints with an API token belonging to the main Log Management account associated with your Metrics account. - name: Who am I - name: Manage time-based log accounts description: >- Use these API requests to manage time-based log accounts: * Create, update, or delete a sub account. * Allocate daily capacity to the main account and/or sub accounts. * Retrieve account activity stats and/or account configuration details. ### Flexible storage & shared volume Flexible storage and shared volume allow accounts to share indexing capacity. To enable shared volume, go to the [Manage accounts page](https://app.logz.io/#/dashboard/settings/manage-accounts) in the Logz.io app and toggle the button **Use flexible volume** to turn it on. To determine whether flexible storage is enabled, run a `Get` request to retrieve account details. * If `isFlexible` is true, flexible storage is enabled and every account has reserved capacity set by the parameter `reservedDailyGB`. * If false, flexible storage is disabled and the parameter `reservedDailyGB` is null. - name: Search logs description: >- Use the Elasticsearch Search API DSL query language to search your Logz.io data. To ensure system performance and data availability, we've introduced some limitations to the original Elasticsearch specification. These limitations are detailed in the applicable API calls below. - name: Deployments description: >- Send deployment logs by API to automatically correlate exceptions with service deployments directly in your Logz.io Exceptions tab. - name: Insights description: >- Logz.io monitors your logs for Insights to help you preempt issues and alert you of potential problems. There are two types of Insights: * LOGCEPTION - Application errors and exceptions identified in the stack trace. * PUBLIC_CI - Cognitive Insights correlate your logs with vulnerabilities and issues that are trending in the open source community. You have the option to set up an alert so you can get notified of the details when new or recurring insights are spotted in your system. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. - name: Retrieve audit trail - name: Connect to CloudTrail description: Establish a connection to ship logs to the Logz.io observability platform via an S3 bucket. Supports CloudTrail logs. - name: Connect to S3 Buckets description: >- Establish a connection for the Logz.io fetcher to fetch logs to the Logz.io observability platform via an S3 bucket. Supports ELB, S3 Access, CloudFront, VPC Flow logs. If you're looking to fetch CloudTrail logs, use the designated endpoints. Authentication can be established with either S3 secret credentials or ARNs (for AWS IAM Roles). Authentication with S3 Secret Credentials is supported for backward compatibility. Authentication with ARNs (for IAM Roles) is strongly recommended. - name: Manage notification endpoints description: >- Logz.io can send notifications to your preferred workspaces, such as Opsgenie, BigPanda, PagerDuty, and Slack. Notifications are typically sent when alerts are triggered, when a user shares a Kibana object, or when Logz.io Insights identifies new exceptions in your logs. Use these API endpoints to create, update, or delete notification endpoints. If you configure a custom endpoint, you can configure the notification message body. Otherwise, you can use any of the available preconfigured endpoints. - name: Import or export Kibana objects - name: Manage log shipping tokens description: >- Use these API endpoints to create, update, retrieve, or delete log shipping tokens. - name: Drop filters description: >- Drop filters provide a solution for filtering out logs before they are indexed in your account to help lower costs and reduce account volume. Drop filters evaluate logs for exact field:value matches. Any log results that match active drop filters will not be indexed. This means they will not appear in your Kibana account, will not be searchable, trigger alerts, or appear in dashboards. Archiving is not affected by drop filters. Logs dropped by drop filters will still be archived, if archiving is configured for the account. With archiving configured, you can readily use drop filters to reduce logging bulk and restore the logs in the event that they become relevant. - name: Manage shared tokens description: >- You can share Kibana visualization and dashboard snapshots using shared tokens. Snapshots are stored for 30 days and automatically deleted afterwards. Token filters are available to help you control what data to expose. **Note:** Shared token endpoints require permissions that must be set by our Support team. Please email help@logz.io for assistance. - name: Manage API tokens description: >- You can manage API tokens for sub accounts. - name: Logz.io snapshots - name: Manage users - name: Alerts description: >- Logz.io alerts use a Kibana search query to continuously scan your logs and alert you when a certain set of conditions is met. The simplest alerts can use a simple search query or a particular filter, but others can be quite complex and involve several conditions with varying thresholds. When alerts trigger, they write event logs. Event logs of triggered alerts are always available and searchable in Kibana - just filter for `_exists_:logzio-alert`. But you also have the option to add notifications, and control their contents, format, and who they are sent to. For the deprecated alerting version, please see our [public GitHub project](https://github.com/logzio/public-api/tree/master/alerts). - name: Security rules description: >- Security rules help you connect the dots between your data sources and events that could indicate a security threat or breach. Your Cloud SIEM account comes pre-configured with security rules for different attack types and security use cases. These built-in rules are protected, and there are limitations on the changes that can be made to them. Pre-configured rules can be updated by adding notification endpoints (like email or Slack), changing trigger thresholds and severities, and adding tags, as described in detail in the endpoint. You can also create new security rules to supplement the built-in rules. - name: Security account description: >- A security account with SIEM allows you to use the SIEM platform. You can create a SIEM account using an API call. - name: Security events description: >- A security event is logged whenever a security rule triggers in your [Logz.io Cloud SIEM account](https://app.logz.io/#/dashboard/security/rules/rule-definitions?from=0&sortBy=updatedAt&sortOrder=DESC). Your Logz.io Cloud SIEM is pre-loaded with hundreds of security rules created and maintained by Logz.io's security analysts. The list continues to be expanded and updated on a regular basis. You can also add your own security rules. To investigate into security events, you can begin by running a bulk query to fetch security event logs, either with or without applying filtering criteria. This query returns all of the events that match the query parameters and can potentially fetch events going back many months. Whenever you encounter a particular event you would like to further investigate, you can run the drilldown query to fetch the logs that triggered the security event to delve deeper into the event details. These queries can be used to integrate with an automated response solution such as Cortex xSOAR or simply to understand your security posture and identify suspicious activity in your accounts. - name: Archive logs description: >- You can archive logs to an AWS S3 bucket or Azure Blob Storage. Archiving gives you the option to restore logs and query them after they have expired from your time-based account. You can use the following endpoints to retrieve, set up, test, and update an account's archive settings. Note: Logs are archived before they are indexed and analyzed by Logz.io. If you are using drop filters, note that dropped logs will still be archived. - name: Restore logs description: >- You can restore data from your active archiving account, whether an AWS S3 bucket or Azure Blob Storage. Restoring data gives you the option to query logs after they have expired from your time-based account. You can use the following endpoints to initiate a new restore process, retrieve, set up, test, and update an account's archive settings. Note: Logs that are dropped by drop filters are still archived and can be restored. You can temporarily disable drop filters to restore the data. - name: Lookups description: >- Lookups are custom lists of values that allow you to easily filter by large lists in Kibana. Instead of adding a long list of elements to your query, you can create lookup lists and filter by them using the operators `in lookups`/`not in lookups`. For this purpose, all of the values in a lookup list should be mapped to the same field in Kibana. [Learn more in the user guide](/user-guide/lookups/) - name: Grafana alerting description: >- To create an alert, use the Grafana dashboards API. - name: Authentication groups description: >- Before you can use Authentication Groups API, Logz.io support will need to enable [SSO](https://docs.logz.io/user-guide/users/single-sign-on/) for your account. x-tagGroups: - name: Log Monitoring tags: - Search logs - Alerts - Deployments - Insights - Logz.io snapshots - name: Cloud SIEM tags: - Security account - Security rules - Security events - Lookup lists - name: Account administration tags: - Manage users - Manage metrics account - Associated accounts - Authentication groups - Who am I - Manage time-based log accounts - Manage shared tokens - Manage API tokens - Manage notification endpoints - Import or export Kibana objects - name: Manage data shipping tags: - Manage log shipping tokens - Drop filters - Archive logs - Restore logs - Parsing - Delete object API - name: Data security tags: - Retrieve audit trail - name: Connect to AWS resources tags: - Connect to CloudTrail - Connect to S3 Buckets - name: Metrics API Gateway tags: - Grafana contact points - Grafana data source - Grafana alerting provisioning - Grafana silence management - Grafana annotations - Grafana dashboards - Grafana dashboard search - Grafana snapshots - Grafana get all folders description: Metrics API Gateway to supported endpoints. paths: # ::::: PROMETHEUS /v1/metrics/prometheus/api/v1/query: get: operationId: 'GetInstantQuery' summary: 'Evaluates an instant query at a single point in time' description: | Retrieve data by submitting a GET request with query parameters. Please ensure to change the region in the URL to match your account's region. tags: - Query parameters: - in: query name: query type: string required: true description: 'Prometheus expression query string.' - in: query name: time type: string required: false description: 'Evaluation timestamp as an RFC3339 or Unix timestamp. Optional.' - in: query name: timeout type: string required: false description: 'Evaluation timeout. Defaults to the value of the -query.timeout flag.' responses: 200: description: 'Query results in a defined format.' schema: $ref: '#/definitions/QueryResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' post: operationId: 'PostInstantQuery' summary: 'Evaluates an instant query at a single point in time using POST' description: | Submit query data in the request body using URL-encoded form parameters. Please ensure to change the region in the URL to match your account's region. tags: - Query consumes: - application/x-www-form-urlencoded parameters: - in: formData name: query type: string required: true description: 'Prometheus expression query string.' - in: formData name: time type: string required: false description: 'Evaluation timestamp as an RFC3339 or Unix timestamp. Optional.' - in: formData name: timeout type: string required: false description: 'Evaluation timeout. Defaults to the value of the -query.timeout flag.' responses: 200: description: 'Successful query evaluation.' schema: $ref: '#/definitions/QueryResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' /v1/metrics/prometheus/api/v1/query_range: get: operationId: 'GetRangeQuery' summary: 'Evaluates an expression query over a range of time' description: | Retrieve data over a specified time range by submitting a GET request with query parameters. Please ensure to change the region in the URL to match your account's region. tags: - Range Query parameters: - in: query name: query type: string required: true description: 'Prometheus expression query string.' - in: query name: start type: string required: true description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: query name: end type: string required: true description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: query name: step type: string required: true description: 'Query resolution step width in seconds.' - in: query name: timeout type: string required: false description: 'Evaluation timeout. Optional, defaults to the value of the -query.timeout flag.' responses: 200: description: 'Range query results in a defined format.' schema: $ref: '#/definitions/RangeQueryResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' post: operationId: 'PostRangeQuery' summary: 'Evaluates an expression query over a range of time using POST' description: | Submit query data in the request body using URL-encoded form parameters. Please ensure to change the region in the URL to match your account's region. tags: - Range Query consumes: - application/x-www-form-urlencoded parameters: - in: formData name: query type: string required: true description: 'Prometheus expression query string.' - in: formData name: start type: string required: true description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: formData name: end type: string required: true description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: formData name: step type: string required: true description: 'Query resolution step width in seconds.' - in: formData name: timeout type: string required: false description: 'Evaluation timeout. Optional, defaults to the value of the -query.timeout flag.' responses: 200: description: 'Successful range query evaluation.' schema: $ref: '#/definitions/RangeQueryResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' /v1/metrics/prometheus/api/v1/series: get: operationId: 'GetSeriesByLabels' summary: 'Returns the list of time series that match a certain label set.' description: | Retrieve time series data by submitting a GET request with label matchers and time range parameters. Please ensure to change the region in the URL to match your account's region. tags: - Time Series parameters: - in: query name: 'match[]' type: 'array' required: true items: type: 'string' collectionFormat: multi description: 'Series selector that selects the series to return. At least one must be provided.' - in: query name: start type: 'string' required: true description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: query name: end type: 'string' required: true description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: query name: limit type: 'integer' required: false description: 'Maximum number of returned series. Optional.' responses: 200: description: 'List of matching time series.' schema: $ref: '#/definitions/SeriesResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' post: operationId: 'PostSeriesByLabels' summary: 'Returns the list of time series that match a certain label set using POST.' description: | Submit label matchers and time range data in the request body using URL-encoded form parameters. Please ensure to change the region in the URL to match your account's region. tags: - Time Series consumes: - application/x-www-form-urlencoded parameters: - in: formData name: 'match[]' type: 'array' required: true items: type: 'string' collectionFormat: multi description: 'Series selector that selects the series to return. At least one must be provided.' - in: formData name: start type: 'string' required: true description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: formData name: end type: 'string' required: true description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp.' - in: formData name: limit type: 'integer' required: false description: 'Maximum number of returned series. Optional.' responses: 200: description: 'Successful retrieval of matching time series.' schema: $ref: '#/definitions/SeriesResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' /v1/metrics/prometheus/api/v1/labels: get: operationId: 'GetLabelNames' summary: 'Returns a list of label names' description: | Retrieve a list of all label names optionally filtered by a time range and series selectors. Please ensure to change the region in the URL to match your account's region. tags: - Labels parameters: - in: query name: start type: 'string' required: false description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp. Optional.' - in: query name: end type: 'string' required: false description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp. Optional.' - in: query name: 'match[]' type: 'array' required: false items: type: 'string' collectionFormat: multi description: 'Series selector to narrow down the series from which to read the label names. Optional.' - in: query name: limit type: 'integer' required: false description: 'Maximum number of label names to return. Optional.' responses: 200: description: 'List of label names.' schema: $ref: '#/definitions/LabelNamesResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' post: operationId: 'PostLabelNames' summary: 'Returns a list of label names using POST' description: | Submit parameters in the request body using URL-encoded form parameters to retrieve a list of label names. Please ensure to change the region in the URL to match your account's region. tags: - Labels consumes: - application/x-www-form-urlencoded parameters: - in: formData name: start type: 'string' required: false description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp. Optional.' - in: formData name: end type: 'string' required: false description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp. Optional.' - in: formData name: 'match[]' type: 'array' required: false items: type: 'string' collectionFormat: multi description: 'Series selector to narrow down the series from which to read the label names. Optional.' - in: formData name: limit type: 'integer' required: false description: 'Maximum number of label names to return. Optional.' responses: 200: description: 'Successful retrieval of label names.' schema: $ref: '#/definitions/LabelNamesResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' /v1/metrics/prometheus/api/v1/label/{label_name}/values: get: operationId: 'GetLabelValues' summary: 'Returns a list of label values for a provided label name' description: | Retrieves a list of all values associated with a specific label name, optionally filtered by time range and series selectors. Please ensure to change the region in the URL to match your account's region. tags: - Label Values parameters: - in: path name: label_name type: 'string' required: true description: 'The name of the label to retrieve values for.' - in: query name: start type: 'string' required: false description: 'Start timestamp, inclusive, as an RFC3339 or Unix timestamp. Optional.' - in: query name: end type: 'string' required: false description: 'End timestamp, inclusive, as an RFC3339 or Unix timestamp. Optional.' - in: query name: 'match[]' type: 'array' required: false items: type: 'string' collectionFormat: multi description: 'Series selector to narrow down the series from which to read the label values. Optional.' - in: query name: limit type: 'integer' required: false description: 'Maximum number of label values to return. Optional.' responses: 200: description: 'List of label values.' schema: $ref: '#/definitions/LabelValuesResult' 400: description: 'Invalid request parameters.' 500: description: 'Internal server error.' # ::::: Logz.io Dashboards - Dashboards /perses-public/api/v1/dashboards: get: summary: Get all dashboards description: | Retrieves a list of all dashboards. tags: - Dashboards get all parameters: - in: body type: 'string' required: false responses: '200': description: List of dashboards schema: type: array items: type: object properties: uid: type: string example: dashboard-1 schema: - name: title type: string example: CPU usage - name: panels type: string - name: refresh type: string example: 5s veersion: type: string example: 1.0.0 createdAt: type: string example: 2024-03-20T10:00:00Z /perses-public/api/v1/projects/{folderId}/dashboards/{uid}: get: summary: Get dashboard by ID description: | Retrieves a specific dashboard by its ID. tags: - Dashboards get by ID parameters: - in: path name: dashboardId type: string required: true description: The ID of the dashboard to retrieve. responses: '200': description: Dashboard details schema: type: object properties: uid: type: string example: dashboard-1 title: type: string example: CPU usage panels: type: string refresh: type: string example: 5s version: type: string example: 1.0.0 createdAt: type: string example: 2024-03-20T10:00:00Z /perses-public/api/v1/projects/{folderId}/dashboards: post: summary: Create a new dashboard description: | Creates a new dashboard in the specified folder. tags: - Dashboards create new parameters: - in: path name: folderId type: string required: true description: The ID of the folder where the dashboard will be created. - in: body name: body required: true schema: type: object properties: title: type: string example: CPU usage panels: type: string refresh: type: string example: 5s responses: '201': description: Created dashboard details schema: type: object properties: uid: type: string example: dashboard-1 /perses-public/api/v1/projects/{folderId}/dashboards/{uid}/: put: summary: Update an existing dashboard description: | Updates an existing dashboard in the specified folder. tags: - Dashboards update parameters: - in: path name: folderId type: string required: true description: The ID of the folder where the dashboard is located. - in: path name: uid type: string required: true description: The ID of the dashboard to update. - in: body name: body required: true schema: type: object properties: title: type: string example: CPU usage updated panels: type: string refresh: type: string example: 10s responses: '200': description: Updated dashboard details schema: type: object properties: uid: type: string example: dashboard-1 /perses-public/api/v1/projects/{folderId}/dashboards/{uid}/1: delete: summary: Delete a dashboard description: | Deletes a specific dashboard by its ID. tags: - Dashboards delete parameters: - in: path name: folderId type: string required: true description: The ID of the folder where the dashboard is located. - in: path name: uid type: string required: true description: The ID of the dashboard to delete. responses: '204': description: Dashboard deleted successfully '404': description: Dashboard not found /perses-public/api/v1/dashboards/move: post: summary: Move a dashboard to a different folder description: | Moves a dashboard to a different folder. tags: - Dashboards move parameters: - in: body name: body required: true schema: type: object properties: uid: type: string example: dashboard-1 targetFolderId: type: string example: folder-2 responses: '200': description: Dashboard moved successfully schema: type: object properties: uid: type: string example: dashboard-1 /perses-public/api/v1/dashboards/users: get: summary: Get dashboard by user description: | Retrieves a list of dashboards created by a specific user. tags: - Dashboards get by user parameters: - in: query name: userId type: string required: true description: The ID of the user whose dashboards are to be retrieved. responses: '200': description: List of dashboards by user schema: type: array items: type: object properties: uid: type: string example: dashboard-1 title: type: string example: CPU usage /perses-public/api/v1/globaldatasources: get: summary: Get all global data sources description: | Retrieves a list of all global data sources. tags: - Dashboards get all global data sources responses: '200': description: List of global data sources schema: type: array items: type: object properties: uid: type: string example: datasource-1 name: type: string example: Prometheus type: type: string example: prometheus # ::::: Logz.io Dashboards - Folders /perses-public/api/v1/projects: get: summary: Get all dashboards folders description: | Retrieves a list of all dashboard folders (projects). tags: - Dashboards get all folders parameters: - in: query name: withDashboards type: string required: false description: Include dashboard information in the response responses: '200': description: List of dashboard folders schema: type: array items: type: object properties: id: type: string example: folder-1 name: type: string example: system-metrics displayName: type: string example: System Metrics description: type: string example: System monitoring dashboards createdAt: type: string example: 2024-03-20T10:00:00Z /perses-public/api/v1/projects/: post: summary: Create dashboards folder description: | Creates a new folder (project) with the specified name. tags: - Dashboards create new folder parameters: - in: body name: body required: true schema: type: object properties: name: type: string description: The name of the folder to create. example: my-folder required: true responses: '201': description: Folder created successfully schema: type: object properties: id: type: string example: folder-1 /perses-public/api/v1/projects/{folderId}: delete: summary: Delete dashboard folder description: | Deletes a specific dashboard folder (project) by its ID. tags: - Dashboards delete folder parameters: - in: path name: folderId type: string required: true description: The ID of the folder to delete. responses: '204': description: Folder deleted successfully '404': description: Folder not found '401': description: Unauthorized access to delete folder '400': description: Bad request, invalid folder ID '403': description: Forbidden, insufficient permissions to delete folder '409': description: Conflict, folder is not empty or has dependencies '500': description: Internal server error, unable to delete folder /perses-public/api/v1/projects/{name}: get: summary: Get dashboard folder by name description: | Retrieves a specific dashboard folder (project) by its name. tags: - Dashboards get folder by name parameters: - in: path name: name type: string required: true description: The name of the folder to retrieve. responses: '200': description: Folder details schema: type: object properties: id: type: string example: folder-1 name: type: string example: my-folder displayName: type: string example: My Folder description: type: string example: This is my dashboard folder createdAt: type: string example: 2024-03-20T10:00:00Z /perses-public/api/v1/projects/{folderId}/rename: put: summary: Rename dashboard folder description: | Renames an existing dashboard folder (project) with the specified name. tags: - Dashboards rename folder parameters: - in: path name: folderId type: string required: true description: The ID of the folder to rename. - in: body name: body required: true schema: type: object properties: newName: type: string description: The new name for the folder. example: my-new-folder required: true responses: '200': description: Folder renamed successfully schema: type: object properties: id: type: string example: folder-1 name: type: string example: my-new-folder /perses-public/api/v1/projects/search: get: summary: Search dashboard folders description: | Searches for dashboard folders (projects) by name. tags: - Dashboards search folder parameters: - in: query name: query type: string required: true description: The search query to filter folders by name. - in: query name: limit type: integer required: false description: Maximum number of folders to return (default is 1000) example: 1000 - in: query name: page type: integer required: false description: Page number for fetching folders from other than the first one example: 1 - in: query name: sort type: string required: false description: Sort criteria for the results (e.g., 'asc', 'desc') example: asc responses: '200': description: List of matching folders content: application/json: schema: type: array items: type: object properties: id: type: string example: folder-1 name: type: string example: my-folder /perses-public/api/v1/projects/{name}1: put: summary: Update dashboard folder description: | Updates an existing dashboard folder (project) with the specified name. tags: - Dashboards update folder parameters: - in: path name: name type: string required: true description: The name of the folder to update. - in: body name: body required: true schema: type: object properties: displayName: type: string description: The new display name for the folder. example: My Updated Folder description: type: string description: The new description for the folder. example: This is my updated dashboard folder responses: '200': description: Folder updated successfully schema: type: object properties: id: type: string example: folder-1 name: type: string example: my-folder # ::::: GRAFANA paths: /v1/grafana/api/folders: get: summary: Get all folders operationId: getAllFolders description: | Returns all folders the authenticated user can view. Make sure the region in the URL matches your account's region. tags: [Grafana Folders] parameters: - name: limit in: query description: Maximum number of folders to return (default 1000) type: integer - name: page in: query description: Page number (starts at 1) type: integer - name: parentUid in: query description: Parent folder UID to fetch subfolders type: string responses: '200': description: List of folders schema: type: array items: type: object properties: id: { type: integer } uid: { type: string } title: { type: string } post: summary: Create a new Grafana folder operationId: createNewGrafanaFolder description: | Creates a new folder. Make sure the region in the URL matches your account's region. tags: [Grafana Folders] parameters: - in: body name: body required: true schema: type: object required: [title] properties: title: type: string example: My New Folder uid: type: string overwrite: type: boolean example: false responses: '200': description: Folder created schema: type: object properties: id: { type: integer } uid: { type: string } title: { type: string } url: { type: string } created: { type: string, format: date-time } updated: { type: string, format: date-time } version: { type: integer, format: int64 } additionalProperties: true /v1/grafana/api/folders/{uid}: parameters: - in: path name: uid type: string required: true description: The UID of the folder get: summary: Get Grafana folder by UID operationId: getGrafanaFolderByUid tags: [Grafana Folders] description: | Returns a single folder by UID. Make sure the region in the URL matches your account's region. responses: '200': description: Folder details schema: type: object properties: id: { type: integer } uid: { type: string } title: { type: string } url: { type: string } created: { type: string, format: date-time } updated: { type: string, format: date-time } createdBy: { type: string } updatedBy: { type: string } version: { type: integer, format: int64 } put: summary: Update a Grafana folder by UID operationId: updateGrafanaFolderByUid tags: [Grafana Folders] description: | Updates a folder by UID. Make sure the region in the URL matches your account's region. parameters: - in: body name: body required: true schema: type: object required: [title] properties: uid: type: string description: The UID of the folder example: "my-folder-uid" title: type: string description: The title of the folder example: Updated Folder Title overwrite: type: boolean description: Whether to overwrite if folder exists example: false responses: '200': description: Folder updated schema: type: object properties: id: type: integer description: The numeric ID of the folder example: 123 uid: type: string description: The UID of the folder example: "my-folder-uid" title: type: string description: The title of the folder example: "Updated Folder Title" url: type: string description: The URL path to the folder example: "/dashboards/f/my-folder-uid/updated-folder-title" created: type: string format: date-time description: ISO timestamp when the folder was created example: "2024-01-15T10:30:00Z" updated: type: string format: date-time description: ISO timestamp when the folder was last updated example: "2024-01-16T14:45:30Z" version: type: integer description: The version number of the folder example: 2 delete: summary: Delete a Grafana folder by UID operationId: deleteGrafanaFolderByUid tags: [Grafana Folders] description: | Deletes a folder by UID. Make sure the region in the URL matches your account's region. responses: '204': description: Folder deleted '404': description: Folder not Found '400': description: Folder is not empty schema: type: object properties: message: type: string example: "Folder cannot be deleted: folder is not empty" messageId: type: string example: "folder.not-empty" /v1/grafana/api/v1/provisioning/contact-points: get: operationId: RouteGetContactpoints summary: Get all contact points description: | Get all contact points. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points parameters: - in: query name: name type: string schema: description: >- Name to filter by. responses: 200: description: ContactPoints schema: type: array items: type: object properties: disableResolveMessage: type: boolean name: type: string example: webhook_1 provenance: type: string example: string settings: type: object properties: type: type: string example: webhook uid: type: string example: my_external_reference post: operationId: RoutePostContactpoints summary: Create a contact point description: | Create a contact point. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points parameters: - in: body name: body schema: type: object properties: disableResolveMessage: type: boolean name: type: string example: webhook_1 settings: type: object properties: type: type: string example: webhook uid: type: string example: my_external_reference responses: 202: description: ContactPoints schema: type: object properties: definitions: disableResolveMessage: type: boolean name: type: string example: webhook_1 provenance: type: string example: string settings: type: object properties: type: type: string example: webhook uid: type: string example: my_external_reference 400: description: Not Found schema: type: object properties: message: type: string example: Error message /v1/grafana/api/v1/provisioning/contact-points/<>: delete: operationId: RouteDeleteContactpoints summary: Delete a contact point description: | Delete a contact point. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points parameters: - in: path name: UID type: string required: true schema: description: >- Contact point unique identifier. responses: 204: description: Not Found schema: type: object properties: message: type: string example: The contact point was deleted successfully. put: operationId: RouteUpdateContactpoints summary: Update a contact point description: | Update a contact point. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points parameters: - in: path name: UID type: string required: true schema: description: >- Contact point unique identifier. - in: body name: body schema: type: object properties: disableResolveMessage: type: boolean name: type: string example: webhook_1 settings: type: object properties: type: type: string example: webhook uid: type: string example: my_external_reference responses: 202: description: Not Found schema: type: object properties: message: type: string example: The contact point was deleted successfully. 204: description: Acknowledged schema: type: object properties: 400: description: Not Found schema: type: object properties: message: type: string example: Validator error. /v1/grafana/api/v1/provisioning/policies: delete: operationId: RouteResetPolicyTree summary: Clears the notification policy tree description: | Clears the notification policy tree. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points responses: 202: description: Not Found schema: type: object properties: message: type: string example: The contact point was deleted successfully. get: operationId: RouteGetPolicyTree summary: Get notification policy tree description: | Get notification policy tree. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points responses: 202: description: Not Found schema: type: object properties: continue: type: boolean group_by: type: array items: type: string example: string group_interval: type: string example: string group_wait: type: string example: string match: type: object properties: additionalProp1: type: string example: string additionalProp2: type: string example: string additionalProp3: type: string example: string match_re: type: object properties: additionalProp1: type: object properties: additionalProp2: type: object properties: additionalProp3: type: object properties: matchers: type: array items: type: object properties: Name: type: string example: string Type: type: integer format: int32 example: 0 Value: type: string example: string mute_time_intervals: type: array items: type: string example: string object_matchers: type: array items: type: object properties: Name: type: string example: string Type: type: integer format: int32 example: 0 Value: type: string example: string provenance: type: string example: string receiver: type: string example: string repeat_interval: type: string example: string routes: type: array items: type: string example: string put: operationId: RouteSetPolicyTree summary: Set notification policy tree description: | Set notification policy tree. Please ensure to change the region in the URL to match your account's region. tags: - Grafana contact points parameters: - in: body name: body schema: type: object properties: continue: type: boolean group_by: type: array items: type: string example: string group_interval: type: string example: string group_wait: type: string example: string match: type: object properties: additionalProp1: type: string example: string additionalProp2: type: string example: string additionalProp3: type: string example: string match_re: type: object properties: additionalProp1: type: object properties: additionalProp2: type: object properties: additionalProp3: type: object properties: matchers: type: array items: type: object properties: Name: type: string example: string Type: type: integer format: int32 example: 0 Value: type: string example: string mute_time_intervals: type: array items: type: string example: string object_matchers: type: array items: type: object properties: Name: type: string example: string Type: type: integer format: int32 example: 0 Value: type: string example: string provenance: type: string example: string receiver: type: string example: string repeat_interval: type: string example: string routes: type: array items: type: string example: string responses: 202: description: Not Found schema: type: object properties: message: type: string example: The contact point was deleted successfully. 400: description: Not Found schema: type: object properties: message: type: string example: Validator error. /v1/grafana/api/datasources/summary: get: operationId: getAllDatasources summary: Return a list of data sources description: | Return a list of data sources for all accounts under the API token provided. Please ensure to change the region in the URL to match your account's region. tags: - Grafana data source responses: 200: description: successful query schema: type: array items: type: object properties: id: type: integer example: 123 description: Data source Id uid: type: string example: DCFaFyDnk description: Data source UID name: type: string example: cluster6_metrics description: Data source name type: type: string example: prometheus description: Enum for the data source type. Can be eithern prometheus or elasticsearch. database: type: string example: 123456 description: Metrics account ID 404: description: Not Found schema: type: object properties: message: type: string example: Data source not found. /v1/grafana/api/datasources/name/{metric_account_name}/summary: get: operationId: getDatasourceByAccount summary: Get a data source for a given account description: | Get a data source for a given account. Please ensure to change the region in the URL to match your account's region. tags: - Grafana data source parameters: - in: path name: metric_account_name type: string schema: description: >- Logz.io metric account name responses: 200: description: successful query schema: type: object properties: id: type: integer example: 123 description: Data source Id uid: type: string example: DCFaFyDnk description: Data source UID name: type: string example: cluster6_metrics description: Data source name type: type: string example: prometheus description: Enum for the data source type. Can be eithern prometheus or elasticsearch. database: type: string example: 123456 description: Metrics account ID 404: description: Not Found schema: type: object properties: message: type: string example: Data source not found. /v1/grafana/api/v1/provisioning/alert-rules: get: operationId: getAlertRules summary: Return a list of all alerts description: | Returns a list of all alerts. Please ensure to change the region in the URL to match your account's region. tags: - Grafana alerting provisioning parameters: - in: query name: panelId type: integer schema: description: >- Id of a specific panel to return in results. - in: query name: dashboardUid type: integer schema: description: >- Id of a specific dashboard to return in results. responses: 200: description: successful query schema: type: object properties: annotations: type: object description: Annotations for the dashboard properties: runbook_url: type: string description: URL to the runbook example: https://supercoolrunbook.com/page/13 condition: type: string description: Condition example: A data: type: array description: Response wrapper for the data retrieved items: type: object description: Data items retrieved properties: datasourceUid: type: string description: Grafana data source unique identifier example: -100 model: type: object description: JSON is the raw JSON query and includes the model properties as well as custom properties. properties: conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 example: 0 type: type: string example: gt operator: type: object properties: type: type: string example: and query: type: object properties: params: type: array items: reducer: type: object properties: params: type: array items: type: type: string example: avg type: type: string example: query datasource: type: object properties: type: type: string example: __expr__ uid: type: string example: __expr__ expression: type: string example: 1 == 1 hide: type: boolean intervalMs: type: integer format: int32 example: 1000 maxDataPoints: type: integer format: int32 example: 43200 refId: type: string example: A type: type: string example: math queryType: type: string description: Optional identifier for the type of query example: refId: type: string description: Unique identifier of the query, set by the frontend call. example: A relativeTimeRange: type: object description: Per query start and end time for requests properties: from: type: integer format: int32 example: 0 to: type: integer format: int32 example: 0 execErrState: type: string example: Alerting folderUID: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: project_x for: type: integer format: int32 example: 0 id: type: integer format: int32 example: 0 labels: type: object properties: team: type: string example: sre-team-1 noDataState: type: string example: Alerting orgID: type: integer format: int32 example: 0 provenance: type: string example: string ruleGroup: type: string example: eval_group_1 title: type: string example: Always firing uid: type: string example: string updated: type: string example: 2022-08-16T11:07:04.763Z post: operationId: AlertRules summary: Create a new alert rule description: | Creates a new alert rule. Please ensure to change the region in the URL to match your account's region. tags: - Grafana alerting provisioning parameters: - in: body name: body schema: type: object properties: annotations: type: object properties: runbook_url: type: string example: https://supercoolrunbook.com/page/13 condition: type: string example: A data: type: array items: type: object required: - datasourceUid properties: datasourceUid: type: string example: -100 model: type: object properties: conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 example: 0 type: type: string example: gt operator: type: object properties: type: type: string example: and query: type: object properties: params: type: array items: reducer: type: object properties: params: type: array items: type: type: string example: avg type: type: string example: query datasource: type: object properties: type: type: string example: __expr__ uid: type: string example: __expr__ expression: type: string example: 1 == 1 hide: type: boolean intervalMs: type: integer format: int32 example: 1000 maxDataPoints: type: integer format: int32 example: 43200 refId: type: string example: A type: type: string example: math queryType: type: string example: refId: type: string example: A relativeTimeRange: type: object properties: from: type: integer format: int32 example: 0 to: type: integer format: int32 example: 0 execErrState: type: string example: Alerting folderUID: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: project_x for: type: integer format: int32 example: 0 id: type: integer format: int32 example: 0 labels: type: object properties: team: type: string example: sre-team-1 noDataState: type: string example: Alerting provenance: type: string example: string ruleGroup: type: string example: eval_group_1 title: type: string example: Always firing uid: type: string example: string responses: 200: description: successful query schema: type: object properties: annotations: type: object properties: runbook_url: type: string example: https://supercoolrunbook.com/page/13 condition: type: string example: A data: type: array items: type: object properties: datasourceUid: type: string example: -100 model: type: object properties: conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 example: 0 type: type: string example: gt operator: type: object properties: type: type: string example: and query: type: object properties: params: type: array items: reducer: type: object properties: params: type: array items: type: type: string example: avg type: type: string example: query datasource: type: object properties: type: type: string example: __expr__ uid: type: string example: __expr__ expression: type: string example: 1 == 1 hide: type: boolean intervalMs: type: integer format: int32 example: 1000 maxDataPoints: type: integer format: int32 example: 43200 refId: type: string example: A type: type: string example: math queryType: type: string example: refId: type: string example: A relativeTimeRange: type: object properties: from: type: integer format: int32 example: 0 to: type: integer format: int32 example: 0 execErrState: type: string example: Alerting folderUID: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: project_x for: type: integer format: int32 example: 0 id: type: integer format: int32 example: 0 labels: type: object properties: team: type: string example: sre-team-1 noDataState: type: string example: Alerting orgID: type: integer format: int32 example: 0 provenance: type: string example: string ruleGroup: type: string example: eval_group_1 title: type: string example: Always firing uid: type: string example: string updated: type: string example: 2022-08-16T13:09:06.350Z /v1/grafana/api/v1/provisioning/alert-rules/<>: get: operationId: getAlertRulesByUID summary: Return a list of all alerts by UID description: | Returns a list of all alerts by a UID. Please ensure to change the region in the URL to match your account's region. tags: - Grafana alerting provisioning parameters: - in: path name: UID type: string schema: description: >- Alert rule UID. responses: 200: description: successful query schema: type: object properties: annotations: type: object properties: runbook_url: type: string example: https://supercoolrunbook.com/page/13 condition: type: string example: A data: type: array items: type: object properties: datasourceUid: type: string example: -100 model: type: object properties: conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 example: 0 type: type: string example: gt operator: type: object properties: type: type: string example: and query: type: object properties: params: type: array items: reducer: type: object properties: params: type: array items: type: type: string example: avg type: type: string example: query datasource: type: object properties: type: type: string example: __expr__ uid: type: string example: __expr__ expression: type: string example: 1 == 1 hide: type: boolean intervalMs: type: integer format: int32 example: 1000 maxDataPoints: type: integer format: int32 example: 43200 refId: type: string example: A type: type: string example: math queryType: type: string example: refId: type: string example: A relativeTimeRange: type: object properties: from: type: integer format: int32 example: 0 to: type: integer format: int32 example: 0 execErrState: type: string example: Alerting folderUID: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: project_x for: type: integer format: int32 example: 0 id: type: integer format: int32 example: 0 labels: type: object properties: team: type: string example: sre-team-1 noDataState: type: string example: Alerting orgID: type: integer format: int32 example: 0 provenance: type: string example: string ruleGroup: type: string example: eval_group_1 title: type: string example: Always firing uid: type: string example: string updated: type: string example: 2022-08-16T13:09:06.350Z put: operationId: putAlertRulesByUID summary: Amend an alert by UID description: | Amend an alert by UID. Please ensure to change the region in the URL to match your account's region. tags: - Grafana alerting provisioning parameters: - in: path name: UID type: string schema: description: >- Alert rule UID. - in: body name: body schema: type: object properties: annotations: type: object properties: runbook_url: type: string example: https://supercoolrunbook.com/page/13 condition: type: string example: A data: type: array items: type: object properties: datasourceUid: type: string example: -100 model: type: object properties: conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 example: 0 type: type: string example: gt operator: type: object properties: type: type: string example: and query: type: object properties: params: type: array items: reducer: type: object properties: params: type: array items: type: type: string example: avg type: type: string example: query datasource: type: object properties: type: type: string example: __expr__ uid: type: string example: __expr__ expression: type: string example: 1 == 1 hide: type: boolean intervalMs: type: integer format: int32 example: 1000 maxDataPoints: type: integer format: int32 example: 43200 refId: type: string example: A type: type: string example: math queryType: type: string example: refId: type: string example: A relativeTimeRange: type: object properties: from: type: integer format: int32 example: 0 to: type: integer format: int32 example: 0 execErrState: type: string example: Alerting folderUID: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: project_x for: type: integer format: int32 example: 0 id: type: integer format: int32 example: 0 labels: type: object properties: team: type: string example: sre-team-1 noDataState: type: string example: Alerting orgID: type: integer format: int32 example: 0 provenance: type: string example: string ruleGroup: type: string example: eval_group_1 title: type: string example: Always firing uid: type: string example: string responses: 200: description: successful query schema: type: object properties: annotations: type: object properties: runbook_url: type: string example: https://supercoolrunbook.com/page/13 condition: type: string example: A data: type: array items: type: object properties: datasourceUid: type: string example: -100 model: type: object properties: conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 example: 0 type: type: string example: gt operator: type: object properties: type: type: string example: and query: type: object properties: params: type: array items: reducer: type: object properties: params: type: array items: type: type: string example: avg type: type: string example: query datasource: type: object properties: type: type: string example: __expr__ uid: type: string example: __expr__ expression: type: string example: 1 == 1 hide: type: boolean intervalMs: type: integer format: int32 example: 1000 maxDataPoints: type: integer format: int32 example: 43200 refId: type: string example: A type: type: string example: math queryType: type: string example: refId: type: string example: A relativeTimeRange: type: object properties: from: type: integer format: int32 example: 0 to: type: integer format: int32 example: 0 execErrState: type: string example: Alerting folderUID: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: project_x for: type: integer format: int32 example: 0 id: type: integer format: int32 example: 0 labels: type: object properties: team: type: string example: sre-team-1 noDataState: type: string example: Alerting orgID: type: integer format: int32 example: 0 provenance: type: string example: string ruleGroup: type: string example: eval_group_1 title: type: string example: Always firing uid: type: string example: string updated: type: string example: 2022-08-16T14:04:25.062Z delete: operationId: deleteAlertRulesByUID summary: Delete alert rule by UID description: | Deletes the annotation that matches the specified id. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: path name: UID type: string schema: description: >- Alert rule UID. responses: 200: description: successful query schema: type: object properties: message: type: string description: Confirmation message. example: Annotation deleted # ::::: Silences /v1/grafana/api/alertmanager/grafana/api/v2/silences/: get: operationId: getAllSilences summary: Retrieve all silences description: | Retrieve a list of all existing silences, including their ID, status, and additional details. tags: - Grafana silence management parameters: - in: body name: body required: false schema: $ref: '#/definitions/SilenceGetAll' responses: 200: description: successful operation schema: $ref: '#/definitions/SilenceGetAll' /v1/grafana/api/alertmanager/grafana/api/v2/silences: post: operationId: createNewSilence summary: Create new silence description: | Create a new silence to temporarily suppress alerts based on specified matchers and duration. tags: - Grafana silence management parameters: - in: body name: body required: false schema: $ref: '#/definitions/SilenceCreate' responses: 200: description: The silence was successfully created. 400: description: The request body is invalid or missing required fields. /v1/grafana/api/alertmanager/grafana/api/v2/silence/<>: delete: operationId: deleteSilence summary: Delete a silence description: | Remove an existing silence to resume alert notifications for the affected matchers. tags: - Grafana silence management parameters: - in: path name: UID type: string required: true schema: description: >- Unique identifier of the silence. responses: 200: description: The silence was successfully deleted. 400: description: The specified silence UID does not exist. /v1/grafana/api/annotations/: get: operationId: getAnnotations summary: Find annotations description: | Searches for annotations in the Grafana database. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: query name: from type: integer schema: description: >- Epoch datetime in milliseconds. Optional. - in: query name: to type: integer schema: description: >- Epoch datetime in milliseconds. Optional. - in: query name: limit type: integer schema: description: >- Optional - default is 100. Max limit for results returned. - in: query name: alertId type: integer schema: description: >- Optional. Find annotations for a specified alert. - in: query name: dashboardId type: integer schema: description: >- Optional. Find annotations that are scoped to a specific dashboard - in: query name: panelId type: integer schema: description: >- Optional. Find annotations that are scoped to a specific panel - in: query name: userId type: integer schema: description: >- Optional. Find annotations created by a specific user - in: query name: type type: string schema: description: >- Optional. Return alerts or user created annotations - in: query name: tags type: string schema: description: >- Optional. Use this to filter global annotations. Global annotations are annotations from an annotation data source that are not connected specifically to a dashboard or panel. To do an “AND” filtering with multiple tags, specify the tags parameter multiple times e.g. tags=tag1&tags=tag2. responses: 200: description: successful query schema: type: object properties: id: type: integer description: ID. example: 1 dashboardId: type: integer description: Dashboard ID. example: 1 dashboardUId: type: string description: Dashboard UID. example: "ABcdEFghij" dashboardSlug: type: string description: Dashboard slug. example: "sensors" panelId: type: integer description: Panel ID. example: 1 name: type: string description: Dashboard name. example: "fire place sensor" state: type: string description: Dashboard state. example: "alerting" newStateDate: type: string description: Date of the new state. example: "2018-05-14T05:55:20+02:00" evalDate: type: string description: Evaluation date. example: "0001-01-01T00:00:00Z" evalData: type: array description: Evaluation data. items: type: string executionError: type: string description: Execution error, if present example: "" url: type: string description: Dashboard url. example: "http://grafana.com/dashboard/db/sensors" post: operationId: createAnnotations summary: Create annotations description: | Creates an annotation in the Grafana database. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: body name: body schema: type: object properties: dashboardId: type: integer description: Id of the dashboard. The dashboardId and panelId fields are optional. If they are not specified then a global annotation is created and can be queried in any dashboard that adds the Grafana annotations data source. panelId: type: integer description: Id of the panel. The dashboardId and panelId fields are optional. If they are not specified then a global annotation is created and can be queried in any dashboard that adds the Grafana annotations data source. time: type: integer description: Epoch time in milliseconds. timeEnd: type: integer description: Epoch time in milliseconds. tags: type: array description: Annotation tags. items: type: string example: tag1 text: type: string description: Annotation Description. responses: 200: description: successful query schema: type: object properties: id: type: integer description: ID. example: 1 message: type: string description: Confirmation message. example: Annotation added /v1/grafana/api/annotations/graphite: post: operationId: createAnnotationsGraphite summary: Create annotations in Graphite format description: | Creates an annotation in the Grafana database by using Graphite-compatible event format. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: body name: body schema: type: object properties: what: type: string description: Graphite annotation. example: Event - deploy when: type: integer description: Epoch datetime of the annotation in milliseconds. Optional. If `when` is not specified then the current time will be used as annotation’s timestamp.. tags: type: array description: Annotation tags. Can also be in prior to Graphite 0.10.0 format (string with multiple tags being separated by a space). example: ["deploy", "production"] items: type: string data: type: string description: Annotation Description. example: deploy of master branch happened at Wed Jul 6 22:34:41 UTC 2016 responses: 200: description: successful query schema: type: object properties: id: type: integer description: ID. example: 1 message: type: string description: Confirmation message. example: Graphite annotation added /v1/grafana/api/annotations/:id: put: operationId: updateAnnotations summary: Update annotations description: | Updates an annotation in the Grafana database. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: path name: id type: integer schema: description: >- Id of the annotation. - in: body name: body schema: type: object properties: time: type: integer description: Epoch time in milliseconds. timeEnd: type: integer description: Epoch time in milliseconds. example: Event - deploy text: type: string description: Annotation Description. tags: type: attay description: Tags. example: ["tag3","tag4","tag5"] items: type: string responses: 200: description: successful query schema: type: object properties: message: type: string description: Confirmation message. example: Annotation updated patch: operationId: patchAnnotations summary: Patch annotations description: | Updates one or more properties of an annotation that matches the specified id. This operation currently supports updating of the text, tags, time and timeEnd properties. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: path name: id type: integer schema: description: >- Id of the annotation. - in: body name: body schema: type: object properties: text: type: string description: Annotation Description. tags: type: attay description: Tags. items: type: string responses: 200: description: successful query schema: type: object properties: message: type: string description: Confirmation message. example: Annotation patched delete: operationId: deleteAnnotations summary: Delete annotation by id description: | Deletes the annotation that matches the specified id. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: path name: id type: integer schema: description: >- Id of the annotation. responses: 200: description: successful query schema: type: object properties: message: type: string description: Confirmation message. example: Annotation deleted /v1/grafana/api/annotations/tags: get: operationId: getAnnotationsTags summary: Get event tags created in annotations description: | Searches for event tags in annotations in the Grafana database. Please ensure to change the region in the URL to match your account's region. tags: - Grafana annotations parameters: - in: query name: tag type: string schema: description: >- Tag. Optional. - in: query name: limit type: integer schema: description: >- Optional. A number, where the default is 100. Max limit for results returned. responses: 200: description: successful query schema: type: object properties: result: type: object description: Query result. properties: tags: type: object description: Tags retrieved by the query. properties: tag: type: string description: Tag. example: outage count: type: integer description: Tags count. example: 1 /v1/grafana/api/dashboards/db: post: operationId: createDashboard summary: Create/update a dashboard description: | Creates or updates a new dashboard or updates an existing dashboard. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards parameters: - in: body type: object schema: properties: dashboard: type: object description: The complete dashboard model, to create a new dashboard. properties: id: type: integer description: Nullable to create a new dashboard. example: 1 uid: type: integer description: Optional unique identifier when creating a dashboard. will generate a new uid. example: 1 panels: type: array items: type: object properties: alert: type: object properties: alertRuleTags: type: object conditions: type: array items: type: object properties: evaluator: type: object properties: params: type: array items: type: integer format: int32 type: type: string operator: type: object properties: type: type: string query: type: object properties: params: type: array items: type: string reducer: type: object properties: params: type: array items: type: type: string type: type: string executionErrorState: type: string for: type: string frequency: type: string handler: type: integer format: int32 name: type: string noDataState: type: string notifications: type: array items: aliasColors: type: object properties: bars: type: boolean dashLength: type: integer format: int32 dashes: type: boolean datasource: type: string format: nullable fieldConfig: type: object properties: defaults: type: object properties: custom: type: object properties: overrides: type: array items: fill: type: integer format: int32 fillGradient: type: integer format: int32 gridPos: type: object properties: h: type: integer format: int32 w: type: integer format: int32 x: type: integer format: int32 y: type: integer format: int32 hiddenSeries: type: boolean id: type: integer format: int32 legend: type: object properties: avg: type: boolean current: type: boolean max: type: boolean min: type: boolean show: type: boolean total: type: boolean values: type: boolean lines: type: boolean linewidth: type: integer format: int32 nullPointMode: type: string options: type: object properties: dataLinks: type: array items: percentage: type: boolean pointradius: type: integer format: int32 points: type: boolean renderer: type: string seriesOverrides: type: array items: spaceLength: type: integer format: int32 stack: type: boolean steppedLine: type: boolean targets: type: array items: type: object properties: refId: type: string scenarioId: type: string thresholds: type: array items: type: object properties: colorMode: type: string fill: type: boolean line: type: boolean op: type: string value: type: integer format: int32 timeFrom: type: string format: nullable timeRegions: type: array items: timeShift: type: string format: nullable title: type: string tooltip: type: object properties: shared: type: boolean sort: type: integer format: int32 value_type: type: string type: type: string xaxis: type: object properties: buckets: type: string format: nullable mode: type: string name: type: string format: nullable show: type: boolean values: type: array items: yaxes: type: array items: type: object properties: format: type: string label: type: string format: nullable logBase: type: integer format: int32 max: type: string format: nullable min: type: string format: nullable show: type: boolean yaxis: type: object properties: align: type: boolean alignLevel: type: string format: nullable title: type: string example: Production Overview tags: type: array items: type: string example: tag3 timezone: type: string example: browser schemaVersion: type: integer example: 1 version: type: integer example: 0 refresh: type: string description: Set the dashboard refresh interval. If this is lower than the minimum refresh interval, then Grafana will ignore it and will enforce the minimum refresh interval. example: 25s folderId: type: integer description: The id of the folder to save the dashboard in. example: 1 folderUid: type: string description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. example: l3KqBxCMz message: type: string description: Set a commit message for the version history. example: Made changes to xyz overwrite: description: Set to true if you want to overwrite existing dashboard with newer version, same dashboard title in folder or same dashboard uid. type: boolean responses: 200: description: successful query schema: type: object properties: id: type: integer example: 1 description: ID. uid: type: string example: cIBgcSjkk description: UID. url: type: string example: /d/cIBgcSjkk/production-overview description: URL. status: type: string example: success description: Request status. version: type: integer example: 1 description: Dashboard version. slug: type: string example: production-overview description: Dashboard slug. 412: description: failed schema: type: object properties: message: type: string example: The dashboard has been changed by someone else description: Error message. status: type: string example: version-mismatch description: Error status. /v1/grafana/api/dashboards/uid/<>: get: operationId: getDashboarById summary: Get dashboard by uid description: | Will return the dashboard given the dashboard unique identifier (uid). Information about the unique identifier of a folder containing the requested dashboard might be found in the metadata. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards parameters: - in: path name: uid type: string schema: description: >- Dashboard UID. responses: 200: description: success schema: type: object properties: dashboard: type: object description: The complete dashboard model, `id = null ` to create a new dashboard. properties: id: type: integer description: Set `id = null` to create a new dashboard. example: 1 uid: type: integer description: Optional unique identifier when creating a dashboard, `id = null` will generate a new uid. example: 1 title: type: string example: Production Overview description: Dashboard title. tags: type: array description: Dashboard tags. items: type: string example: tag3 timezone: type: string description: Timezone. example: browser schemaVersion: type: integer description: Schema version. example: 1 version: type: integer description: Dashboard version. example: 0 meta: type: object description: Information about the unique identifier of a folder containing the requested dashboard. properties: isStarred: type: boolean example: true description: Whether the dashboard is starred. url: type: string example: /d/cIBgcSjkk/production-overview description: Dashboard url. folderId: type: integer example: 2 description: Dashboard folder id. folderUid: type: string example: l3KqBxCMz description: The unique identifier (uid) of a folder to search in for dashboards. You cannot use `General` folder or the folder generated by logz.io - `Logz.io Dashboards` - to place your alerts. slug: type: string example: production-overview description: Dashboard slug. delete: operationId: deleteDashboarById summary: Delete dashboard by uid description: | Will delete the dashboard given the specified unique identifier (uid). Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards parameters: - in: path name: uid type: string schema: description: >- Dashboard UID. responses: 200: description: success schema: type: object properties: title: type: object example: Production Overview description: Dashboard title. message: type: object description: Response message. id: type: integer example: 2 description: Dashboard id. /v1/grafana/api/dashboards/home: get: operationId: getHomeDashboard summary: Get home dashboard description: | Will return the home dashboard. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards responses: 200: description: success schema: type: object properties: dashboard: type: object description: The complete dashboard model, `id = null` to create a new dashboard. properties: editable: type: boolean example: false hideControls: type: integer example: false nav: type: object properties: enable: type: boolean example: false type: type: string example: timepicker style: type: string example: dark tags: type: object properties: tag: type: string example: outage templating: type: object properties: list: type: array items: type: string time: type: object timezone: type: string example: browser title: type: string example: Home version: type: integer example: 2 meta: type: object description: The complete dashboard model, `id = null` to create a new dashboard. properties: isHome: type: boolean example: true canSave: type: boolean example: false canEdit: type: boolean example: false canStar: type: boolean example: false url: type: string example: url expires: type: string example: 0001-01-01T00:00:00Z created: type: string example: 0001-01-01T00:00:00Z /v1/grafana/api/dashboards/tags: get: operationId: getDashboardTags summary: Get all tags of dashboards description: | Will return all tags for all dashboard. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards responses: 200: description: success schema: type: array items: type: object properties: term: type: string description: Tag term. example: tag1 count: type: string description: Tag count. example: count1 /v1/grafana/api/dashboards/id/:dashboardId/versions: get: operationId: getAllDashboardVersions summary: Get all dashboard versions description: | Gets all existing dashboard versions for the dashboard with the given dashboardId. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards parameters: - in: path name: dashboardId type: integer schema: description: >- Dashboard ID. - in: query name: limit type: integer schema: description: >- Maximum number of results to return. - in: query name: start type: integer schema: description: >- Version to start from when returning queries. responses: 200: description: success schema: type: object properties: id: type: integer description: ID. example: 1 dashboardId: type: integer description: Dashboard ID. example: 2 parentVersion: type: integer description: Dashboard parent version. example: 0 restoredFrom: type: integer description: Restored from. example: 0 version: type: integer description: Version. example: 2 created: type: integer description: Date created. example: 2017-06-08T17:24:33-04:00" createdBy: type: string description: Created by. example: admin message: type: string description: Message. example: Initial save /v1/grafana/api/dashboards/id/:dashboardId/versions/:id: get: operationId: getDashboardVersion summary: Get dashboard version description: | Get the dashboard version with the given id, for the dashboard with the given id. Please ensure to change the region in the URL to match your account's region. parameters: - in: path name: dashboardId type: integer schema: description: >- Dashboard ID. - in: path name: id type: integer schema: description: >- Version ID. tags: - Grafana dashboards responses: 200: description: success schema: type: object properties: id: type: integer description: ID. example: 1 dashboardId: type: integer description: Dashboard ID. example: 1 parentVersion: type: integer description: Parent version. example: 0 restoredFrom: type: integer description: Restored from. example: 0 version: type: integer description: Version. example: 1 created: type: string description: Creation date. example: 2017-04-26T17:18:38-04:00 message: type: string description: Message. example: Initial save data: type: object description: Data. properties: annotations: type: object description: Annotations. properties: list: type: array items: editable: type: boolean description: Whether the data is editable. gnetId: type: string description: Gnet Id. graphTooltip: type: integer description: Graph tooltip. example: 0 hideControls: type: boolean description: Whether to hide controls. id: type: integer description: ID. example: 1 links: type: array description: Links. items: rows: type: array description: Rows. items: type: object description: Items. properties: collapse: type: boolean description: Whether to collapse items. height: type: string description: Height. example: 250px panels: type: array description: Panels. items: repeat: type: string description: Repeat. repeatIteration: type: string description: Repeat iteration. repeatRowId: type: string description: Repeat row id. showTitle: type: boolean description: Whether to show title. title: type: string example: "Dashboard Row" description: Title. titleSize: type: string example: "h6" description: Title size. schemaVersion: type: integer example: "14" description: Schema version. style: type: string example: "dark" description: Style. tags: type: array items: description: Tags. templating: type: object description: Templating. properties: list: type: array items: time: type: object description: Time. properties: from: type: string description: From. example: "now-6h" to: type: string description: To. example: now timepicker: type: object description: Time picker. properties: refresh_intervals: type: array description: Refresh intervals. items: type: string example: "5s" time_options: type: array description: Time options. items: type: string example: "5m" timezone: type: string description: Time zone. example: browser title: type: string description: Title. example: test version: type: integer description: Version. example: 1 createdBy: type: string description: Created by. example: "admin" /v1/grafana/api/dashboards/id/:dashboardId/restore: post: operationId: restoreDashboard summary: Restore a dashboard description: | Restores a dashboard to a given dashboard version. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards parameters: - in: body type: object schema: properties: version: type: integer description: Dashboard version. - in: path name: dashboardId type: integer schema: description: >- Dashboard ID. responses: 200: description: successful query schema: type: object properties: slug: type: string description: Dashboard slug. example: production-overview status: type: string description: Dashboard status. example: success version: type: integer description: Dashboard version. example: 1 /v1/grafana/api/dashboards/calculate-diff: post: operationId: compareDashboard summary: Compare dashboards description: | Compares two dashboard versions by calculating the JSON diff of them. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboards parameters: - in: body type: object schema: properties: base: type: object description: Object representing the base dashboard version. properties: dashboardId: type: integer example: 1 version: type: integer example: 1 new: type: object description: Object representing the new dashboard version properties: dashboardId: type: integer example: 1 version: type: integer example: 1 diffType: type: string description: the type of diff to return. Can be “json” or “basic”. responses: 200: description: successful query schema: type: object /v1/grafana/api/search/: get: operationId: searchDashboard summary: Search folders and dashboards description: | Search folders and dashboards. Please ensure to change the region in the URL to match your account's region. tags: - Grafana dashboard search parameters: - in: query name: query type: string schema: description: >- Search query. - in: query name: tag type: string schema: description: >- List of tags to search for. - in: query name: type type: string schema: description: >- Type to search for, dash-folder or dash-db. - in: query name: dashboardIds type: integer schema: description: >- List of dashboard id’s to search for. - in: query name: folderIds type: integer schema: description: >- List of folder id’s to search in for dashboards. - in: query name: starred type: boolean schema: description: >- Flag indicating if only starred Dashboards should be returned. - in: query name: limit type: integer schema: description: >- Limit the number of returned results (max 5000). - in: query name: page type: integer schema: description: >- Use this parameter to access hits beyond limit. Numbering starts at 1. limit param acts as page size. Only available in Grafana v6.2+. responses: 200: description: successful query schema: type: object properties: id: type: integer description: ID. example: 163 uid: type: string description: UID. example: "000000163" title: type: string description: Title. example: "Folder" url: type: string description: URL. example: "/dashboards/f/000000163/folder" type: type: string description: Type. example: "dash-folder" tags: type: array description: Tags. isStarred: type: boolean description: Whether the dashboard is starred. uri: type: string description: URI. example: "db/folder" /v1/grafana/api/dashboard/snapshots/: get: operationId: getGrafanaSnapshot summary: Get list of Snapshots description: | Get list of Snapshots. Note that snapshots are stored for 30 days and automatically deleted afterwards. Please ensure to change the region in the URL to match your account's region. tags: - Grafana snapshots parameters: - in: query name: query type: string schema: description: >- Search query. - in: query name: limit type: integer schema: description: >- Limit the number of returned results. responses: 200: description: successful query schema: type: object properties: id: type: integer description: ID. example: 8 name: type: string description: Snapshot name. example: Home key: type: string description: Snapshot key. example: YYYYYYY orgId: type: integer description: Snapshot orgId. example: 1 userId: type: integer description: Snapshot user ID. example: 1 external: type: boolean description: Whether the snapshot is external. externalUrl: type: string description: Snapshot external url. expires: type: string description: Snapshot expiry date. example: 2200-13-32T25:23:23+02:00 created: type: string description: Snapshot creation date. example: 2200-13-32T28:24:23+02:00 updated: type: string description: Snapshot update date. example: 2200-13-32T28:24:23+02:00 /v1/grafana/api/snapshots/: post: operationId: postGrafanaSnapshot summary: Create a snapshot description: | Creates a snapshot. Snapshots are stored for 30 days and automatically deleted afterwards. Please ensure to change the region in the URL to match your account's region. tags: - Grafana snapshots parameters: - in: body type: object schema: properties: dashboard: type: object required: true description: The complete dashboard model. name: type: string description: Snapshot name. expires: type: integer description: >- When the snapshot should expire in seconds. 3600 is 1 hour, 86400 is 1 day. Default is never to expire. external: type: boolean description: >- Save the snapshot on an external server rather than locally. Default is false. key: type: string description: >- Define the unique key. Required if external is true. deleteKey: type: string description: >- Unique key used to delete the snapshot. It is different from the key so that only the creator can delete the snapshot. Required if external is true. responses: 200: description: successful query schema: type: object properties: deleteKey: type: string description: Unique key used to delete the snapshot. It is different from the `key` so that only the creator can delete the snapshot. Required if external is `true`. example: XXXXXXX deleteUrl: type: string description: Delete url. example: myurl/api/snapshots-delete/XXXXXXX key: type: string description: Unique key. example: YYYYYYY url: type: string description: URL. example: myurl/dashboard/snapshot/YYYYYYY id: type: integer description: ID. example: 1 /v1/grafana/api/snapshots/:key/: get: operationId: getGrafanaSnapshotbyKey summary: Get Snapshot by Key. description: | Gets Snapshot by Key. Snapshots are stored for 30 days and automatically deleted afterwards. Please ensure to change the region in the URL to match your account's region. tags: - Grafana snapshots parameters: - in: path name: key type: string required: true responses: 200: description: successful query schema: type: object properties: meta: type: object properties: isSnapshot: type: boolean type: type: string example: snapshot canSave: type: boolean canEdit: type: boolean canStar: type: boolean slug: type: string example: expires: type: string example: 2200-13-32T25:23:23+02:00 created: type: string example: 2200-13-32T28:24:23+02:00 dashboard: type: object description: Dashboard. properties: editable: type: boolean description: Whether the dashboard is editable. hideControls: type: boolean description: Whether to hide controls. nav: type: array description: Nav. items: type: object properties: enable: type: boolean description: Nav enabled or not. type: type: string description: Nav type. example: timepicker rows: type: array description: Rows. items: type: object properties: style: type: string description: Style. example: dark tags: type: array description: Tags. items: templating: type: object description: Templating. properties: list: description: List. type: array items: time: type: object description: Time. properties: timezone: type: string description: Time zone. example: browser title: type: string description: Title. example: Home version: type: integer description: Dashboard version. example: 5 delete: operationId: deleteGrafanaSnapshotbyKey summary: Delete Snapshot by Key. description: >- Deletes snapshot by Key. Snapshots are stored for 30 days and automatically deleted afterwards. tags: - Grafana snapshots parameters: - in: path name: key type: string required: true responses: 200: description: successful query schema: type: object properties: message: type: string description: Message. example: Snapshot deleted. It might take an hour before it's cleared from any CDN caches. id: type: integer description: ID. example: 1 /v1/grafana/api/snapshots-delete/:deleteKey: get: operationId: deleteGrafanaSnapshotbyDeleteKey summary: Delete snapshot by deleteKey. description: | Delete snapshot by deleteKey. Note that snapshots are stored for 30 days and automatically deleted afterwards. Please ensure to change the region in the URL to match your account's region. tags: - Grafana snapshots parameters: - in: path name: deleteKey type: string required: true responses: 200: description: successful query schema: type: object properties: message: type: string description: Message. example: Snapshot deleted. It might take an hour before it's cleared from any CDN caches. id: type: integer description: ID. example: 1 /v1/osd/saved-objects/{object-type}/{object-id}: delete: summary: Remove a saved object description: Please ensure to change the region in the URL to match your account's region. tags: - Delete object API parameters: - in: path name: object-type required: true type: string description: The type of the saved object to remove. Valid options are "search", "visualization", and "dashboard". example: visualization - in: path name: object-id required: true type: string description: The ID of the saved object to remove. example: 7adfa750-4c81-11e8-b3d7-01146121b73d responses: 200: description: Indicates a successful call. # ::::: ACCOUNTS /v1/account-management/metrics-accounts: post: summary: Create a new metrics account description: Please ensure to change the region in the URL to match your account's region. consumes: - application/json tags: - Manage metrics account parameters: - in: body name: MetricsAccountV1Request required: true schema: type: object required: - email properties: email: type: string description: Email address of the account owner example: ^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$ accountName: type: string description: Name of metrics account to be created. If empty, the default name `_metrics` is used. planUts: type: integer description: Usage plan for Unique Time Series (UTS). UTS defines the number of unique time series an account is allowed to have. If usage exceeds the plan, exceeding data points will not be processed. authorizedAccountsIds: type: array description: IDs of authorized accounts items: type: integer description: IDs of authorized accounts responses: 201: description: Created schema: type: object properties: id: type: integer description: ID of the created metrics account accountName: type: string description: Name of metrics account. token: type: string description: Metrics account token createdAt: type: string format: date-time description: Timestamp of account creation planUts: type: integer description: Usage plan for Unique Time Series (UTS). UTS defines the number of unique time series an account is allowed to have. If usage exceeds the plan, exceeding data points will not be processed. authorizedAccountsIds: type: array description: IDs of authorized accounts items: type: integer get: summary: Get a list of all metrics accounts description: Please ensure to change the region in the URL to match your account's region. produces: - application/json tags: - Manage metrics account responses: 200: description: OK schema: type: array items: type: object properties: id: type: integer description: ID of the metrics account accountName: type: string description: Name of metrics account. token: type: string description: Metrics account token createdAt: type: string format: date-time description: Timestamp of account creation planUts: type: integer description: Usage plan for Unique Time Series (UTS). UTS defines the number of unique time series an account is allowed to have. If usage exceeds the plan, exceeding data points will not be processed. authorizedAccountsIds: type: array description: IDs of authorized accounts items: type: integer /v1/account-management/metrics-accounts/{metricsAccountId}: put: summary: Update a metrics account description: Please ensure to change the region in the URL to match your account's region. consumes: - application/json tags: - Manage metrics account parameters: - in: path name: metricsAccountId required: true type: integer - in: body name: MetricsAccountV1Request required: true schema: type: object properties: accountName: type: string description: Name of metrics account. planUts: type: integer description: Usage plan for Unique Time Series (UTS). UTS defines the number of unique time series an account is allowed to have. If usage exceeds the plan, exceeding data points will not be processed. authorizedAccountsIds: type: array description: IDs of authorized accounts items: type: integer responses: 200: description: OK schema: type: object properties: id: type: integer description: ID of the metrics account accountName: type: string description: Name of metrics account. token: type: string description: Metrics account token createdAt: type: string format: date-time description: Timestamp of account creation planUts: type: integer description: Usage plan for Unique Time Series (UTS). UTS defines the number of unique time series an account is allowed to have. If usage exceeds the plan, exceeding data points will not be processed. authorizedAccountsIds: type: array description: IDs of authorized accounts items: type: integer delete: summary: Delete a metrics account description: Please ensure to change the region in the URL to match your account's region. tags: - Manage metrics account parameters: - in: path name: metricsAccountId required: true responses: 200: description: OK get: summary: Get a specific metrics account description: Please ensure to change the region in the URL to match your account's region. produces: - application/json tags: - Manage metrics account parameters: - in: path type: integer name: metricsAccountId required: true responses: 200: description: OK schema: type: object properties: id: type: integer description: ID of the metrics account accountName: type: string description: Name of metrics account. token: type: string description: Metrics account token createdAt: type: string format: date-time description: Timestamp of account creation planUts: type: integer description: Usage plan for Unique Time Series (UTS). UTS defines the number of unique time series an account is allowed to have. If usage exceeds the plan, exceeding data points will not be processed. authorizedAccountsIds: type: array description: IDs of authorized accounts items: type: integer /v1/associated-accounts: get: summary: Get a list of all accounts derived from the accountId tags: - Associated accounts operationId: getRelatedAccounts description: | Returns a list of all accounts derived from the accountId for which the API-TOKEN (specified in the X-API-TOKEN header) was issued. If the API-TOKEN is issued for an owner account, it will return all sub-accounts (including security, tracing) and the owner account. If it’s not an owner account, it will return only one associated account. Please ensure to change the region in the URL to match your account's region. consumes: - application/json produces: - application/json responses: 200: description: Successful operation schema: type: array items: $ref: '#/definitions/AccountViewV3' /v2/whoami: get: summary: Retrieve account information description: Returns the account name as a string and the account ID as an integer. Good for testing or for confirming that you’re using an API token from the right account. Please ensure to change the region in the URL to match your account's region. tags: - Who am I operationId: whoAmI produces: - application/json responses: 200: description: successful operation schema: $ref: '#/definitions/WhoAmIV2Response' /v1/authentication/groups: get: summary: Get authentication groups description: | Returns a list of all existing authentication groups. Please ensure to change the region in the URL to match your account's region. tags: - Authentication groups operationId: getAuthGroups produces: - application/json responses: 200: description: successful operation schema: type: array items: type: object properties: group: type: string description: Group name example: group userRole: type: string description: User role example: role post: summary: Create/update authentication groups description: >- Creates/updates existing authentication groups. To create or update groups, you need to send all these groups in the payload. With every update, all running user sessions will be terminated, so the users need to login again. To delete a group, you need to exclude this group from the payload that you send to update groups. With every deletion, all running user sessions will be terminated, so the users need to login again. **Example 1.** Create groups called `group1` and `group2`. The payload will contain `[ { \"group\": \”group1\”, \"userRole\": \”USER_ROLE_READONLY\” }, { \"group\": \”group2\”, \"userRole\": \”USER_ROLE_ADMIN\” }]`. As a result, the two groups will be created with specified permissions. **Example 2.** Update existing groups called `group1` and `group2`. The payload will contain `[ { \"group\": \”group1\”, \"userRole\": \”USER_ROLE_ADMIN” }, { \"group\": \”group2\”, \"userRole\": \”USER_ROLE_READONLY\” }]`. As a result, the two groups will be updated with specified permissions. **Example 3.** Delete group called `group1` from the existing two groups: `group1` and `group2`. The payload will contain `[{ \"group\": \”group2\”, \"userRole\": \”USER_ROLE_READONLY\” }]`. As a result, `group1` will be deleted, as it is excluded from the payload. Please ensure to change the region in the URL to match your account's region. tags: - Authentication groups operationId: setAuthGroups parameters: - in: body name: body required: true schema: type: array items: type: object properties: group: type: string description: Group name example: group userRole: type: string description: User role example: role responses: 200: description: successful operation schema: type: array items: type: object properties: group: type: string description: Group name example: group userRole: type: string description: User role example: role /v1/account-management/time-based-accounts: get: summary: Retrieve settings for all accounts description: >- Returns account settings for the main account and all of its associated sub accounts. * The list of accounts is returned as an array of JSON objects. * Must be run with an API token from the main account. * Plan-specific fields - In the schema below, properties may be labeled as **Subscription** or **Consumption**. If a field doesn’t apply to your plan, it may be `null`. * Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: getAll responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/TimeBasedAccount' post: summary: Create a sub account description: | Creates a new logging sub account. Must be run with an API token from the main account. In the schema below, properties may be labeled as **Subscription** or **Consumption**. If a field doesn’t apply to your plan, it may be `null`. Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: createTimeBasedAccount parameters: - in: body name: body required: false schema: $ref: '#/definitions/TimeBasedAccountCreateRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/TimeBasedAccountCreationResponse' /v1/account-management/time-based-accounts/{id}: get: summary: Retrieve account settings by ID description: | Returns account configuration settings as a JSON object. Must be run with an API token from the main account. In the schema below, properties may be labeled as **Subscription** or **Consumption**. If a field doesn’t apply to your plan, it may be `null`. Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: get parameters: - name: id in: path required: true type: integer format: int32 description: ID of the account to retrieve x-example: 99999 responses: 200: description: successful operation schema: $ref: '#/definitions/TimeBasedAccount' put: summary: Update an account description: >- Updates the account settings of a main account or sub account, with some exceptions, noted below: * For the main account, the parameter `retentionDays` cannot be updated. It is determined by the plan you purchased. * For the main account, if `isFlexible=false`, the parameters `maxDailyGB` and `reservedDailyGB` cannot be updated using this endpoint. * In the schema below, properties may be labeled as **Subscription** or **Consumption**. If a field doesn’t apply to your plan, it may be `null`. Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: updateTimeBasedAccount parameters: - name: id in: path required: true type: integer format: int32 description: ID of the account to update x-example: 99999 - in: body name: body required: false schema: $ref: '#/definitions/TimeBasedAccountUpdateRequest' responses: 204: description: successful operation delete: summary: Delete a sub account description: | Deletes a sub account by its account ID. Must be run with an API token from the main account. Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: deleteTimeBasedAccount parameters: - name: id in: path required: true type: integer format: int32 description: ID of the account to be deleted. x-example: 99999 responses: 204: description: successful operation /v1/account-management/time-based-accounts/detailed: get: summary: Retrieve detailed information for all accounts description: >- Returns detailed account information for the main account and all of its associated sub accounts. Information includes usage and sharing permissions for Kibana objects. * The list of accounts is returned as an array of JSON objects. Each sub account is its own object. * Must be run with an API token from the main account. Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: getAllDetailedTimeBasedAccount responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/DetailedTimeBasedAccount' /v1/account-management/time-based-accounts/detailed/{id}: get: summary: Retrieve detailed account information by account ID description: | Returns detailed account information. Must be run with an API token from the main account. Please ensure to change the region in the URL to match your account's region. tags: - Manage time-based log accounts operationId: getDetailedTimeBasedAccount parameters: - name: id in: path required: true type: integer format: int32 description: ID of the account to retrieve x-example: 99999 responses: 200: description: successful operation schema: $ref: '#/definitions/DetailedTimeBasedAccount' # ::::: SEARCH, SCROLL /v1/search: post: operationId: search summary: Search logs description: >- Searches your account data using the [Elasticsearch Search API DSL](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search.html) query language. **total:** This call returns up to 1,000 results per query for aggregated results, or 10,000 results for non-aggregated results. **Note:** To ensure speed and availability of your logs, we restrict some options from the Elasticsearch defaults that could hamper system performance. Restrictions are described with their respective elements below. Please ensure to change the region in the URL to match your account's region. tags: - Search logs consumes: - application/json produces: - application/json parameters: - in: body name: body required: true schema: type: object required: - query properties: query: type: object description: >- The query can take any of the parameters described in the [Elasticsearch Search API DSL documentation](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search.html) with the exceptions stated below. #### Limitations * When using `query_string`, `allow_leading_wildcard` must be set to `false` * `wildcard` can't start with `*` or `?` * Can't contain `fuzzy_max_expansions`, `max_expansions`, or `max_determinized_states` #### Notes on the search time range * By default, your query runs on data sent today and yesterday, UTC. You can move this 2-calendar-day window by using the `dayOffset` query parameter. * Searches without a `timestamp` filter will return the last 2 calendar days, UTC. You can search other calendar days (up to 2 at a time) using a filter on the `timestamp`. example: { "bool": { "must": [{ "range": { "@timestamp": { "gte": "now-5m", "lte": "now" } } }] } } from: type: integer minimum: 0 default: 0 description: Of the results found, the first result to return. example: 0 size: type: integer description: Number of results to return default: 10 maximum: 10000 example: 10 sort: type: array description: >- #### Limitations * Can't sort or aggregate on analyzed fields, such as the `message` field items: type: object _source: type: object description: >- The object `includes` specifies an array of strings specifying an array of fields to return. * If you omit `_source` from the request, all fields are returned. * If you pass `'_source': false`, it will exclude the `_source` field from the results. properties: includes: type: array description: Array of fields to return example: [ "message" ] items: type: string example: false post_filter: type: object description: A filter applied after the aggregations have been calculated. Useful for reusing a single query to calculate several outputs with different filtering criteria. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-request-post-filter.html) for details. example: null docvalue_fields: type: array description: Powers inverted indexing. Allows queries to look up the search term in unique sorted list by @timestamp. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-request-docvalue-fields.html) for details. items: type: string example: ["@timestamp"] version: type: boolean description: Returns a version for each result. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-request-version.html) for details. stored_fields: type: array description: Useful for querying for fields that don’t appear in the _source field or querying for larger documents by date or title. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-request-stored-fields.html) for details. items: type: string example: ["*"] highlight: type: object description: Highlight strings in one or more fields in your search results. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-request-highlighting.html) for details. aggregations: type: object description: >- Apply field aggregations. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-aggregations.html) for details. #### Limitations * When using the `size` element, the value must be ≤ `1000` * Can't nest 2 or more bucket aggregations of these types: `date_histogram`, `geohash_grid`, `histogram`, `ip_ranges`, `significant_terms`, `terms` * Can't sort or aggregate on analyzed fields, such as the `message` field * Aggregation type `significant_terms` and `multi_terms` can't be used **Note:** You can use `aggs` or `aggregations` as the field name example: { "byType": { "terms": { "field": "type", "size": 5 } } } responses: 200: description: successful query. `hits` are the total number of logs that match the query, which will always be in the 0-2 day range. `total` are the actual logs that are returned when using the query, which are not limited by the selected time range. schema: type: object example: >- { "hits": { "total": 339604, "max_score": 0.0, "hits": [ ] }, "aggregations": { "byType": { "doc_count_error_upper_bound": 0, "sum_other_doc_count": 44879, "buckets": [ { "key": "web-app", "doc_count": 163690 }, { "key": "core-service", "doc_count": 64893 } ] } } } /v1/scroll: post: summary: Scroll logs tags: - Search logs description: >- This endpoint can take 2 types of call requests. The first type runs a search query that returns a `scrollID` and the first batch of paginated results. The second request type passes only the `scroll_id` (The variation in the field name is intentional) to fetch the next batches of paginated results. This endpoint always returns results as a stringified JSON. How it works: First, send a request to establish the `scrollID`. This initial request contains the query object and additional parameters, similar to the `v1/search` endpoint, with the exception that `dayOffset` and `accountIds` are not supported. The request will return the field `scrollId` and the number of `hits`, representing the number of matching results. For example, the `scroll_Id` string may have a value `*************80Y1JVcldDaVEAAAAAjeoh8hZYNkVkXzNhWVJRaUIwcWF5TEVnU2ZR`. Next, send the `scroll_id` in the request body to retrieve the log results as a stringified JSON. Each call returns the next page, where each page can return a maximum of 1000 results. Every time you resend the same `scroll_id` in the request body, it returns the next page until it reaches the end of the results. Note that 'scrollID' expires after 20 minutes. Every time you send the request with the same `scroll_id`, the next batch of results is returned. Keep sending the same scroll ID as many times as needed to retrieve all of the available results. The results are paginated, and every request returns the next page, one at a time. When the call returns an empty array, you'll know you've reached the end of your results. Note that the Scroll API is limited to searching only within the account associated with the token used. If the token belongs to the main account, the search will be limited to it and will not include sub-accounts. **Note**: * Send the field `scroll_id` in requests (snake_case). * Receive the field `scrollID` in your responses (camelCase). It expires after 20 minutes. Please ensure to change the region in the URL to match your account's region. operationId: scroll parameters: - in: body name: body required: false schema: $ref: '#/definitions/ScrollRequest' responses: 200: description: successful operation. `hits` are the total number of logs that match the query, which will always be in the 0-2 day range. `total` are the actual logs that are returned when using the query, which are not limited by the selected time range. schema: $ref: '#/definitions/ScrollResponse' # ::::: Archive /v2/archive/settings: get: summary: Retrieve archiving settings description: >- Gets the current archive settings for a time-based log account. Note that only one archive can be active per account. Please ensure to change the region in the URL to match your account's region. tags: - Archive logs operationId: getSettingsForAccount produces: - application/json responses: '200': description: successful operation schema: $ref: '#/definitions/ArchiveSettingsResponse' post: summary: Set up archiving description: | Configure archiving for a time-based log account. One archive can be configured per account (or sub account). For more on this, see [AWS Access with IAM](https://docs.logz.io/user-guide/give-aws-access-with-iam-roles/) and [Archiving](https://docs.logz.io/user-guide/archive-and-restore/configure-archiving.html). Please ensure to change the region in the URL to match your account's region. tags: - Archive logs operationId: createSettings consumes: - application/json produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/ArchiveSettings' responses: default: description: successful operation /v2/archive/settings/test: post: summary: Test archive settings description: | Tests the settings and returns the status code to confirm that a connection with the provider was established. Please ensure to change the region in the URL to match your account's region. tags: - Archive logs operationId: testSettings consumes: - application/json produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/TestStorageRequest' responses: default: description: successful operation /v2/archive/settings/{id}: get: summary: Retrieve archive settings description: | Retrieves an archiving settings by the ID of the settings. Please ensure to change the region in the URL to match your account's region. tags: - Archive logs operationId: getSettings consumes: - application/json produces: - application/json parameters: - name: id in: path required: true type: integer description: ID of the archive settings. responses: '200': description: successful operation schema: $ref: '#/definitions/ArchiveSettingsResponse' headers: {} put: summary: Update archive settings description: >- Updates the archiving settings for a time-based log account. (The API token identifies the account.) Please ensure to change the region in the URL to match your account's region. You can use this endpoint to: * Switch archive settings between AWS and Azure Blob Storage or vice versa. * Update credentials. * Switch your AWS authentication method between credential keys and IAM roles. Note that only one archive can be active per account. tags: - Archive logs operationId: updateSettings consumes: - application/json produces: - application/json parameters: - name: id in: path required: true type: integer format: int32 description: ID of the archive settings. - in: body name: body required: false schema: $ref: '#/definitions/ArchiveSettings' responses: default: description: successful operation delete: summary: Delete archive settings description: | Deletes the archiving settings for a time-based log account. Please ensure to change the region in the URL to match your account's region. tags: - Archive logs operationId: deleteSettings consumes: - application/json produces: - application/json parameters: - name: id in: path required: true type: integer format: int32 description: ID of the archive settings. responses: default: description: successful operation # ::::: Restore /archive/restore: get: summary: Retrieve all restore operations description: | Returns a complete history of all restore operations initiated for the account. Please ensure to change the region in the URL to match your account's region. tags: - Restore logs operationId: getRestoreRequestsForAccountApi consumes: - application/json produces: - application/json parameters: [] responses: '200': description: successful operation schema: type: array items: $ref: '#/definitions/RestoreApiResponse' headers: {} post: summary: Initiate restore operation description: | Initiates a new operation to restore data from a specific time frame. (As a result, also triggers the creation of a temporary restored account in Logz.io to hold the restored data until its automatic expiration.) Please ensure to change the region in the URL to match your account's region. tags: - Restore logs operationId: createRestore consumes: - application/json produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/RestoreApiRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/RestoreApiResponse' headers: {} /archive/restore/{id}: get: summary: Get an update on a restore operation description: | Returns the status of a specific restore operation by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Restore logs operationId: getRestoreRequestByIdApi parameters: - name: id in: path required: true type: integer format: int32 description: ID of the restore process responses: '200': description: successful operation schema: $ref: '#/definitions/RestoreApiResponse' headers: {} delete: summary: Delete a restore operation description: | Aborts a restore process before its completion. Please ensure to change the region in the URL to match your account's region. tags: - Restore logs operationId: abortRestoreRequestApi parameters: - name: id in: path required: true type: integer format: int32 description: ID of the restore process. responses: '200': description: successful operation schema: $ref: '#/definitions/RestoreApiResponse' headers: {} # ::::: Sawmill /v1/sawmill/log-type-pipeline/{logType}: post: operationId: getSawmillTestType summary: Parse sample logs with a Sawmill pipeline description: | Performs parsing of sample logs with a given Sawmill pipeline (https://github.com/logzio/sawmill/wiki). A pipeline is a collection of parsing rules to be executed in a specific order where the syntax and functionality follow the guidelines of the Sawmill library. **Note:** this endpoint is not used to create or update parsing, but for testing purposes only. Please ensure to change the region in the URL to match your account's region. tags: - Parsing produces: - application/json parameters: - in: path type: string required: true name: logType description: Type of the log being parsed. This can be an existing type (already sent to Logz.io) or a new type (to be sent to Logz.io for parsing). - in: body name: body required: true schema: type: object properties: pipeLineDefinition: type: string example: "{ \"steps\": [ { \"kv\": { \"config\": { \"field\": \"hello\", \"fieldSplit\": \" \", \"valueSplit\": \"=\", \"includeKeys\": [ \"time\", \"level\", \"msg\" ] } } } ] }" sampleLogs: type: array items: type: object properties: type: type: string example: "logType" fullMessage: type: object properties: message: type: string example: "hi" hello: type: string example: "time=\"2022-07-22T07:18:28Z\" level=info msg=\"Error uploading file /var/lib/winlogbeat/test.json: BucketRegionError: incorrect region, the bucket is not in '\"us-east-1'\" region, host id: 64fD82\"" responses: '200': description: successful operation schema: type: array description: The response provides the value of `sampleLogs` after parsing. items: type: object example: >- {"Movie":"TheMatrix","fragment":"test","@timestamp":"2021-08-15T12:17:45.731+0000","check":"value","message":"balima","type":"TestType","UA-device":"Other"} get: operationId: getLogType summary: Get pipeline definition for a log type description: | Receive pipeline definition for a given log type, if the definition is already stored. Please ensure to change the region in the URL to match your account's region. tags: - Parsing produces: - application/json parameters: - in: path required: true type: string name: logType description: Log type that you need to retrieve a Sawmill pipeline for. If no parsing has been applied to this log type, 404 error will be given. responses: '200': description: successful operation schema: type: object example: >- {"steps":[{"addField":{"name":"addField","config":{"path":"Movie","value":"TheMatrix"}}}]} '404': description: pipeline not found for this log type schema: type: object example: - errorCode: SAWMILL_SELF_PARSE/PIPELINE NOT FOUND message: log type with name (logType) not found parameters: - logTypeName: SampleLogType /v1/sawmill/external-mapping/upload: post: operationId: postSawmillMappingFile summary: Upload an external mapping file to Logz.io storage. description: | Uploads an external mapping file in `.properties` format to Logz.io storage. This file can be used later by Sawmill [ExternalMappingSourceProcessor](https://github.com/logzio/sawmill/wiki/External-Mapping-Source-Processor). This feature is not available by default. To enable it, contact Logz.io support. 10 files can be uploaded per account. The file size is limited to 50 MB. Please ensure to change the region in the URL to match your account's region. tags: - Parsing consumes: - multipart/form-data produces: - application/json parameters: - in: formData name: file type: file description: The external mapping file. responses: '201': description: successful operation schema: type: object properties: result: type: string example: Successfully updated external mapping description: Successfully updated external mapping '400': description: bad request schema: type: object properties: errorCode: type: string example: FILE_RESTRICTIONS/EXTERNAL_MAPPINGS_LIMIT_REACHED message: type: string example: Failed to upload external mapping. Exceeded allowed amount of mapping files per account - 10. Please Contact Support to delete old mappings. requestId: type: string parameters: type: object properties: currentLimit: type: integer example: 10 '422': description: validation error schema: type: object properties: result: type: string example: Failed to update external mapping description: Failed to update external mapping /v1/account/log-types: get: operationId: getLogTypes summary: Get all log types description: | Get all log types for a given account including the log types with no parsing attached. Please ensure to change the region in the URL to match your account's region. tags: - Parsing produces: - application/json responses: '200': description: successful operation schema: type: array items: type: string example: [“metering-access”,“lag-monitor”,“business-analytics-metrics”,“consul-agent”,“auth0”] # ::::: Alerts V2 /v2/alerts: get: operationId: getAllAlerts summary: Retrieve all alerts description: | Returns the complete list of all alerts configured for the account. Please ensure to change the region in the URL to match your account's region. tags: - Alerts parameters: - in: body name: body required: false responses: '200': description: successful operation schema: type: array items: $ref: '#/definitions/AlertV2Response' headers: {} post: summary: Create an alert description: | Configures and activates a new alert. Please ensure to change the region in the URL to match your account's region. tags: - Alerts operationId: createAlert produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/AlertV2Request' responses: '200': description: successful operation schema: $ref: '#/definitions/AlertV2Response' /v2/alerts/<>: get: summary: Retrieve alert by ID description: | Returns alert details by alert ID. Please ensure to change the region in the URL to match your account's region. tags: - Alerts operationId: getAlert parameters: - in: path name: alertId required: true type: integer format: int32 description: Unique identifier of the alert in Logz.io. example: 563412 responses: '200': description: successful operation schema: $ref: '#/definitions/AlertV2Response' headers: {} put: summary: Update an alert description: | Applies changes to an alert, identified by its ID. Can be used to enable or disable the alert. Please ensure to change the region in the URL to match your account's region. tags: - Alerts operationId: updateAlert consumes: - application/json produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/AlertV2Request' - name: alertId in: path required: true type: integer format: int32 description: Unique identifier of the alert in Logz.io. example: 563412 responses: '200': description: successful operation schema: $ref: '#/definitions/AlertV2Response' delete: operationId: deleteAlert summary: Delete an alert description: | Deletes an alert identified by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Alerts consumes: - application/json produces: - application/json parameters: - name: alertId in: path required: true type: integer format: int32 description: Unique identifier of the alert in Logz.io. example: 563412 responses: '200': description: successful operation schema: $ref: '#/definitions/AlertV2Response' headers: {} /v2/alerts/{id}/enable: post: summary: Enable alert by ID description: | Enables an alert by its alert ID. This is reversible. The alert can be disabled again at any time. Please ensure to change the region in the URL to match your account's region. operationId: enableAlert tags: - Alerts produces: - application/json parameters: - name: id description: Alert ID in: path required: true type: integer format: int32 example: 654312 responses: default: description: successful operation /v2/alerts/{id}/disable: post: operationId: disableAlert summary: Disable alert by ID description: | Disables an alert by its alert ID. This is reversible. The alert can be enabled again at any time. Please ensure to change the region in the URL to match your account's region. tags: - Alerts produces: - application/json parameters: - name: id description: Alert ID in: path required: true type: integer format: int32 example: 654321 responses: default: description: successful operation # ::::: TriggeredAlerts V1 /v1/alerts/triggered-alerts: post: operationId: TriggeredAlerts summary: Retrieve triggered alerts description: | Returns a paged filtered list of triggered alerts for your accounts. Please ensure to change the region in the URL to match your account's region. tags: - Alerts produces: - application/json parameters: - name: from in: query type: integer minimum: 0 default: 0 description: Of the results found, the first result to return. example: 0 - name: size in: query type: integer description: Size of page to return. example: 15 - name: search in: query type: string description: Part of the alert name to filter by name (ignore case). example: test - name: severities in: query type: array items: type: string enum: - - SEVERE - HIGH - MEDIUM - LOW - INFO example: '["SEVERE", "HIGH"]' description: Filter results by severity of triggered alerts. - name: sortBy in: query description: Sort alerts by date or severity. schema: type: string enum: [DATE, SEVERITY] - name: sortOrder in: query description: Sort order of alerts retrieved. schema: type: string enum: [ASC, DESC] - name: tags in: query type: array items: type: string description: List of tags the alert is related to. responses: '200': description: successful operation schema: type: array items: $ref: '#/definitions/TriggeredAlertsResponse' headers: {} # ::::: Deployment markers /v2/markers/create-markers: post: tags: - Deployments operationId: createMarkers summary: Add deployment markers to Exception graphs description: | Send logs with details of service deployments to annotate Exception graphs in Kibana Discover. [Learn more about Deployment markers](https://docs.logz.io/docs/user-guide/log-management/opensearch-dashboards/opensearch-deployment-markers) Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - in: body name: body required: true schema: $ref: '#/definitions/CreateMarkersRequest' responses: default: description: 204 No Content # ::::: Log Insights /v1/insights/list: post: summary: Get the list of Insights tags: - Insights description: >- Get the list of Insights that match your search criteria. Whenever a new Insight is detected, it receives an Insight ID and is tracked for as long as it recurs. The lookback period for Insights is 6 months. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. operationId: getPublicInsights parameters: - in: body name: body required: false schema: $ref: '#/definitions/PublicGetAccountInsightsRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PageResponsePublicAccountInsightResponse' # ::::: AUDIT TRAIL /v1/audit-trail/event-types: post: operationId: listAccountAuditTrails summary: Retrieve all event types in the audit trail description: | Returns an array of strings. Each string is an event type that appears in the account's audit trail. Each event type is shown once, no matter how many times it occurs in the account's audit trail. Please ensure to change the region in the URL to match your account's region. tags: - Retrieve audit trail responses: 200: description: successful operation schema: $ref: '#/definitions/AuditTrailEventTypesResponse' /v1/audit-trail: post: operationId: listAccountAuditTrailsFiltered description: Please ensure to change the region in the URL to match your account's region. summary: Retrieve a filtered list of audit trail events tags: - Retrieve audit trail parameters: - in: body name: body required: false schema: $ref: '#/definitions/AuditTrailFilterRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/AuditTrailFilteredResponse' # ::::: CLOUDTRAIL /v1/log-shipping/cloudtrails: get: operationId: getAccountCloudTrails summary: Retrieve all connected CloudTrail resources description: >- Returns a list of CloudTrail resources connected to your Logz.io account. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Connect to CloudTrail responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/CloudTrailResponse' post: operationId: createCloudTrail summary: Create a new CloudTrail connector description: >- Establishes a new connection to a CloudTrail resource. As a result, logs from your CloudTrail resource will ship to the connected Logz.io account via an AWS S3 bucket. CloudTrail logs will be parsed using the Logz.io custom CloudTrail parsing pipeline. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Connect to CloudTrail parameters: - in: body name: body required: false schema: $ref: '#/definitions/CloudTrailRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/IdBean' /v1/log-shipping/cloudtrails/{id}: get: operationId: getCloudTrail summary: Retrieve CloudTrail connector by ID description: >- Returns details for a CloudTrail connector, identified by its ID. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Connect to CloudTrail parameters: - name: id in: path required: true type: integer format: int32 description: Logz.io ID of the CloudTrail connector responses: 200: description: successful operation schema: $ref: '#/definitions/CloudTrailResponse' put: operationId: updateCloudTrail summary: Update a CloudTrail connector description: >- Updates details for a CloudTrail connector. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Connect to CloudTrail parameters: - in: body name: body required: false schema: $ref: '#/definitions/CloudTrailRequest' - name: id description: Logz.io ID of the CloudTrail connector. in: path required: true type: integer format: int32 responses: 200: description: successful operation schema: $ref: '#/definitions/MessageBean' delete: operationId: deleteCloudTrail summary: Delete a CloudTrail connector description: >- Deletes a CloudTrail connector. As a result, CloudTrail will stop shipping data to your Logz.io account. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Connect to CloudTrail parameters: - name: id description: Logz.io ID of the CloudTrail connector. in: path required: true type: integer format: int32 responses: 200: description: successful operation schema: $ref: '#/definitions/MessageBean' # ::::: S3 log shipping /v1/log-shipping/s3-buckets: get: summary: Retrieve all connected S3 buckets description: | Returns a list of all S3 buckets connected to your Logz.io account. Please ensure to change the region in the URL to match your account's region. tags: - Connect to S3 Buckets operationId: getS3Buckets consumes: - application/json produces: - application/json parameters: responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/S3BucketResponse' post: summary: Create a new S3 bucket connector description: | Establishes a new connection of the Logz.io fetcher to an AWS S3 bucket. As a result, logs from your AWS resource will begin shipping to the connected Logz.io account via an AWS S3 bucket. Logs will be parsed using the Logz.io custom parsing pipeline for the resource. Please ensure to change the region in the URL to match your account's region. tags: - Connect to S3 Buckets operationId: createBuckets consumes: - application/json produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/S3BucketRequest' responses: default: description: successful operation '/v1/log-shipping/s3-buckets/{id}': get: summary: Retrieve an S3 bucket connector by ID description: | Returns connection details for an S3 bucket connector by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Connect to S3 Buckets operationId: getS3Bucket consumes: - application/json produces: - application/json parameters: - name: id description: Logz.io ID of the S3 Bucket connector. You can run the relevant GET endpoints to retrieve the ID. in: path required: true type: integer format: int32 responses: 200: description: successful operation schema: $ref: '#/definitions/S3BucketResponse' put: summary: Update an S3 bucket connector description: | Updates connection details for an S3 bucket connector. Please ensure to change the region in the URL to match your account's region. tags: - Connect to S3 Buckets operationId: updateBucket consumes: - application/json produces: - application/json parameters: - name: id in: path description: Logz.io ID of the S3 Bucket connector. You can run the relevant GET endpoints to retrieve the ID. required: true type: integer format: int32 - in: body name: body required: false schema: $ref: '#/definitions/S3BucketRequest' responses: default: description: successful operation delete: summary: Delete an S3 connector description: | Deletes an S3 bucket connector. As a result, the connected AWS resource will stop shipping logs to your Logz.io account. Please ensure to change the region in the URL to match your account's region. tags: - Connect to S3 Buckets operationId: deleteBucket consumes: - application/json produces: - application/json parameters: - name: id description: Logz.io ID of the S3 bucket connector. You can run the relevant GET endpoints to retrieve the ID. in: path required: true type: integer format: int32 responses: default: description: successful operation /v1/log-shipping/s3-buckets/aws-assume-role-details: get: summary: Get account information for IAM Role description: >- Returns the Logz.io parameters needed to create an AWS IAM Role in the AWS admin console. The next steps after running this endpoint: * Open your AWS admin console and create a new IAM Role. Once the role is created, you will obtain an ARN for it. Keep it handy for the next step. * Create a new S3 bucket connector. Provide the ARN from the previous step in the request body. Please ensure to change the region in the URL to match your account's region. tags: - Connect to S3 Buckets operationId: getAWSAssumeRoleDetails consumes: - application/json produces: - application/json parameters: responses: '200': description: successful operation schema: $ref: '#/definitions/AWSAssumeRoleDetails' headers: {} # ::::: NOTIFICATION ENDPOINTS /v1/endpoints/slack: post: operationId: createSlack summary: Create a Slack endpoint tags: - Manage notification endpoints description: | Creates a new Slack notification endpoint or sends a test message to Slack. Please ensure to change the region in the URL to match your account's region. parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/SlackEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/slack/{id}: put: tags: - Manage notification endpoints summary: Update Slack endpoint description: | Updates a Slack notification endpoint or sends a test message to Slack. Please ensure to change the region in the URL to match your account's region. operationId: updateSlack parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/SlackEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/custom: post: tags: - Manage notification endpoints summary: Create a custom notification endpoint description: | Creates a new notification endpoint for a custom integration or sends a test message to the custom endpoint. Please ensure to change the region in the URL to match your account's region. operationId: createCustom parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/CustomEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/custom/{id}: put: tags: - Manage notification endpoints summary: Update a custom notification endpoint description: | Updates a new notification endpoint for a custom integration or sends a test message to the custom endpoint. Please ensure to change the region in the URL to match your account's region. operationId: updateCustom parameters: - name: id in: path required: true type: integer format: int32 - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/CustomEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/pager-duty: post: tags: - Manage notification endpoints summary: Create a PagerDuty endpoint description: | Creates a new PagerDuty notification endpoint or sends a test message to PagerDuty. Please ensure to change the region in the URL to match your account's region. operationId: createPagerDuty parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/PagerDutyEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/pager-duty/{id}: put: tags: - Manage notification endpoints summary: Update a PagerDuty endpoint description: | Updates a PagerDuty notification endpoint or sends a test message to PagerDuty. Please ensure to change the region in the URL to match your account's region. operationId: updatePagerDuty parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/PagerDutyEndpointUpsertRequest' # responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/big-panda: post: tags: - Manage notification endpoints summary: Create a BigPanda endpoint description: | Creates a new BigPanda notification endpoint or sends a test message to BigPanda. Please ensure to change the region in the URL to match your account's region. operationId: createBigPanda parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/BigPandaEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/big-panda/{id}: put: tags: - Manage notification endpoints summary: Update a BigPanda endpoint description: | Updates a BigPanda notification endpoint or sends a test message to BigPanda. Please ensure to change the region in the URL to match your account's region. operationId: updateBigPanda parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/BigPandaEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/data-dog: post: tags: - Manage notification endpoints summary: Create a Datadog endpoint description: | Creates a new Datadog notification endpoint or sends a test message to Datadog. Please ensure to change the region in the URL to match your account's region. operationId: createDataDog parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/DatadogEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/data-dog/{id}: put: tags: - Manage notification endpoints summary: Update a Datadog endpoint description: | Updates a Datadog notification endpoint or sends a test message to Datadog. Please ensure to change the region in the URL to match your account's region. operationId: updateDataDog parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/DatadogEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/victorops: post: tags: - Manage notification endpoints summary: Create a VictorOps endpoint description: | Creates a new VictorOps notification endpoint or sends a test message to VictorOps. Please ensure to change the region in the URL to match your account's region. operationId: createVictorops parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/VictoropsEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/victorops/{id}: put: tags: - Manage notification endpoints summary: Update a VictorOps endpoint description: | Updates a VictorOps notification endpoint or sends a test message to VictorOps. Please ensure to change the region in the URL to match your account's region. operationId: updateVictorops parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/VictoropsEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/{id}: get: tags: - Manage notification endpoints summary: Retrieve an endpoint by ID description: | Returns a JSON object representing a notification endpoint configured in the account. Please ensure to change the region in the URL to match your account's region. operationId: getEndpointById parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint responses: 200: description: successful operation schema: $ref: '#/definitions/Endpoint' delete: tags: - Manage notification endpoints summary: Delete an endpoint description: | Deletes a notification endpoint. Please ensure to change the region in the URL to match your account's region. operationId: deleteEndpoint parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint responses: 204: description: successful operation /v1/endpoints: get: tags: - Manage notification endpoints summary: Retrieve all notification endpoints description: | Returns an array of JSON objects. Each object represents a notification endpoint configured in the account. Please ensure to change the region in the URL to match your account's region. operationId: getAllEndpoints responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/Endpoint' /v1/endpoints/ops-genie: post: tags: - Manage notification endpoints summary: Create an OpsGenie endpoint description: | Creates a new OpsGenie notification endpoint or sends a test message to OpsGenie. Please ensure to change the region in the URL to match your account's region. operationId: createOpsGenie parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/OpsGenieEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/ops-genie/{id}: put: tags: - Manage notification endpoints summary: Update an OpsGenie endpoint description: | Updates an OpsGenie notification endpoint or sends a test message to OpsGenie. Please ensure to change the region in the URL to match your account's region. operationId: updateOpsGenie parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/OpsGenieEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/service-now: post: tags: - Manage notification endpoints summary: Create an ServiceNow endpoint description: | Creates a new ServiceNow notification endpoint or sends a test message to ServiceNow. Please ensure to change the region in the URL to match your account's region. operationId: createServiceNow parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/ServiceNowEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/service-now/{id}: put: tags: - Manage notification endpoints summary: Update an ServiceNow endpoint description: | Updates an ServiceNow notification endpoint or sends a test message to ServiceNow. Please ensure to change the region in the URL to match your account's region. operationId: updateServiceNow parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/ServiceNowEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/microsoft-teams: post: tags: - Manage notification endpoints summary: Create an Microsoft Teams endpoint description: | Creates a new Microsoft Teams notification endpoint or sends a test message to Microsoft Teams. Please ensure to change the region in the URL to match your account's region. operationId: createMicrosoftTeams parameters: - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not created. To create the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/MicrosoftTeamsEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' /v1/endpoints/microsoft-teams/{id}: put: tags: - Manage notification endpoints summary: Update an Microsoft Teams endpoint description: | Updates an Microsoft Teams notification endpoint or sends a test message to Microsoft Teams. Please ensure to change the region in the URL to match your account's region. operationId: updateMicrosoftTeams parameters: - name: id in: path required: true type: integer format: int32 description: ID of the notification endpoint - name: test in: query required: false type: boolean default: false description: >- To send a test message to the endpoint, `true`. Otherwise, `false`. **Note:** If set to `true`, the notification endpoint is not updated. To update the endpoint, you need to send the API request where `test=false`. - in: body name: body required: false schema: $ref: '#/definitions/MicrosoftTeamsEndpointUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/EndpointUpsertResponse' # ::::: KIBANA IMPORT/EXPORT /v1/kibana/export: post: tags: - Import or export Kibana objects summary: Export Kibana objects description: >- Exports the configuration of Kibana objects. All objects of a single type (search, visualization, or dashboard) are returned as an array of JSON objects. For example, if you export `visualization`, each visualization is returned as a JSON object. You can import objects using the [/kibana/import](#operation/importSavedObjects) endpoint. Please ensure to change the region in the URL to match your account's region. operationId: exportSavedObjects parameters: - in: body name: body required: false schema: $ref: '#/definitions/KibanaExportRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/KibanaExportResponse' /v1/kibana/import: post: tags: - Import or export Kibana objects summary: Import Kibana objects description: | Imports Kibana search, visualization, or dashboard objects. You can export objects using the [/kibana/export](#operation/exportSavedObjects) endpoint. Please ensure to change the region in the URL to match your account's region. operationId: importSavedObjects parameters: - in: body name: body required: false schema: $ref: '#/definitions/KibanaImportRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/KibanaImportResponse' # ::::: SHIPPING TOKENS /v1/log-shipping/tokens: post: tags: - Manage log shipping tokens summary: Create a log shipping token description: | Creates a log shipping token for this account. Please ensure to change the region in the URL to match your account's region. operationId: createNewLogShippingToken parameters: - in: body name: body required: false schema: $ref: '#/definitions/ShippingTokensRequest' responses: '201': description: successful operation schema: $ref: '#/definitions/ShippingTokensModel' /v1/log-shipping/tokens/{id}: get: tags: - Manage log shipping tokens summary: Retrieve a log shipping token by ID description: | Returns details for the specified shipping token. Please ensure to change the region in the URL to match your account's region. operationId: getLogShippingTokenById parameters: - name: id in: path required: true type: integer format: int32 description: This token's ID. example: 786351 responses: '200': description: successful operation schema: $ref: '#/definitions/ShippingTokensModel' put: tags: - Manage log shipping tokens summary: Update a log shipping token description: | Enables/disables a log shipping token and/or renames it. Please ensure to change the region in the URL to match your account's region. operationId: updateLogShippingToken parameters: - name: id in: path required: true type: integer format: int32 description: This token's ID. example: 786351 - in: body name: body required: false schema: $ref: '#/definitions/ShippingTokensRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/ShippingTokensModel' delete: tags: - Manage log shipping tokens summary: Delete a log shipping token description: >- Deletes a log shipping token by its ID, while providing relevant information about the token's recent status and activity. An account must have at least 1 enabled token. You won't be able to disable or delete the last token. **Important**: Active tokens can be deleted using this call. Confirm that a token is no longer needed before deleting it. Please ensure to change the region in the URL to match your account's region. operationId: deleteLogShippingToken parameters: - name: id in: path required: true type: integer format: int32 description: This token's ID. example: 786351 responses: '200': description: successful operation schema: $ref: '#/definitions/ShippingTokensModel' /v1/log-shipping/tokens/limits: get: tags: - Manage log shipping tokens summary: Get number of available tokens description: >- Returns the number of log shipping tokens currently in use and the number of available tokens that can be enabled. Disabled tokens don't count against the token limit. Please ensure to change the region in the URL to match your account's region. operationId: getLogShippingTokensLimits responses: '200': description: successful operation schema: $ref: '#/definitions/ShippingTokensLimitsResponse' /v1/log-shipping/tokens/search: post: tags: - Manage log shipping tokens summary: Retrieve log shipping tokens description: | Returns the relevant shipping tokens, filtered, sorted and paginated as per the request. Please ensure to change the region in the URL to match your account's region. operationId: searchLogShippingTokens parameters: - in: body name: body required: false schema: $ref: '#/definitions/ShippingTokensSearchRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PagedSearchResponseShippingTokensModel' # ::::: SHARED TOKENS /v1/shared-tokens/filters: get: operationId: getAllFilters summary: Retrieve all shared token filters description: >- Returns an array of JSON objects, where each object shows information for a shared token filter. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens responses: 200: description: successful operation schema: type: array uniqueItems: true items: $ref: '#/definitions/QueryFilter' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. post: operationId: createFilter summary: Create a shared token filter description: >- Creates a new shared token filter. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - in: body name: body required: false schema: $ref: '#/definitions/QueryFilter' responses: 200: description: successful operation schema: $ref: '#/definitions/QueryFilter' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. /v1/shared-tokens/filters/{id}: get: operationId: getFilter summary: Retrieve a shared token filter by ID description: >- Returns a shared token filter as a JSON object. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - name: id in: path required: true type: integer format: int32 description: ID of the shared token filter responses: 200: description: successful operation schema: $ref: '#/definitions/QueryFilter' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. delete: operationId: deleteFilter summary: Delete a shared token filter description: >- Deletes a shared token filter. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - name: id in: path required: true type: integer format: int32 description: ID of the shared token filter responses: 200: description: successful operation 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. /v1/shared-tokens/{id}: get: operationId: getToken summary: Retrieve a shared token by ID description: >- Returns a shared token as a JSON object. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - name: id in: path required: true type: integer format: int32 description: ID of the shared token responses: 200: description: successful operation schema: $ref: '#/definitions/SharedToken' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. put: operationId: updateToken summary: Update a shared token description: >- Changes the filters attached to a shared token. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - name: id in: path required: true type: integer format: int32 - in: body name: body required: false schema: $ref: '#/definitions/UpdateSharedTokenRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/SharedToken' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. delete: operationId: deleteToken summary: Delete a shared token description: >- Deletes a shared token. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - name: id in: path required: true type: integer format: int32 description: ID of the shared token responses: 204: description: successful operation 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. /v1/shared-tokens: get: operationId: getAllTokens summary: Retrieve all shared tokens description: >- Returns an array of JSON objects, where each object shows information for a shared token. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens responses: 200: description: successful operation schema: type: array uniqueItems: true items: $ref: '#/definitions/SharedToken' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. post: operationId: createToken summary: Create a shared token description: >- Creates a new shared token. **Note:** This endpoint requires permissions that must be set by our Support team. Please email [help@logz.io](mailto:help@logz.io) for assistance. Please ensure to change the region in the URL to match your account's region. tags: - Manage shared tokens parameters: - in: body name: body required: false schema: $ref: '#/definitions/CreateSharedTokenRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/SharedToken' 400: description: not found schema: type: object properties: message: type: string example: token with id 12345 not found for account 54321 description: The shared token or query filter could not be found 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. # ::::: API TOKENS /v1/api-tokens/sub-account: post: operationId: CreateApiTokenRequest summary: Create a sub account API token. description: >- Creates a new API token for a sub account. Must be run with an API token of the owner account. Once created, you can view the details for this new token in [Manage tokens > API tokens](https://app.logz.io/#/dashboard/settings/manage-tokens/api), when you are logged in to the relevant sub account. **Note:** To activate Prometheus API over our Metrics account contact [Logz.io's support team](mailto:help@logz.io). Please ensure to change the region in the URL to match your account's region. tags: - Manage API tokens parameters: - in: body name: body required: true schema: $ref: '#/definitions/CreateApiTokenRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/ApiTokenResponse' 400: description: Bad Request schema: type: object properties: message: type: string example: Bad Request. There was an issue with the request syntax from the client. Received integer instead of expected string parameter description: Bad Request. The request cannot be completed. Errors may include malformed request syntax, invalid request message parameters, and so on. 401: description: Unauthorized schema: type: object properties: message: type: string example: Unauthorized. There was a problem with the authorization provided in the request. description: Unauthorized. Attempted to create an API token for a sub account with insufficient or missing credentials for the main or owner account. Please contact our Support team for access to this API feature via [help@logz.io](mailto:help@logz.io). 403: description: Forbidden schema: type: object properties: message: type: string example: Forbidden. Attempted to create an API token for a sub account using an illegal owner account token. description: Forbidden. Attempted to create an API token for a sub account with an invalid owner account token. This operation requires a valid API token for the owner account. 404: description: Not Found schema: type: object properties: message: type: string example: Not Found. Could not find the sub account associated with this request. description: Not Found. Could not find the sub account associated with this request or the relevant owner account for the sub account. # ::::: SNAPSHOTS /v1/snapshotter: post: tags: - Logz.io snapshots summary: Create a snapshot description: | Creates a new Kibana snapshot and shares with recipients through email or notification endpoint. Snapshots are stored for 30 days and automatically deleted afterwards. Please ensure to change the region in the URL to match your account's region. operationId: createSnapshot parameters: - in: body name: body required: false schema: $ref: '#/definitions/SnapshotCreateRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/SnapshotCreateResponse' /v1/snapshotter/{snapshotId}: get: tags: - Logz.io snapshots summary: Retrieve a snapshot by ID description: | Returns the details of a snapshot, such as status and the snapshot image URL. Note that snapshots are stored for 30 days and automatically deleted afterwards. Please ensure to change the region in the URL to match your account's region. operationId: getSnapshot parameters: - name: snapshotId in: path required: true type: integer format: int32 description: ID of the snapshot example: 3094 responses: 200: description: successful operation schema: $ref: '#/definitions/SnapshotGetResponse' # ::::: USER MANAGEMENT /v1/user-management/recursive: get: summary: Retrieve users in all associated accounts description: >- Returns a list of users in the main account and all associated sub accounts as an array of JSON objects per account. If a user appears in multiple accounts, it will be listed separately under each account. **Note:** Must be run with an API token belonging to the main account. Please ensure to change the region in the URL to match your account's region. tags: - Manage users operationId: listAllAccountUsers responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/User' /v1/user-management: get: summary: Retrieve all users description: | Returns a list of users as an array of JSON objects. If you run this endpoint without the accountID, then you will retrieve all users within the account the token of which you provide. If you run this endpoint with the accountID, then you will retrieve users only from the given accountID. In this case you must run it with the token of the main account that the accountID belongs to. Please ensure to change the region in the URL to match your account's region. tags: - Manage users operationId: listUsers parameters: - name: accountId in: query required: false type: integer format: int32 description: Logz.io sub-account ID. responses: 200: description: successful operation schema: type: array items: $ref: '#/definitions/User' post: summary: Create a user description: >- Creates a new user with specified permissions to access your log data. If you run this endpoint with the token of the main account, then you can perform actions on the main account or any sub-account within the main account by providing the sub-account’s accountID. If you run this endpoint with the token of the sub-account, then you can perform actions only on the given sub-account. **Note:** Creating users through Logzio API requires email approval and activation of the request. To disable email verification for the API, contact the [Logz.io support team](mailto:help@logz.io). Please ensure to change the region in the URL to match your account's region. tags: - Manage users operationId: createUser parameters: - in: body name: body required: false schema: $ref: '#/definitions/UserManagementUpsertRequest' responses: 200: description: successful operation schema: $ref: '#/definitions/UserManagementUpsertResponse' /v1/user-management/{id}: get: tags: - Manage users summary: Retrieve a user by ID description: | Returns user information and permissions as a JSON object. Please ensure to change the region in the URL to match your account's region. operationId: getUser parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation schema: $ref: '#/definitions/User' put: tags: - Manage users summary: Update a user description: | Changes an existing user's details or permissions. If you run this endpoint with the token of the main account, then you can perform actions on the main account or any sub-account within the main account by providing the sub-account’s accountID. If you run this endpoint with the token of the sub-account, then you can perform actions only on the given sub-account. Please ensure to change the region in the URL to match your account's region. operationId: updateUser parameters: - in: body name: body required: false schema: $ref: '#/definitions/UserManagementUpsertRequest' - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation schema: $ref: '#/definitions/UserManagementUpsertResponse' delete: tags: - Manage users summary: Delete a user description: | Revokes a user's access to the account. The API token determines the account the user will be deleted from. If you run this endpoint without the accountID, then you can perform actions on the account that belongs to the token you provided. If you run this endpoint with the accountID, then you will delete only the user from the given accountID. In this case you must run it with the token of the main account that the accountID belongs to. Please ensure to change the region in the URL to match your account's region. operationId: deleteUser parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user - name: accountId in: query required: false type: integer format: int32 description: Logz.io sub-account ID. responses: 200: description: successful operation /v1/user-management/{id}/recursive: delete: tags: - Manage users summary: Delete a user from all accounts description: >- Deletes a user from the main account and all associated sub accounts. Must be run with an API token for the main account. The user will not be deleted from accounts for which there are no other users. In other words, any accounts where the user is the last user will be skipped. The success message will list accounts that were skipped. Please ensure to change the region in the URL to match your account's region. operationId: deleteUserRecursively parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation /v1/user-management/suspend/{id}: post: tags: - Manage users summary: Suspend a user description: | Locks a user's access to your accounts. Please ensure to change the region in the URL to match your account's region. operationId: suspendUser parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation /v1/user-management/unsuspend/{id}: post: tags: - Manage users summary: Unsuspend a user description: | Restores a suspended user's access to your accounts. Please ensure to change the region in the URL to match your account's region. operationId: unsuspendUser parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation /v1/user-management/{id}/suspend/recursive: put: tags: - Manage users summary: Suspend a user from all accounts description: | Suspends a user from the main account and all associated sub accounts. Must be run with an API token for the main account. The user will not be suspended from accounts for which there are no other users. In other words, any accounts where the user is the last user will be skipped. The success message will list accounts that were skipped. Please ensure to change the region in the URL to match your account's region. operationId: suspendUserRecursively parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation schema: type: object properties: message: type: string example: "Finished suspending user 11300 from accounts." /v1/user-management/{id}/unsuspend/recursive: put: tags: - Manage users summary: Unsuspend a user from all accounts description: | Unsuspends a user from the main account and all associated sub accounts. Must be run with an API token for the main account. Please ensure to change the region in the URL to match your account's region. operationId: unsuspendUserRecursively parameters: - name: id in: path required: true type: integer format: int32 description: ID of the user responses: 200: description: successful operation schema: type: object properties: message: type: string example: "Finished unsuspending user 11300 from accounts." # ::::: CLOUD SIEM RULES /v2/security/rules: post: tags: - Security rules summary: Create a security rule description: | Creates a new security rule and activates it. Please ensure to change the region in the URL to match your account's region. operationId: createSecurityRule produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/SecurityRuleRequest' responses: '201': description: successful operation schema: $ref: '#/definitions/SecurityRuleResponse' /v2/security/rules/{ruleId}: get: tags: - Security rules operationId: getSecurityRule summary: Retrieve a security rule description: | Retrieves a security rule by its ID. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - name: ruleId in: path required: true type: integer format: int32 description: responses: '200': description: successful operation schema: $ref: '#/definitions/SecurityRuleResponse' headers: {} put: summary: Update a security rule description: | Applies changes to a rule, identified by its ID. Can also be used to enable or disable a rule. Please ensure to change the region in the URL to match your account's region. tags: - Security rules operationId: updateSecurityRule produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/SecurityRuleRequest' - name: ruleId in: path required: true type: integer format: int32 responses: '200': description: successful operation schema: $ref: '#/definitions/SecurityRuleResponse' delete: summary: Delete a security rule description: | Deletes a security rule by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Security rules operationId: deleteSecurityRule produces: - application/json parameters: - name: ruleId in: path required: true type: integer format: int32 responses: '200': description: successful operation schema: $ref: '#/definitions/SecurityRuleResponse' headers: {} /v2/security/rules/search: post: tags: - Security rules operationId: searchAccountSecurityRules summary: Retrieve security rules description: | Retrieve a list of security rules for a specific Security account. The results are paginated. Filtering, sorting and pagination are all optional. If you want to get all rules, send the payload in `{}` format. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/AlertsSearchRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PagedSearchResponseSecurityRuleResponse' /v2/security/rules/{id}/enable: post: tags: - Security rules operationId: enableSecurityRule summary: Enable a rule description: | Enables a security rule by its ID. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - name: id description: Rule ID in: path required: true type: integer format: int32 example: 305572 responses: default: description: successful operation /v2/security/rules/{id}/disable: post: tags: - Security rules operationId: disableSecurityRule summary: Disable a rule description: | Disables a security rule by its ID. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - name: id description: Rule ID in: path required: true type: integer format: int32 example: 305976 responses: default: description: successful operation /v2/security/rules/bulk/update: post: tags: - Security rules operationId: bulkUpdateSecurityRule summary: Bulk update security rules description: | Update security rules in bulk. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - in: body name: body required: true schema: type: object properties: filters: type: object properties: search: type: string description: Search string example: string severities: type: array description: Filter by the severities of the security rules. You can manually test your results in the [UI](https://app.logz.io/#/dashboard/security/rules/rule-definitions?from=0&sortBy=updatedAt&sortOrder=DESC). items: type: string example: SEVERE enum: - INFO - LOW - MEDIUM - HIGH - SEVERE updatedBy: type: array description: Email addresses of the last users to update the rules items: type: string example: user@company.com createdBy: type: array description: Email addresses of the users to create the rules items: type: string example: user@company.com enabledState: type: list of booleans description: true to include enabled rules, false to include disabled rules. An empty list defaults to both enabled and disabled rules. emailNotifications: type: array description: List of email addresses on the recipients list to receive notifications when the rules trigger. items: type: string example: string notificationsEndpointIds: type: array description: Notification endpoints items: type: integer format: int32 example: 0 tags: type: array description: Tags are labels used to organize security rules. example: threat items: type: object example: { network_threat, recon} ruleIds: type: array items: type: integer format: int32 example: 0 fields: type: object properties: enabled: description: Whether felds are enabled. type: boolean recipients: type: object description: Recepients. properties: recipientsOperation: description: Recepients operation. type: string example: ADD recipients: type: object description: Recepients. properties: emails: type: array description: Email addresses of the recepients. items: type: string example: string notificationEndpointIds: type: array description: Notification endpoints. items: type: integer format: int32 example: 0 all: type: boolean responses: default: description: successful operation /v2/security/rules/bulk/delete: post: tags: - Security rules operationId: bulkDeleteSecurityRule summary: Bulk delete security rules description: | Delete security rules in bulk. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - in: body name: body required: true schema: type: object properties: filters: type: object properties: search: type: string description: Search string example: string severities: type: array description: Filter by the severities of the security rules. You can manually test your results in the [UI](https://app.logz.io/#/dashboard/security/rules/rule-definitions?from=0&sortBy=updatedAt&sortOrder=DESC). items: type: string example: SEVERE enum: - INFO - LOW - MEDIUM - HIGH - SEVERE updatedBy: type: array description: Email addresses of the last users to update the rules items: type: string example: user@company.com createdBy: type: array description: Email addresses of the users to create the rules items: type: string example: user@company.com enabledState: type: list of booleans description: true to include enabled rules, false to include disabled rules. An empty list defaults to both enabled and disabled rules. emailNotifications: type: array description: List of email addresses on the recipients list to receive notifications when the rules trigger. items: type: string example: string notificationsEndpointIds: type: array description: Notification endpoints items: type: integer format: int32 example: 0 tags: type: array description: Tags are labels used to organize security rules. example: threat items: type: object example: { network_threat, recon} ruleIds: type: array items: type: integer format: int32 example: 0 fields: type: object properties: enabled: description: Whether felds are enabled. type: boolean recipients: type: object description: Recepients. properties: recipientsOperation: description: Recepients operation. type: string example: ADD recipients: type: object description: Recepients. properties: emails: type: array description: Email addresses of the recepients. items: type: string example: string notificationEndpointIds: type: array description: Notification endpoints. items: type: integer format: int32 example: 0 all: type: boolean responses: default: description: successful operation # ::::: SECURITY EVENTS /v2/security/rules/events/search: post: summary: Fetch security events description: >- Runs a search query in your Logz.io Cloud SIEM account to fetch the security events that match the query parameters. You have the option to filter by rule name, rule severity, and/or event timestamp, and sort the results by time and/or severity, but this is not required. If you send the query with an empty JSON body, it returns all of the events logged in your Logz.io Cloud SIEM, going as far back as your account's retention permits. **Note:** Run this endpoint with an API token for your Logz.io Security account. Please ensure to change the region in the URL to match your account's region. tags: - Security events operationId: searchSecurityRulesEvents produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/AlertsEventsSearchRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PagedSearchResponseTriggeredResponse' headers: {} # ::::: EDIT SECURITY EVENTS /v2/security/rules/events/{ruleId}: put: summary: Edit security events description: | Applies changes to a rule, identified by its ID. Please ensure to change the region in the URL to match your account's region. **Note:** Run this endpoint with an API token for your Logz.io Security account. tags: - Security events operationId: editSecurityRulesEvents produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/AlertsEventsEditRequest' responses: 201: description: successful operation schema: $ref: '#/definitions/PagedEdithResponseTriggeredResponse' headers: {} 403: description: forbidden schema: type: object properties: message: type: string example: Insufficient privileges description: Insufficient privileges. Contact our Support team for access to this API feature. # ::::: SECURITY ACCOUNT /v2/account-management/siem: post: summary: Create SIEM account description: | Creates a new SIEM account. Returns SIEM account configuration settings as a JSON object. Must be run with an API token from the your main Logs account *Logs > Settings > Manage tokens > API tokens*. Please ensure to change the region in the URL to match your account's region. tags: - Security account operationId: postSIEM parameters: - in: body name: body required: false schema: type: object required: - accountName - email properties: accountName: type: string required: true description: Name of the SIEM account. Allowed characters include letters, numbers, dashes (`-`), dots (`.`), underscores (`_`), and spaces. Special characters such as `<`, `>`, `:`, `\"`, `/`, `\\`, `|`, `?`, `*` are not supported. accountsToScan: type: array description: IDs of accounts that will be accessed for logs. The owner account will be the default account to scan. items: type: integer email: type: string required: true description: Email address of the SIEM account. isUsingRepositoryAccount: type: boolean description: Describes if the account uses a Repository Account. For more information, see our [User Guide]( https://docs.logz.io/user-guide/accounts/shared_repository.html). responses: 200: description: successful query schema: type: object properties: accountId: type: integer description: Account ID. accountName: type: string required: true description: SIEM account name accountsToScan: type: array description: Accounts included into the query items: type: integer createdAt: type: string format: date-time description: >- Date this account was created. Format: `{yyyy}-{mm}-{dd}T{hh}:{mm}:{ss}Z` example: 2018-04-01T19:18:38Z isUsingRepositoryAccount: type: boolean description: Describes if the account uses a Repository Account. For more information, see our [User Guide]( https://docs.logz.io/user-guide/accounts/shared_repository.html). /v2/security/rules/events/logs/search: post: summary: Fetch the logs that triggered a security event description: >- Runs a search query in your Logz.io Log Monitoring account to fetch the logs that triggered the security rule and caused it to log a security event. This query returns an array of parsed logs linked to a single event - it isn't a bulk action. Run this query to investigate an event and increase observability into details omitted from the security event log. **Note:** Run this endpoint with an API token for your Logz.io Security account. Please ensure to change the region in the URL to match your account's region. tags: - Security events operationId: searchSecurityRuleEventLogs produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/AlertEventLogsSearchRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PagedSearchResponseMapStringObject' headers: {} # ::::: DROP FILTERS /v1/drop-filters/search: post: summary: Retrieve drop filters description: | Returns all drop filters configured for the account, both active and inactive. Please ensure to change the region in the URL to match your account's region. tags: - Drop filters operationId: getAllForAccount consumes: - application/json produces: - application/json responses: '200': description: successful operation schema: type: array items: $ref: '#/definitions/LogsDropFiltersPipelineDefinition' headers: {} /v1/drop-filters/{id}/activate: post: summary: Activate a drop filter description: | Activates a drop filter identified by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Drop filters operationId: activate consumes: - application/json produces: - application/json parameters: - name: id in: path required: true type: string description: Drop filter ID in the Logz.io database. You can run the `/v1/drop-filters/search` endpoint to retrieve the IDs of all the drop filters in the account. responses: '200': description: successful operation schema: $ref: '#/definitions/LogsDropFiltersPipelineDefinition' headers: {} /v1/drop-filters/{id}/deactivate: post: summary: Deactivate a drop filter description: | Deactivates a drop filter identified by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Drop filters operationId: deactivate consumes: - application/json produces: - application/json parameters: - name: id in: path required: true type: string description: Drop filter ID in the Logz.io database. You can run the `/v1/drop-filters/search` endpoint to retrieve the IDs of all the drop filters in the account. responses: '200': description: successful operation schema: $ref: '#/definitions/LogsDropFiltersPipelineDefinition' headers: {} /v1/drop-filters/{id}: delete: summary: Delete a drop filter description: | Deletes a drop filter identified by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Drop filters operationId: delete consumes: - application/json produces: - application/json parameters: - name: id in: path required: true type: string description: Drop filter ID in the Logz.io database. You can run the `/v1/drop-filters/search` endpoint to retrieve the IDs of all the drop filters in the account. responses: '200': description: successful operation schema: $ref: '#/definitions/LogsDropFiltersPipelineDefinition' headers: {} /v1/drop-filters: post: summary: Create drop filter description: | Creates and activates a new drop filter. Please ensure to change the region in the URL to match your account's region. tags: - Drop filters operationId: create consumes: - application/json produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/DropFiltersCreateRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/LogsDropFiltersPipelineDefinition' headers: {} # ::::: SIEM LOOKUPS /v1/lookup-lists: post: summary: Create lookup list description: | Creates a new lookup list. After you create the list, you can run the endpoint to add elements to the list. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: createLookupList produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/LookupListCreateRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/LookupList' headers: {} /v1/lookup-lists/search: post: summary: Get all/Search lookup lists description: | Searches for lookup lists by name or ID. Can also be run without a filter to return the full list of existing lookups. Returns a paginated list of results. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: searchLookupLists produces: - application/json parameters: - in: body name: body required: false schema: $ref: '#/definitions/LookupListsSearchRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PagedSearchResponseLookupList' headers: {} /v1/lookup-lists/{id}: get: summary: Get lookup by ID description: | Retrieves the general details for an existing lookup list. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: getLookupList produces: - application/json parameters: - name: id in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f responses: '200': description: successful operation schema: $ref: '#/definitions/LookupList' headers: {} put: summary: Update lookup list description: | Update the name and/or description of an exisiting lookup list. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: updateLookupList produces: - application/json parameters: - name: id in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - in: body name: body required: true schema: $ref: '#/definitions/LookupList' responses: '200': description: successful operation schema: $ref: '#/definitions/LookupList' headers: {} delete: summary: Delete lookup list description: | Deletes a lookup list. Note that this action can affect rules, dashboards, and reports if they are dependent on the lookup list. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: deleteLookupList produces: - application/json parameters: - name: id in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f responses: '200': description: successful operation schema: $ref: '#/definitions/LookupList' headers: {} /v1/lookup-lists/{lookupListId}/elements: post: summary: Add element to a lookup list description: | Adds a new element to an existing lookup list. An element is a field value and comment (helpful description that does not affect the lookup functionally). Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: createLookupListElement produces: - application/json parameters: - name: lookupListId in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - in: body name: body required: true schema: $ref: '#/definitions/LookupListElementCreateRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/LookupListElement' headers: {} /v1/lookup-lists/{lookupListId}/elements/search: post: summary: Get all/Search lookup elements description: | Searches elements in a specified lookup list. Can also be run without a filter to return the full list of elements. Returns a paginated list of results. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: searchLookupListElements produces: - application/json parameters: - name: lookupListId in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - in: body name: body required: false schema: $ref: '#/definitions/LookupListElementsSearchRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/PagedSearchResponseLookupListElement' headers: {} /v1/lookup-lists/{lookupListId}/elements/{id}: get: summary: Get element description: | Retrieves a specific lookup element by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: getLookupListElement produces: - application/json parameters: - name: lookupListId in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - name: id in: path required: true type: integer format: int32 description: ID of a specific value element contained in the lookup list. example: 20 responses: '200': description: successful operation schema: $ref: '#/definitions/LookupListElement' headers: {} put: summary: Update element description: | Changes the value and/or comment of a specific element, identified by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: updateLookupListElement produces: - application/json parameters: - name: lookupListId in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - name: id in: path required: true type: integer format: int32 description: ID of a specific value element contained in the lookup list. example: 20 - in: body name: body required: true schema: $ref: '#/definitions/LookupListElement' responses: '200': description: successful operation schema: $ref: '#/definitions/LookupListElement' headers: {} delete: summary: Delete element description: | Deletes a specific lookup element, identified by its ID. Please ensure to change the region in the URL to match your account's region. tags: - Lookup lists operationId: deleteLookupListElement produces: - application/json parameters: - name: lookupListId in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - name: id in: path required: true type: integer format: int32 description: ID of a specific value element contained in the lookup list. example: 20 responses: '200': description: successful operation schema: $ref: '#/definitions/LookupListElement' headers: {} /v1/lookup-lists/{lookupListId}/elements/bulk-add: post: tags: - Lookup lists operationId: addLookupListElements summary: Add elements in bulk description: | Adds an array of elements to an existing Lookup list and sets the expiration date for the lookup. Please ensure to change the region in the URL to match your account's region. produces: - application/json parameters: - name: defaultTTL in: query required: false type: integer format: int64 description: Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. - name: lookupListId in: path required: true type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f - in: body name: body required: true schema: type: array items: $ref: '#/definitions/LookupListElementCreateRequest' responses: '200': description: successful operation schema: $ref: '#/definitions/LookupListElementBulkResponse' headers: {} definitions: QueryResult: type: 'object' properties: status: type: 'string' description: 'Status of the query (e.g., success, fail).' data: type: 'object' properties: resultType: type: 'string' enum: ['matrix', 'vector', 'scalar', 'string'] description: 'Type of the result.' result: type: 'array' items: type: 'object' required: ['metric', 'value'] properties: metric: type: 'object' additionalProperties: type: 'string' description: 'Labels identifying the metric.' value: type: 'array' items: type: 'string' minItems: 2 maxItems: 2 description: 'The actual data point returned by the query, with timestamp and value.' RangeQueryResult: type: 'object' properties: status: type: 'string' description: 'Status of the query (e.g., success, fail).' data: type: 'object' properties: resultType: type: 'string' enum: ['matrix'] description: 'Type of the result.' result: type: 'array' items: type: 'object' required: ['metric', 'values'] properties: metric: type: 'object' additionalProperties: type: 'string' description: 'Labels identifying the metric.' values: type: 'array' items: type: 'array' items: type: 'string' minItems: 2 maxItems: 2 description: 'A list of [timestamp, value] pairs returned by the query.' LabelValuesResult: type: 'object' properties: status: type: 'string' description: 'Status of the request (e.g., success, fail).' data: type: 'array' items: type: 'string' description: 'A list of label values returned by the API.' SeriesResult: type: 'object' properties: status: type: 'string' description: 'Status of the request (e.g., success, fail).' data: type: 'array' items: type: 'object' additionalProperties: type: 'string' description: 'An array of objects containing the label name/value pairs which identify each series.' LabelNamesResult: type: 'object' properties: status: type: 'string' description: 'Status of the request (e.g., success, fail).' data: type: 'array' items: type: 'string' description: 'A list of label names returned by the API.' # ::::: SIEM LOOKUPS PagedSearchResponseLookupListElement: type: object properties: total: type: integer format: int32 description: Total number of search results. The results are relvent elements contained in the lookup list. results: type: array items: $ref: '#/definitions/LookupListElement' pagination: $ref: '#/definitions/Pagination' LookupListElement: type: object properties: id: type: integer format: int32 description: ID of the element in the Lookup list. value: type: string minLength: 1 maxLength: 80 description: A single field value. You should ensure that the lookup list contains a list of values all mapped to the same field. example: 54.53.1.1 comment: type: string description: Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. maxLength: 200 example: ABC Server expirationDate: type: integer format: int64 description: Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. LookupListElementCreateRequest: type: object required: - value properties: value: type: string minLength: 1 maxLength: 80 description: A single field value. example: 54.53.1.1 comment: type: string minLength: 0 maxLength: 200 description: Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. example: ABC Server expirationDate: type: integer format: int64 description: Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. LookupList: type: object summary: General indentifiers for the lookup - its ID, name, and description. properties: id: type: string description: GUID of the lookup list. example: 7c985e09-3db6-5dc6-ae33-58403493e13f name: type: string minLength: 1 maxLength: 40 description: Name of the lookup list. description: type: string minLength: 0 maxLength: 400 description: Description of the lookup list. LookupListCreateRequest: type: object properties: name: type: string minLength: 0 maxLength: 40 description: Name of the lookup list. If null, the list will be named `Untitled` followed by the running number. default: Untitled## description: type: string minLength: 0 maxLength: 400 description: A place to add a free text description of the lookup list's purpose, uses and dependencies. PagedSearchResponseLookupList: type: object properties: total: type: integer format: int32 description: Total number of search results. results: type: array items: $ref: '#/definitions/LookupList' pagination: $ref: '#/definitions/Pagination' LookupListsFilter: type: object description: Filter by names that contain a term, by lookup ID, or by both. If both properties are sent, they must both be satsified (`AND` logic). properties: searchTerm: type: string description: Filters for lookup names that contains the search term. example: servers byIds: type: array description: List of lookup IDs. items: type: string LookupListsSearchRequest: type: object properties: filter: $ref: '#/definitions/LookupListsFilter' pagination: $ref: '#/definitions/Pagination' LookupListElementsFilter: type: object description: Filter for elements by value, element ID, or by comments that contain a search term. If multiple properties are sent, they must all be satisfied (`AND` logic). properties: searchTerm: type: string description: Filters for values or comments that contain the search term. example: server byIds: type: array description: Filters by element IDs. items: type: integer format: int32 byValues: type: array description: Filters by exact value. (Looks for elements that match any one of the values in the array.) items: type: string LookupListElementsSearchRequest: type: object properties: filter: $ref: '#/definitions/LookupListElementsFilter' pagination: $ref: '#/definitions/Pagination' LookupListElementBulkResponse: type: object properties: status: type: string enum: - SUCCESS - PARTIAL_FAILED - FAILED description: Returns the status of the request. example: SUCCESS numOfAddedElements: type: integer format: int32 description: Total number of new elements added to the Lookup list. example: 32 numOfMergedElements: type: integer format: int32 description: Total number of elements merged with duplicate values in the existing list. (In other words, the number of existing elements that were updated by the request.) example: 42 # ::::: ACCOUNTS DEFINITIONS WhoAmIV2Response: type: object properties: accountName: type: string description: Name of the account. example: Jean Valjean accountId: type: integer description: ID of the account format: int32 example: 24601 AccountUtilizationSettings: type: object description: Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. properties: frequencyMinutes: type: integer format: int32 description: How often utilization metrics are written to logs, in minutes example: 5 utilizationEnabled: type: boolean description: If utilization metrics are written to logs, `true`. Otherwise, `false`. example: true AccountView: type: object properties: accountId: type: integer format: int32 accountName: type: string accountToken: type: string active: type: boolean esIndexPrefix: description: Prefix of the Elasticsearch Index used to index the data. type: string isFlexible: type: boolean default: false description: >- Indicates whether the plan has **shared volume** enabled. For **Consumption** accounts, this field defaults should be `false`. If `true`, the volume of data that the account can index per calendar day is determined by 2 parameters: `reservedDailyGB` (Required) and `maxDailyGB` (Optional, can be null). If `false`, the volume of data that the account can index per calendar day is determined only by `maxDailyGB`. The parameter `reservedDailyGB` does not apply. example: true x-plan: Subscription reservedDailyGB: type: number format: float x-plan: Subscription description: >- * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, this field does not apply. * If `isFlexible=true`, this determines the daily volume in GB reserved for the account. This capacity is guaranteed and cannot be used by any other accounts. example: 3 maxDailyGB: type: number format: float description: >- The maximum volume of data that an account can index per calendar day. * If **Consumption** account (`isFlexible: false`), this value determines the account's soft cap in GB. * If `isFlexible=false` this is the only capacity reserved for use by the account. Cannot be null. * If `isFlexible=true` this is used to limit the account's access to shared volume. Once the data shipped to the account exceeds the account's reserved capacity, the account can continue to index data up to its `maxDailyGB`, as long as shared volume is available. * If null (and `isFlexible=true`), the account is uncapped and can continue to index data as long as shared volume is available. example: 5 x-plan: Subscription retentionDays: type: integer format: int32 description: How long log data is stored and searchable in Kibana, in days. softLimitGB: type: number format: float x-plan: Consumption description: The account's soft limit in GB. If **Subscription** account, this value is always null. DailyUsagesList: type: object properties: usage: type: array items: $ref: '#/definitions/LHDailyCount' TimeBasedAccountUpdateRequest: type: object required: - accountName - sharingObjectsAccounts properties: accountName: type: string description: Name of the account. Allowed characters include letters, numbers, dashes (`-`), dots (`.`), underscores (`_`), and spaces. Special characters such as `<`, `>`, `:`, `\"`, `/`, `\\`, `|`, `?`, `*` are not supported. example: AWS Lambda svr 3 retentionDays: type: integer format: int32 description: This is how long log data is stored and searchable in Kibana, in days. minimum: 1 example: 5 searchable: $ref: "#/definitions/Searchable" accessible: $ref: "#/definitions/Accessible" sharingObjectsAccounts: type: array items: type: integer format: int32 example: 88888 description: IDs of accounts that can access this account's data. The array is required, but can be empty. docSizeSetting: $ref: '#/definitions/DocSizeSetting' utilizationSettings: $ref: '#/definitions/AccountUtilizationSettings' snapsearchRetentionDays: type: integer format: int32 description: Number of days to retain data in the warm tier. Minimum value is 1. example: 7 reservedDailyGB: type: number format: float default: null x-plan: Subscription description: >- * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, this field does not apply. Leave it null. * If `isFlexible=true`, this parameter is required. It determines the volume that is reserved for the account. example: 3 maxDailyGB: type: number format: float x-plan: Subscription description: >- The maximum volume of data that an account can index per calendar day. * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false` this parameter can only be used to update a sub account, but not a main account. It determines the only capacity reserved for use by the account. It cannot be null. * If `isFlexible=true` this is used to limit the account's access to shared volume. Once the data shipped to the account exceeds the account's reserved capacity, the account can continue to index data up to its `maxDailyGB`, as long as shared volume is available. * If null (and `isFlexible=true`), the account is uncapped and can continue to index data as long as shared volume is available. example: 5 softLimitGB: type: number format: float description: >- If **Subscription** account, this value is always null. Indicates the account's soft cap in GB. x-plan: Consumption DetailedTimeBasedAccount: type: object properties: subAccountRelation: $ref: '#/definitions/SubAccountRelation' account: $ref: '#/definitions/AccountView' sharingObjectsAccounts: type: array items: $ref: '#/definitions/AccountView' utilizationSettings: $ref: '#/definitions/AccountUtilizationSettings' dailyUsagesList: $ref: '#/definitions/DailyUsagesList' docSizeSetting: $ref: '#/definitions/DocSizeSetting' snapsearchRetentionDays: type: integer format: int32 description: Number of days to retain data in the warm tier. Minimum value is 1. example: 7 LHDailyCount: type: object properties: date: type: integer format: int64 bytes: type: integer format: int64 TimeBasedAccountCreateRequest: type: object required: - accountName - email - sharingObjectsAccounts - retentionDays properties: email: type: string pattern: "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*(\\.[A-Za-z]{2,})$" description: Account administrator's email address example: help@logz.io accountName: type: string description: Name of the account. Allowed characters include letters, numbers, dashes (`-`), dots (`.`), underscores (`_`), and spaces. Special characters such as `<`, `>`, `:`, `\"`, `/`, `\\`, `|`, `?`, `*` are not supported. example: AWS Lambda svr 3 retentionDays: type: integer format: int32 description: How long log data is stored and searchable in Kibana, in days. minimum: 1 example: 5 searchable: $ref: "#/definitions/Searchable" accessible: $ref: "#/definitions/Accessible" sharingObjectsAccounts: type: array items: type: integer format: int32 example: 88888 description: IDs of accounts that can access this account's data. The array is required, but can be empty. docSizeSetting: $ref: '#/definitions/DocSizeSetting' utilizationSettings: $ref: '#/definitions/AccountUtilizationSettings' isFlexible: type: boolean default: false x-plan: Subscription reservedDailyGB: type: number format: float default: null x-plan: Subscription description: >- * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, don't send this field or send it null. * If `isFlexible=true`, this parameter is required. It determines the volume that is reserved for the account. example: 3 maxDailyGB: type: number format: float x-plan: Subscription description: >- The maximum volume of data that an account can index per calendar day. * If **Consumption** account (`isFlexible: false`), this value determines the account's soft cap in GB. * If `isFlexible=false` this is the only capacity reserved for use by the account. Cannot be null. * If `isFlexible=true` this is used to limit the account's access to shared volume. Once the data shipped to the account exceeds the account's reserved capacity, the account can continue to index data up to its `maxDailyGB`, as long as shared volume is available. * If null (and `isFlexible=true`), the account is uncapped and can continue to index data as long as shared volume is available. example: 5 softLimitGB: type: number format: float description: >- If **Subscription** account, this value is always null. Indicates the account's soft cap in GB. x-plan: Consumption SharingAccount: type: object properties: accountId: type: integer format: int32 description: ID of the account example: 88888 accountName: type: string description: Name of the account example: dev group 8 SubAccountRelation: type: object description: Properties of the sub accounts related to this main account properties: ownerAccountId: type: integer format: int32 description: ID of the main account example: 88765 subAccountId: type: integer format: int32 description: ID of the sub account example: 89234 searchable: $ref: "#/definitions/Searchable" accessible: $ref: "#/definitions/Accessible" createdDate: type: integer format: int64 description: >- Date this account was created. example: 1627489797000 lastUpdatedDate: type: integer format: int64 description: >- Date this account was last updated. example: 1627489797000 lastUpdaterUserId: type: integer format: int32 description: ID of the user who last updated this account example: 33342 type: type: string enum: - OWNER_ACCOUNT - SUB_ACCOUNT - TIMELESS_INDEX - ALL description: Account type example: SUB_ACCOUNT TimeBasedAccount: type: object properties: accountId: type: integer format: int64 description: ID of the account example: 99999 email: type: string description: Email address of the user who created the account example: null accountName: type: string description: Name of the account example: 404 errors retentionDays: type: integer format: int32 description: How long log data is retained in the Elasticsearch Index and searchable in Kibana, in days. example: 5 searchable: $ref: "#/definitions/Searchable" accessible: $ref: "#/definitions/Accessible" docSizeSetting: $ref: '#/definitions/DocSizeSetting' sharingObjectsAccounts: type: array items: $ref: '#/definitions/SharingAccount' description: Accounts that have permissions to access this account's Kibana objects. utilizationSettings: $ref: '#/definitions/AccountUtilizationSettings' isOwner: type: boolean default: false description: If the account is an owner account, `true`. Otherwise, `false`. example: false snapsearchRetentionDays: type: integer format: int32 description: Number of days to retain data in the warm tier. Minimum value is 1. example: 7 isFlexible: type: boolean default: false x-plan: Subscription description: >- Indicates whether the plan has **shared volume** enabled. For `Consumption` accounts, this field defaults should be `false`. If `true`, the volume of data that the account can index per calendar day is determined by 2 parameters: `reservedDailyGB` (Required) and `maxDailyGB` (Optional, can be null). If `false`, the volume of data that the account can index per calendar day is determined only by `maxDailyGB`. The parameter `reservedDailyGB` does not apply and should be null. example: true reservedDailyGB: type: number format: float default: null x-plan: Subscription description: >- Daily reserved capacity in GB. * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, this field does not apply and will be null. * If `isFlexible=true`, this determines the daily volume in GBs that is reserved for the account, given as an integer. maxDailyGB: type: number format: float x-plan: Subscription description: >- The maximum volume of data that an account can index per calendar day. * If **Consumption** account (`isFlexible: false`), this value determines the account's soft cap in GB. * If `isFlexible=false` this is the only capacity reserved for use by the account. Cannot be null. * If `isFlexible=true` this is used to limit the account's access to shared volume. Once the data shipped to the account exceeds the account's reserved capacity, the account can continue to index data up to its `maxDailyGB`, as long as shared volume is available. * If null (and `isFlexible=true`), the account is uncapped and can continue to index data as long as shared volume is available. example: 5 isCapped: type: boolean default: false x-plan: Subscription description: >- * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, this field does not apply and will be `false`. * If `isFlexible=true`, this field determines whether the account is capped by GB. If the account is capped, `true`. example: false totalTimeBasedDailyGB: type: number format: float x-plan: Subscription description: >- * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, this field does not apply and will be `null`. * If `isFlexible=true`, this determines the account plan volume in GB. example: 5.0 sharedGB: type: number format: float x-plan: Subscription description: >- * If **Consumption** account (`isFlexible: false`), this value is always null. * If `isFlexible=false`, this field does not apply and will be `null`. * If `isFlexible=true`, this determines the shareable volume in GB. example: 5.0 softLimitGB: type: number format: float description: >- If **Subscription** account, this value is always null. Indicates the account's soft cap in GB. x-plan: Consumption TimeBasedAccountCreationResponse: type: object properties: accountId: type: integer format: int32 description: ID of the account example: 99999 Searchable: type: boolean description: If other accounts can search this account's logs, `true`. Otherwise, `false`. default: false example: true Accessible: type: boolean description: If users of the main account can access this account, `true`. Otherwise, `false`. default: false example: false DocSizeSetting: type: boolean description: Adds a LogSize field to each log to record the size in bytes, to better manage the account utilization. default: false example: true snapsearchRetentionDays: type: integer format: int32 description: Number of days to retain data in the warm tier. Minimum value is 1. example: 7 # ::::: CLOUD SIEM DEFINITIONS AlertEventLogsSearchRequest: type: object required: - filter properties: filter: $ref: '#/definitions/RuleEventLogsFilter' pagination: $ref: '#/definitions/Pagination' RuleEventLogsFilter: type: object description: Filter by the event's unique GUID to retrieve only the logs relevant to the event under investigation. required: - alertEventId properties: alertEventId: type: string description: Unique GUID of the security event in Logz.io Cloud SIEM. The GUID is returned in the results when querying to fetch security events or by inspecting an event log in the [UI](https://app.logz.io/#/dashboard/security/research/discover?) under the field `logzio-alert-event-id`. example: 833203f9-de71-5a12-9083-9055a6d925bb Pagination: type: object description: Default pagination is a page of 25 results. Look for the `total` field in the response for the number of available results overall, and use the pagination function to page through the results. properties: pageNumber: type: integer format: int32 description: If you overshoot the page number, it will return empty with no results, but it won't fail the request. default: 1 example: 1 pageSize: type: integer format: int32 description: Controls the number of results per page. Valid inputs are 1 to 1000. maximum: 1000 default: 25 example: 100 PagedSearchResponseMapStringObject: type: object properties: total: description: Returns the total number of logs linked to the security event specified in the query. This number is fixed and not affected by pagination. type: integer format: int32 example: 5 results: type: array description: >- Array of logs returned in answer to the query. The logs are returned in their entirety and parsed. If the logs are no longer retained in the database, the request will return empty. You can check your account's log retention policy in your [log monitoring account](https://app.logz.io/#/dashboard/settings/usage-and-billing). items: type: object example: {Array of logs} #additionalProperties: # type: object pagination: $ref: '#/definitions/Pagination' PagedSearchResponseTriggeredAlert: type: object properties: total: type: integer format: int32 description: The total number of events returned by the query. The total entities found after filtering and sorting. This number is fixed and not affected by pagination. example: 500 results: type: array items: $ref: '#/definitions/TriggeredAlert' pagination: $ref: '#/definitions/Pagination' PagedEdithResponseTriggeredResponse: type: array properties: id: type: string description: Unique identifier for the alert or event. example: 1234e5a6-1d1d-12a3-a1fa-b12345b6b7a8 alertEventId: type: string description: Identifier for the specific alert event. example: ac1f234f-12da-123d-1ecc-12ed3ccbac45 title: type: string description: Title of the alert. example: Auth0 - Account blocked due to repeated failed login attempts description: type: string description: Detailed description of the alert. example: An account was blocked due to 10 failed login attempts from the same IP address. severity: type: string description: Alert severity level (e.g., INFO, MEDIUM). example: MEDIUM status: type: string description: Current status of the alert (e.g., NEW, RESOLVED). example: ASSIGNED assignee: type: integer format: int32 description: User ID of the person assigned to the alert. example: 1234567 triggeredAt: type: integer format: int64 description: Timestamp (in seconds since epoch) when the alert was triggered. example: 1734517694.888000000 updatedAt: type: integer format: int64 description: Timestamp (in seconds since epoch) when the alert was last updated. example: 1735046340.774085000 updatedBy: type: integer format: int32 description: User ID of the person who last updated the alert. example: 12345 comment: type: string description: Comment associated with the alert. example: This is a comment. commentedBy: type: integer format: int32 description: User ID of the person who added the comment. example: 12323 alertDefinitionId: type: integer format: int32 description: Identifier for the alert definition. example: 3245176 count: type: integer format: int32 description: Number of occurrences of the alert. example: 1 lastTriggeredAt: type: integer format: int64 description: Timestamp (in seconds since epoch) when the alert was last triggered. example: 1734517694.888000000 type: type: string description: Type of alert (e.g., GROUP, ALERT_EVENT). example: ALERT_EVENT groupingType: type: string description: Grouping method for the alert (e.g., ALERT_BASED). example: ALERT_BASED PagedSearchResponseTriggeredResponse: type: object properties: total: type: integer format: int32 description: The total number of events returned by the rule search query. The total entities found after filtering and sorting. This number is fixed and not affected by pagination. example: 500 results: type: array items: $ref: '#/definitions/TriggeredRule' pagination: $ref: '#/definitions/Pagination' TriggeredAlert: type: object properties: alertId: type: integer format: int32 description: Unique identifier of the security rule in Logz.io Cloud SIEM. Equivalent to the log field `logzio-alert-definition-id` example: 453345 name: type: string description: Name of the security rule in Logz.io Cloud SIEM example: AWS EC2 - Brute force SSH login attempts description: type: string description: Typically an explanation of the security rule's logic and suggested next steps example: Suggested next steps... alertSummary: type: string description: Equivalent to the `condition` field in the rule example: Alert if query '*' results GREATER_THAN_OR_EQUALS 5.00 in 10 minutes. Count on Group By '[userIdentity.userName, sourceIPAddress]' eventDate: type: integer format: int64 description: UNIX timestamp in seconds showing when the rule's conditions were met and the event was triggered example: 1587860455 alertWindowStartDate: type: integer format: int64 description: UNIX timestamp in seconds of the earliest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule. example: 1587856855 alertWindowEndDate: type: integer format: int64 description: UNIX timestamp in seconds of the latest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule. example: 1587860455 severity: type: string enum: - INFO - LOW - MEDIUM - HIGH - SEVERE description: Severity of the security event as determined by the security rule's definition example: SEVERE alertEventId: type: string description: Unique identifier of the security event in Logz.io Cloud SIEM. Equivalent to the log field `logzio-alert-event-id` example: 27cdcf45-ae12-581a-809e-17a6bbc9ae07 groupBy: type: object description: A map object. Array of field:value pairs (key-value pairs) used by the security rule to aggregate results. Security rules can apply `groupBy` conditions to aggregate results by up to 3 fields. The fields differ rule by rule. example: {"source_ip": "122.17.45.15", "hostname":"hostname1234" } #additionalProperties: # type: map # maximum: 3 # description: The fields differ by rule. There can be 1-3 fields. tags: type: array description: Tags are labels used to organize security rules. example: threat items: type: object example: { network_threat, recon} hits: type: integer format: int32 description: Hits represent the number of logs that triggered the security rule before being aggregated by the `groupBy` condition. example: 30 isMuted: type: boolean description: Describes whether a specific returned alert event is muted. example: true TriggeredRule: type: object properties: alertId: type: integer format: int32 description: Unique identifier of the security rule in Logz.io Cloud SIEM. Equivalent to the log field `logzio-alert-definition-id` example: 453345 name: type: string description: Name of the security rule in Logz.io Cloud SIEM example: AWS EC2 - Brute force SSH login attempts description: type: string description: Typically an explanation of the security rule's logic and suggested next steps example: Suggested next steps... alertSummary: type: string description: Equivalent to the `condition` field in the rule example: Alert if query '*' results GREATER_THAN_OR_EQUALS 5.00 in 10 minutes. Count on Group By '[userIdentity.userName, sourceIPAddress]' eventDate: type: integer format: int64 description: UNIX timestamp in seconds showing when the rule's conditions were met and the event was triggered example: 1587860455 alertWindowStartDate: type: integer format: int64 description: UNIX timestamp in seconds of the earliest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule. example: 1587856855 alertWindowEndDate: type: integer format: int64 description: UNIX timestamp in seconds of the latest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule. example: 1587860455 severity: type: string enum: - INFO - LOW - MEDIUM - HIGH - SEVERE description: Severity of the security event as determined by the security rule's definition example: SEVERE alertEventId: type: string description: Unique identifier of the security event in Logz.io Cloud SIEM. Equivalent to the log field `logzio-alert-event-id` example: 27cdcf45-ae12-581a-809e-17a6bbc9ae07 groupBy: type: object description: A map object. Array of field:value pairs (key-value pairs) used by the security rule to aggregate results. Security rules can apply `groupBy` conditions to aggregate results by up to 3 fields. The fields differ rule by rule. example: {"source_ip": "122.17.45.15", "hostname":"hostname1234" } #additionalProperties: # type: map # maximum: 3 # description: The fields differ by rule. There can be 1-3 fields. tags: type: array description: Tags are labels used to organize security rules. example: threat items: type: object example: { network_threat, recon} hits: type: integer format: int32 description: Hits represent the number of logs that triggered the security rule before being aggregated by the `groupBy` condition. example: 30 isMuted: type: boolean description: Describes whether a specific returned alert event is muted. example: true mitreTags: type: array items: type: string description: Tags used for classifying, discussing, and interpreting security incidents. This feature is currently under development. AlertsEventsEditRequest: type: object properties: filter: $ref: '#/definitions/RulesEventsEdit' summary: Edit rules. AlertsEventsSearchRequest: type: object properties: filter: $ref: '#/definitions/RulesEventsFilter' summary: Filter by rule name, rule severity, or time range. sort: description: Explicit sorting rules are not required, but recommended. Otherwise the database will determine the sorting. type: array items: $ref: '#/definitions/RulesEventsSortRequest' pagination: $ref: '#/definitions/Pagination' RulesEventsSortRequest: type: object required: - field properties: field: type: string description: Sort by date and/or severity. Order determines secondary sorting. enum: - DATE - SEVERITY descending: type: boolean default: true description: If left blank, descending sorting will result. If `false` results in ascending sorting. RulesEventsEdit: type: object description: Edit Security rules. properties: id: type: string description: Unique identifier for the alert or event. example: 1234e5a6-1d1d-12a3-a1fa-b12345b6b7a8 alertEventId: type: string description: Identifier for the specific alert event. example: ac1f234f-12da-123d-1ecc-12ed3ccbac45 title: type: string description: Title of the alert. example: Auth0 - Account blocked due to repeated failed login attempts description: type: string description: Detailed description of the alert. example: An account was blocked due to 10 failed login attempts from the same IP address. severity: type: string description: Alert severity level (e.g., INFO, MEDIUM). example: MEDIUM status: type: string description: Current status of the alert (e.g., NEW, RESOLVED). example: ASSIGNED assignee: type: integer format: int32 description: User ID of the person assigned to the alert. example: 1234567 triggeredAt: type: integer format: int64 description: Timestamp (in seconds since epoch) when the alert was triggered. example: 1734517694.888000000 updatedAt: type: integer format: int64 description: Timestamp (in seconds since epoch) when the alert was last updated. example: 1735046340.774085000 updatedBy: type: integer format: int32 description: User ID of the person who last updated the alert. example: 12345 comment: type: string description: Comment associated with the alert. example: This is a comment. commentedBy: type: integer format: int32 description: User ID of the person who added the comment. example: 12323 alertDefinitionId: type: integer format: int32 description: Identifier for the alert definition. example: 3245176 count: type: integer format: int32 description: Number of occurrences of the alert. example: 1 lastTriggeredAt: type: integer format: int64 description: Timestamp (in seconds since epoch) when the alert was last triggered. example: 1734517694.888000000 type: type: string description: Type of alert (e.g., GROUP, ALERT_EVENT). example: ALERT_EVENT groupingType: type: string description: Grouping method for the alert (e.g., ALERT_BASED). example: ALERT_BASED RulesEventsFilter: type: object description: Filter by rule name, rule severity, or time range. properties: searchTerm: type: string example: Falco description: Filter for a matching string in the security rule name. You can manually test your results in the [UI](https://app.logz.io/#/dashboard/security/rules/rule-definitions?from=0&sortBy=updatedAt&sortOrder=DESC). severities: type: array description: Filter by the severities of the security rules. You can manually test your results in the [UI](https://app.logz.io/#/dashboard/security/rules/rule-definitions?from=0&sortBy=updatedAt&sortOrder=DESC). items: type: string example: SEVERE enum: - INFO - LOW - MEDIUM - HIGH - SEVERE timeRange: $ref: '#/definitions/RulesTimeRange' includeMutedEvents: type: boolean example: true description: Defines if muted events need to be passed. The endpoint will return both non-muted and muted events if this is set to `true`. RulesTimeRange: type: object required: - fromDate - toDate description: Add a timerange to filter by event timestamps that fall within the range. If applied, both the earliest and latest thresholds are required. properties: fromDate: type: integer format: int64 example: 1587134557 description: Absolute UNIX timestamp in seconds (not milliseconds). Your security account's retention policy determines the earliest events you'll be able to retrieve. toDate: type: integer format: int64 example: 1587137557 description: Absolute UNIX timestamp in seconds (not milliseconds). PagedSearchResponseSecurityRuleResponse: type: object properties: total: type: integer format: int32 description: The total number of rules returned by the query. The total entities found after filtering and sorting. This number is fixed and not affected by pagination. example: 500 results: type: array items: $ref: '#/definitions/SecurityRuleResponse' pagination: $ref: '#/definitions/Pagination' AlertsSearchRequest: title: Search request Results type: object properties: filter: description: Filter by rule name, severity, and more. If you want to get all rules, just send `filter` as an empty object the payload. $ref: '#/definitions/AlertsFilter' sort: description: Explicit sorting rules are not required, but recommended. Otherwise the database will determine the sorting. $ref: '#/definitions/AlertsSortRequest' pagination: $ref: '#/definitions/Pagination' AlertsSortRequest: type: object required: - field properties: sortByField: type: string description: Sort by a single parameter. enum: - SEVERITY - name - createdAt - updatedAt descending: type: boolean default: true description: If left blank, descending sorting will result. If `false` results in ascending sorting. AlertsFilter: type: object properties: search: type: string description: Searches by rule titles and descriptions that contain the string. severities: type: array items: type: string enum: - INFO - LOW - MEDIUM - HIGH - SEVERE description: List of rule severities, as specified by the security rule's definition example: ["SEVERE", "HIGH"] updatedBy: type: array items: type: string description: Email addresses of the last users to update the rules createdBy: type: array items: type: string description: Email addresses of the user who created the rules. enabledState: type: list of booleans description: true to include enabled rules, false to include disabled rules. An empty list defaults to both enabled and disabled rules. example: [true] emailNotifications: type: array items: type: string description: List of email addresses on the recipients list to receive notifications when the rules trigger. tags: type: array items: type: string description: Tags are labels used to organize security rules # ::::: DEPLOYMENT MARKER DEFINITIONS CreateMarkersRequest: type: object properties: markers: type: array items: $ref: '#/definitions/MarkerDataPoint' MarkerDataPoint: type: object required: - title - description properties: title: type: string description: Specify a marker title, for example, a service name. The title appears in the Deployments list your Exceptions tab. example: ServiceA tag: type: string description: Specify `DEPLOYMENT` for the Deployment marker to appear in the Deployments list in your Exceptions tab. default: OTHER example: DEPLOYMENT enum: - DEPLOYMENT - OTHER timestamp: type: integer format: int64 description: Date of the deployment event, as Unix epoch milliseconds example: 1613311091679 description: type: string description: Add a description to provide additional detail. example: Description with additional context required: true metadata: type: object additionalProperties: type: string example: version: version 5 deployer: iron man description: >- Provides additional metadata with details of the deployment. (Future functionality: Metadata will be used to filter deploymentsby several dimensions. For example, to filter deployments by service and region to focus on deployments performed on a specific service and a specific region. # ::::: Log Insights PublicGetAccountInsightsRequest: type: object properties: startDate: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the start date for the query time frame. By default, returns the past 15 minutes ("now - 15 minutes" translated into a UNIX timestamp). example: 1592904389950 endDate: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the end date for the query time frame. By default, returns the current time ("now" translated into a UNIX timestamp). example: 1592254800000 from: type: integer format: int32 description: Of the results found, the first result to return. Must be a non-negative integer. default: 0 example: 0 size: type: integer format: int32 description: Number of results to return. Must be a positive integer between 1-100. default: 10 maximum: 100 minimum: 1 example: 100 insightTypes: type: array items: type: string enum: - PUBLIC_CI - LOGCEPTION description: Filters results by Insight type. `LOGCEPTION` filters for application insights. `PUBLIC_CI` filters for Cognitive Insights. default: ["PUBLIC_CI", "LOGCEPTION"] example: ["PUBLIC_CI", "LOGCEPTION"] tagNames: type: array items: type: string description: Filters results by the tag values used to categorize Insights. example: logTypes: type: array items: type: string description: Filters results by [log type](/user-guide/log-shipping/built-in-log-types.html). example: ["log-engine", "spark"] onlyNew: type: boolean description: Filters for Insights that first occurred in the selected time frame. In other words, excludes Insights that were first identified before or after the selected time range. default: false example: true sortBy: type: string enum: - FIRST_OCCURRENCE - LAST_OCCURRENCE - COUNT description: Sorts Insights by the selected parameters. default: COUNT example: COUNT asc: type: boolean description: If `false`, sorts Insights in descending order. The order depends on the selected `sortBy` paramater. default: false example: true search: type: string description: Searches for an Insight by its title. example: Exception PageResponsePublicAccountInsightResponse: type: object properties: pageSize: type: integer format: int32 minimum: 0 maximum: 500 description: Number of results to return per page. Must be a positive integer between 0-500. from: type: integer format: int32 minimum: 0 maximum: 2147483647 description: UNIX timestamp in milliseconds. total: type: integer format: int64 minimum: 0 maximum: 500 description: Total number of results found. results: type: array items: $ref: '#/definitions/PublicAccountInsightResponse' PublicAccountInsightResponse: type: object properties: insightId: type: string description: An ID identifying the Insight in Logz.io. Can be used to track the Insight's occurrence in the environment over time. example: "cf484f4c381c3e408a23accc5b487947d2f68791" insightType: type: string enum: - PUBLIC_CI - LOGCEPTION description: Identifies the type of Insight as either `LOGCEPTION` (application insights) or `PUBLIC_CI` (Cognitive Insights). example: PUBLIC_CI tagName: type: string description: Tags applied to the Insight help to categorize it. example: ignite description: type: string description: A helpful description of the issue identified by the Insight. The description is generated by Logz.io. example: A match for the phrase - <'Could not find the language line'> was identified in the log message. As mentioned in the cited links, this may indicate that an issue has taken place that requires your attention. links: type: array items: type: string description: Only applicable for `PUBLIC_CI` Insights. Provides reference links to recommended resources for further investigation of the issue. example: https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/784 https://www.sitepoint.com/multi-language-support-in-codeigniter/ http://forum.codeigniter.com/thread-383.html https://community.invoiceplane.com/t/topic/3322 https://www.zonwhois.com/www/gwdcanada.com.html additionalData: type: object description: Only applicable for `LOGCEPTION` Insights. Provides relevant excerpts from the stacktrace about the exception in question. additionalProperties: type: object firstOccurrence: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the earliest appearance of the Insight. The lookback period is up to 6 months. example: 1591181276000 lastOccurrence: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the most recent appearance of the Insight in the selected time frame. example: 1591253121194 count: type: integer format: int64 description: The number of times the Insight occurred during the selected time frame. example: 66 logTypes: type: array items: type: string example: ["app-server", "user-analytics"] kibanaLink: type: string description: Only applicable for `LOGCEPTION` Insights. Provides a drill-down link to fetch the raw logs that match the Insight in Kibana Discover. insightTitle: type: string description: The title of the Insight. example: "Could not find the language line create_user_validation_phone_label" # ::::: AUDIT TRAIL DEFINITIONS AuditTrailEventTypesResponse: type: object properties: eventTypes: type: array items: type: string description: Event types in the audit trail example: [ "Added user", "Admin created a sub account", "Changed password", "Failed login", "Login", "Logz.io admin has enabled a sawmill configuration", "Suspended user", "User created a token", "User installed an ELK app" ] AuditEventData: type: object properties: auditEventUser: $ref: '#/definitions/AuditEventUser' date: type: integer format: int64 description: Date of the audit event, as Unix epoch milliseconds example: 1527168668 auditEventTypeTitle: type: string description: The event type example: Admin created a sub account ip: type: string description: IP address of the client device that generated the event example: 52.203.237.249 geoLocation: type: string description: Geographical location of the device that made the request example: New York - USA extraDataList: type: array items: $ref: '#/definitions/AuditEventExtraData' valid: type: boolean AuditEventExtraData: type: object properties: fieldName: type: string description: Name of the field example: Account name oldValue: type: string description: Original value of the field example: Test account newValue: type: string description: New value of the field example: Apache access logs AuditEventTypeData: type: object properties: auditEventType: type: string description: Code for the event type example: Added user auditEventTypeTitle: type: string description: Description of the event type example: Added user AuditEventUser: type: object properties: id: type: integer format: int32 description: ID of the user or token example: 5374 fullName: type: string description: First and last name of the user, or name of the token example: Larry Appleton deleted: type: boolean description: If this user or token has been deleted, `true`. Otherwise, `false`. example: false userToken: type: boolean description: If this is a token, `true`. If this is a user, `false`. AuditTrailFilteredResponse: type: object properties: pageSize: type: integer format: int32 minimum: 0 maximum: 500 description: The number of results requested example: 50 from: type: integer format: int32 minimum: 0 maximum: 2147483647 description: Of the results found, the first result returned. example: 0 total: type: integer format: int64 minimum: 0 maximum: 500 description: Total number of results that met the search criteria. results: type: array items: $ref: '#/definitions/AuditEventData' auditEventUsersList: type: array items: $ref: '#/definitions/AuditEventUser' auditEventTypesList: type: array items: $ref: '#/definitions/AuditEventTypeData' AuditTrailFilterRequest: type: object properties: size: type: integer format: int32 minimum: 0 maximum: 500 default: 500 description: Maximum number of results to return. example: 150 from: type: integer format: int32 minimum: 0 maximum: 2147483647 default: 0 description: Of the results found, the first result to return. example: 15 auditEventUser: $ref: '#/definitions/AuditEventUser' auditEventType: type: string description: Code for the event type example: Added user fromDate: type: integer format: int64 description: Starting timedate, as Unix epoch milliseconds. example: 389880000 toDate: type: integer format: int64 description: Ending timedate, as Unix epoch milliseconds. example: 414763200 sortDescending: type: boolean description: To sort results in descending order, `true`. For ascending order, `false`. includeFiltersData: type: boolean # ::::: CLOUDTRAIL DEFINITIONS CloudTrailResponse: type: object properties: id: type: integer format: int32 description: Logz.io ID of the CloudTrail connector. Use this ID to perform operations on the connector using Logz.io API endpoints. example: 15 accessKey: type: string description: AWS S3 access key example: ee07df5801500745419c6dff bucket: type: string description: AWS S3 bucket name example: cloudtrails bucket prefix: type: string description: Prefix of the AWS S3 bucket example: AWSLogs/7364988021587/myprefix active: type: boolean description: If `true`, the CloudTrail connector is active and logs are being shipped to Logz.io. If `false`, the connector is disabled. example: true IdBean: type: object properties: id: type: integer format: int32 readOnly: true minimum: 1 description: Logz.io ID of the CloudTrail connector. Use this ID to perform operations on the connector using Logz.io API endpoints. CloudTrailRequest: type: object properties: accessKey: type: string description: AWS S3 access key example: ee07df5801500745419c6dff secretKey: type: string description: AWS secret access key example: 506d891fe2163a511b450eddc3279539f6 bucket: type: string description: AWS S3 bucket name example: LogzioBucket prefix: type: string description: Prefix of the AWS S3 bucket example: AWSLogs/7364988021587/myprefix active: type: boolean description: If `true`, the CloudTrail connector is active and logs are being shipped to Logz.io. If `false`, the connector is disabled. MessageBean: type: object properties: message: type: string readOnly: true # ::::: S3 DEFINITIONS S3BucketRequest: type: object required: - bucket - region - logsType properties: accessKey: type: string description: AWS S3 bucket access key example: ee07df5801500745419c6dff secretKey: type: string description: AWS S3 bucket secret key example: 506d891fe2163a511b450eddc3279539f6 arn: type: string description: Amazon Resource Name (ARN) to uniquely identify the S3 bucket. To generate a new ARN, create a new IAM Role in your AWS admin console. bucket: type: string description: AWS S3 bucket name example: AWS bucket prefix: type: string description: Prefix of the AWS S3 bucket example: AWSLogs/7364988021587/myprefix active: type: boolean default: true description: If `true`, the S3 bucket connector is active and logs are being shipped to Logz.io. If `false`, the connector is disabled. example: true addS3ObjectKeyAsLogField: type: boolean default: false description: If `true`, enriches logs with a new field detailing the S3 object key. example: true region: type: string description: Specify one supported AWS region. enum: - US_EAST_1 - US_EAST_2 - US_WEST_1 - US_WEST_2 - EU_WEST_1 - EU_WEST_2 - EU_WEST_3 - EU_CENTRAL_1 - AP_NORTHEAST_1 - AP_NORTHEAST_2 - AP_SOUTHEAST_1 - AP_SOUTHEAST_2 - SA_EAST_1 - AP_SOUTH_1 - CA_CENTRAL_1 logsType: type: string enum: - elb - vpcflow - S3Access - cloudfront description: Specify the log type you will be sending to Logz.io. As a result, Logz.io will apply the appropriate parsing pipeline. [Learn more about parsing options supported by Logz.io](/user-guide/log-shipping/built-in-log-types.html). example: elb S3BucketResponse: type: object required: - bucket - region - logsType properties: accessKey: type: string description: AWS S3 bucket access key example: ee07df5801500745419c6dff secretKey: type: string description: AWS S3 bucket secret key example: 506d891fe2163a511b450eddc3279539f6 arn: type: string description: Amazon Resource Name (ARN) to uniquely identify the S3 bucket. To generate a new ARN, create a new IAM Role in your AWS admin console. bucket: type: string description: AWS S3 bucket name example: AWS bucket prefix: type: string description: Prefix of the AWS S3 bucket example: AWSLogs/7364988021587/myprefix active: type: boolean default: true description: If `true`, the S3 bucket connector is active and logs are being fetched to Logz.io. If `false`, the connector is disabled. example: true addS3ObjectKeyAsLogField: type: boolean default: false description: If `true`, enriches logs with a new field detailing the S3 object key. example: true region: type: string description: Specify one supported AWS region. enum: - US_EAST_1 - US_EAST_2 - US_WEST_1 - US_WEST_2 - EU_WEST_1 - EU_WEST_2 - EU_WEST_3 - EU_CENTRAL_1 - AP_NORTHEAST_1 - AP_NORTHEAST_2 - AP_SOUTHEAST_1 - AP_SOUTHEAST_2 - SA_EAST_1 - AP_SOUTH_1 - CA_CENTRAL_1 logsType: type: string enum: - elb - vpcflow - S3Access - cloudfront description: Specifies the log type being sent to Logz.io. Determines the parsing pipeline used to parse and map the logs. [Learn more about parsing options supported by Logz.io](/user-guide/log-shipping/built-in-log-types.html). example: elb AWSAssumeRoleDetails: type: object properties: logzioAWSAccountId: type: string description: Logz.io account ID. Provide this account ID when creating a new AWS IAM Role. example: assignedExternalId: type: string description: Logz.io external ID. Provide this external ID when creating a new AWS IAM Role. example: # ::::: NOTIFICATION ENDPOINTS DEFINITIONS EndpointUpsertResponse: type: object properties: id: type: integer format: int32 description: "ID of the notification endpoint. If the API call was made where `test=true`, then no changes are made to the endpoint. In this case, the response body contains `{\"id\": -1}` to indicate that a test message was sent." example: 88 SlackEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: New Slack endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to logzio-alerts channel url: type: string description: Your Slack webhook URL example: https://hooks.slack.com/services/REDACTED/REDACTED/REDACTED CustomEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: New custom endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to my custom endpoint url: type: string description: URL where the notification will be sent example: https://my.custom-endpoint.com method: type: string description: The HTTP used to send the notification example: POST headers: type: string description: Header parameters to include, as comma-separated key-value pairs example: authKey=6e30-60a9-3591 bodyTemplate: type: object description: JSON object that serves as the template for the message body. additionalProperties: type: object example: {"subject": "Alert from Logz.io", "message": {"severity": "LOW", "body": "Check Logz.io for log activity"}} PagerDutyEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: PagerDuty endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to PagerDuty serviceKey: type: string description: API key from PagerDuty example: 94ad63254a1397a51a1ae340c4f10890 BigPandaEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: BigPanda endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to BigPanda apiToken: type: string description: API authentication token from BigPanda example: 94ad63254a1397a51a1ae340c4f10890 appKey: type: string description: Application key from BigPanda example: c687f9231619d7d7b959f33e4cc821a5 DatadogEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: Datadog endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to Datadog apiKey: type: string description: API key from Datadog example: c687f9231619d7d7b959f33e4cc821a5 VictoropsEndpointUpsertRequest: type: object required: - messageType - routingKey - serviceApiKey properties: title: type: string description: Name of the endpoint example: VictorOps endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to VictorOps routingKey: type: string description: Alert routing key from VictorOps example: devops messageType: type: string description: VictorOps REST API `message_type`. For more information, see [VictorOps knowledge base](https://help.victorops.com/knowledge-base/victorops-restendpoint-integration/). example: WARNING serviceApiKey: type: string description: API key from VictorOps example: c687f9231619d7d7b959f33e4cc821a5 Endpoint: type: object properties: endpointType: type: string enum: - BigPanda - Slack - Datadog - Custom - PagerDuty - VictorOps - Opsgenie - ServiceNow - Microsoft Teams description: The notification endpoint type that will receive alert messages example: Slack id: type: integer format: int32 description: ID of the notification endpoint example: 88 title: type: string description: Name of the endpoint example: Slack description: type: string description: Detailed description of the endpoint example: Endpoint for sending alerts to Slack OpsGenieEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: OpsGenie endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to OpsGenie apiKey: type: string description: API key from OpsGenie, see https://docs.opsgenie.com/docs/logz-io-integration example: c687f9231619d7d7b959f33e4cc821a5 ServiceNowEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: New ServiceNow endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to logzio-alerts channel username: type: string description: ServiceNow user name example: User password: type: string description: ServiceNow password example: Password url: type: string description: Provide your instance URL to connect to your existing ServiceNow instance, i.e. https://xxxxxxxxx.service-now.com/. example: https://my.custom-endpoint.com MicrosoftTeamsEndpointUpsertRequest: type: object properties: title: type: string description: Name of the endpoint example: New Microsoft Teams endpoint description: type: string description: Detailed description of the endpoint example: Sends notifications to logzio-alerts channel url: type: string description: Your Microsoft Teams webhook URL, see https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook example: https://my.custom-endpoint.com # ::::: KIBANA IMPORT/EXPORT DEFINITIONS KibanaExportResponse: type: object properties: kibanaVersion: type: string readOnly: true description: The version of Kibana used at the time of export example: 4.0.0-beta3 hits: type: array readOnly: true items: type: object description: Exported Kibana objects KibanaExportRequest: type: object required: - type properties: type: type: string enum: - search - visualization - dashboard - query description: The object type to export KibanaImportResponse: type: object properties: created: type: array readOnly: true items: type: string example: E-commerce-App-Transactions-overtime description: Name of Kibana objects that were created updated: type: array readOnly: true items: type: string example: HTTP-Response-over-time description: Names of the Kibana objects that were overwritten. Objects are shown here only if `override` was `true` in the import call. ignored: type: array readOnly: true items: type: string example: Transaction-overtime description: Names of the Kibana objects that were not overwritten. Objects are shown here only if `override` was `false` in the import call. failed: type: array readOnly: true items: type: string example: Apache-Response-Over-Time description: Names of the Kibana objects that could not be created, updated, or ignored. KibanaImportRequest: type: object properties: kibanaVersion: type: string description: The version of Kibana used at the time of export. This must match the current version of Kibana that you're importing to. example: 4.0.0-beta3 override: type: boolean description: >- To update an existing object with the same ID, `true`. Otherwise, `false`. If override is `true`, response message shows overwritten objects as `updated`. If override is `false`, no existing objects are updated, and response message shows these objects as `ignored`. example: false hits: type: array items: type: object additionalProperties: type: object description: >- Each JSON object in the array represents a discrete Kibana object. **Note:** As a best practice, import only objects that were exported from Kibana. # ::::: SEARCH, SCROLL DEFINITIONS ScrollResponse: type: object properties: code: type: integer format: int32 readOnly: true example: 200 scrollId: type: string readOnly: true description: Keep passing this ID in the request until you've retrieved all of the results. Copy this ID and pass it as the field `scroll_id` in a request to the same endpoint to retrieve the next page of results. (Remember to first clear the request body of all other parameters. The `scrollId` is valid for 20 minutes.) example: DnF1ZXJ5VGhlbkZldGNoCQAAAAAWXRbqFlNpSWRrTUtXUUR1N1pJbG9uSkJINncAAAAAFp6B-xZTTVFrMGt4eVFnZXhQZV9YbVRrU3NnAAAAABakA8QWNjY1RUZtdWZRS1NZZWt1ZERTNHNaQQAAAAAWXRbrFlNpSWRrTUtXUUR1N1pJbG9uSkJINncAAAAAFl0W7BZTaUlka01LV1FEdTdaSWxvbkpCSDZ3AAAAABQ1nb4WVjRyRlUxZWRUU0dzbTV5VVVqYkhxdwAAAAAUdHVqFlF0b3Znei1ZUXgtZEkyZkR3M0pMbGcAAAAAFvGs6hZKVklxaXIyZ1NOQzF5NHg1cmhtVDV3AAAAABR0dWkWUXRvdmd6LVlReC1kSTJmRHczSkxsZw== hits: type: string readOnly: true description: Query results in stringified JSON format. 'hits' are the total number of logs that match the query. ScrollRequest: type: object properties: query: type: object description: >- Add a search query to receive the `scrollID` in the result. The query can take any of the parameters described in the [Elasticsearch Search API DSL documentation](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search.html) with the exceptions stated below. You can only add the `query` parameters if you are not passing the `scroll_id` in the request. #### Limitations * The query can only run on 2 consecutive indexes. By default, the query runs on data sent today and yesterday. You can also add a filter on `timestamp` to search a smaller time frame. * When using `query_string`, `allow_leading_wildcard` must be set to `false` to disable leading wildcards. In other words, the query can't start with `*` or `?` * Can't use `fuzzy_max_expansions`, `max_expansions`, or `max_determinized_states` size: type: integer format: int32 description: Number of results to return default: 10 maximum: 1000 example: 50 from: type: integer format: int32 minimum: 0 description: Of the results found, the first result to return. example: 0 sort: type: array items: type: object description: >- #### Limitations * Can't sort on analyzed fields, such as the `message` field _source: type: object description: >- The object `includes` specifies an array of strings specifying an array of fields to return. * If you omit `_source` from the request, all fields are returned. * If you pass `'_source': false`, it will exclude the `_source` field from the results. properties: includes: type: array description: Array of fields to return items: type: string example: [ "message" ] post_filter: type: object scroll: type: string description: >- These time units are supported:

Unit	Description
`m`	minutes
`s`	seconds
`ms`	milliseconds
`micros`	microseconds
`nanos`	nanoseconds

#### Limitations * Time search must be ≤ 5 minutes. If no time is specified, default is `1m` (1 minute). aggregations: type: object description: >- Apply field aggregations. See the [Elasticsearch guide](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-aggregations.html) for details. #### Limitations * When using the `size` element, the value must be ≤ `1000` * Can't nest 2 or more bucket aggregations of these types: `date_histogram`, `geohash_grid`, `histogram`, `ip_ranges`, `significant_terms`, `terms` * Can't sort or aggregate on analyzed fields, such as the `message` field * Aggregation type `significant_terms` and `multi_terms` can't be used * If the request specifies aggregations, only the initial search response will contain the aggregations results **Note:** You can use `aggs` or `aggregations` as the field name example: { "byType": { "terms": { "field": "type", "size": 5 } } } # ::::: SHARED TOKENS DEFINITIONS QueryFilter: type: object required: - field - value properties: id: type: integer format: int32 description: ID of the shared token filter example: 339 field: type: string pattern: '^[a-zA-Z0-9_@.-]+$' description: The field to filter value: type: string pattern: '^[a-zA-Z0-9_@.-]+$' description: The filter query description: type: string description: Name of the filter example: 503 responses SharedToken: type: object properties: id: type: integer format: int32 description: ID of the shared token example: 1241 name: type: string description: Descriptive name of the token example: Snapshotting token token: type: string description: The token example: 6c36edf51-cf93883aa35-5bc6ce6-7bcfe60d87 filters: type: array uniqueItems: true items: type: integer format: int32 description: Array of filter IDs attached to each token. If no filter is attached, `null`. example: [339, 340] lastUsed: type: array uniqueItems: true items: type: integer format: int64 description: UNIX timestamp in milliseconds. If token wasn't in use, `null`. example: 1735743699.000000000 expirationDate: type: array uniqueItems: true items: type: integer format: int64 description: UNIX timestamp in milliseconds. If token doesn't have expiration date, `null`. example: 1735743699.000000000 filtersOperator: type: array uniqueItems: true items: type: string description: Logical operator used to combine filters. Possible values can be `OR` or `AND`. example: "OR" CreateSharedTokenRequest: type: object properties: tokenName: type: string default: string description: Name of the token example: Support team token filters: type: array uniqueItems: true items: type: integer format: int32 description: IDs of filters to attach to the token example: [ 339 ] filtersOperator: type: array uniqueItems: true items: type: string description: Logical operator used to combine filters. Possible values can be `OR` or `AND`. example: "OR" UpdateSharedTokenRequest: type: object required: - filters properties: filters: type: array uniqueItems: true items: type: integer format: int32 description: ID of the filter example: 339 description: IDs of filters to attach to the token. To remove all filters, use an empty array `[]`. filtersOperator: type: array uniqueItems: true items: type: string description: Logical operator used to combine filters. Possible values can be `OR` or `AND`. example: "OR" # ::::: API TOKENS DEFINITIONS ApiTokenResponse: type: object properties: id: type: integer format: int32 description: ID of the newly created API token for the sub account example: 7386 name: type: string description: The name of the newly created API token for the sub account. Uses the name provided in the request. example: newTokenTest999 token: type: string description: The API token example: c498fbc3-a3ac-4676-ad09-689854b5cbbd" createdAt: type: integer format: int64 description: The time at which the new sub account API token was created example: 1621858311.000000000 CreateApiTokenRequest: type: object properties: name: type: string default: string description: The name provided in the request for a new API token for the sub account example: newTokenTest999 accountId: type: integer format: int32 description: Logz.io sub account ID. example: 160343 # ::::: SNAPSHOTS DEFINITIONS SnapshotCreateResponse: type: object properties: snapshotId: type: integer format: int32 description: ID of the snapshot example: 2049 SnapshotCreateRequest: type: object required: - snapshotSavedObjectId - snapshotTimeZone - snapshotType - timeFrameFrom - timeFrameTo properties: snapshotType: type: string enum: - DASHBOARD - VISUALIZATION description: The object type to share snapshotSavedObjectId: type: string description: ID of the object to share. If you don't know the object ID, you can use the [/kibana/export](#operation/exportSavedObjects) endpoint. example: 11f6a669-4f21-6313-dd83-319dbfc8ff96 slackWebhookUrls: type: array items: type: string description: >- URLs of Slack webhooks that you want to send this snapshot to.
At least one of `emails`, `slackWebhookUrls`, and `endpoints` is required with each request. If all three are missing, the request will fail. example: ["https://hooks.slack.com/services/REDACTED/REDACTED/REDACTED"] endpoints: type: array items: type: integer format: int32 description: >- IDs of notification endpoints that you want to send this snapshot to
At least one of `emails`, `slackWebhookUrls`, and `endpoints` is required with each request. If all three are missing, the request will fail. emails: type: array items: type: string description: >- Email addresses that you want to send this snapshot to
At least one of `emails`, `slackWebhookUrls`, and `endpoints` is required with each request. If all three are missing, the request will fail. message: type: string description: Message to send to the shared object recipients example: Take a look at these Apache logs, let me know if you want me to do anything about it timeFrameFrom: type: integer format: int64 description: Starting timedate of the visualization, as a Unix epoch integer. example: 389836800 timeFrameTo: type: integer format: int64 description: Ending timedate of the visualization, as a Unix epoch integer. example: 414720000 snapshotTimeZone: type: string description: Time zone to use in `timeFrameFrom` and `timeFrameTo` example: UTC queryString: type: string description: Search query example: "type:example" darkTheme: type: boolean description: To send the object with Kibana dark theme colors, `true`. Otherwise, `false`. SnapshotGetResponse: type: object properties: snapshotId: type: integer format: int32 description: ID of the snapshot example: 3094 accountId: type: integer format: int32 description: ID of the account example: 5555 snapshotType: type: string enum: - DASHBOARD - VISUALIZATION description: The object type example: VISUALIZATION status: type: string enum: - SUCCESS - FAILED - IN_PROGRESS description: Status of the snapshot capture operation example: SUCCESS snapshotSavedObjectName: type: string description: Name of the object captured in the snapshot example: Mysql response times percentiles imageUrl: type: string description: Web address where the snapshot image is stored example: https://snapshotter-logzio-prod.s3.amazonaws.com/1234/567890/snapshots/8843_3094_dC6pBjbrWc1lfN7Gob82oJuSUxTGbm8D6hDE1TcR1pVzIVO0TsB3tuZEZs1YpOGh.png appLinkUrl: type: string description: A link to the snapshot in the Logz.io app example: https://app.logz.io/#/dashboard/kibana?kibanaRoute=%2Fvisualize%2Fedit%a4d365e001-5bc9-4851-1933-a70b45a67e9d%3F_g%3D%2528time%253A%2528from%253A%25272018-06-02T15 message: type: string description: Message to send to snapshot recipients example: Hey, let me know if you need me to do anything about this. timeFrameFrom: type: integer format: int64 description: Starting timedate of the visualization, as a Unix epoch integer. example: 389836800 timeFrameTo: type: integer format: int64 description: Ending timedate of the visualization, as a Unix epoch integer. example: 414720000 snapshotTimeZone: type: string description: Time zone to use in `timeFrameFrom` and `timeFrameTo` example: UTC SnapshotNotification: type: object properties: id: type: integer format: int32 type: type: string enum: - EMAIL - SLACK address: type: string status: type: string enum: - PENDING - IN_WORK - NEED_RETRY - FAILED - SUCCESS SnapshotRequest: type: object properties: id: type: integer format: int32 snapshotType: type: string enum: - DASHBOARD - VISUALIZATION - SAVED_SEARCH snapshotSavedObjectName: type: string snapshotUrl: type: string appLinkUrl: type: string recipients: type: array items: $ref: '#/definitions/SnapshotNotification' message: type: string timeFrameFrom: type: integer format: int64 timeFrameTo: type: integer format: int64 snapshotTimeZone: type: string # ::::: USER MANAGEMENT DEFINITIONS User: type: object properties: id: type: integer format: int32 description: ID of the user example: 33265 username: type: string description: Email address used to sign in to Logz.io example: steve@winslows.com fullName: type: string description: First and last name of the user example: Stefan Urkel accountID: type: integer format: int32 description: Logz.io account ID. example: 55555 role: type: string description: User role. Can be `USER_ROLE_READONLY`, `USER_ROLE_REGULAR` or `USER_ROLE_ACCOUNT_ADMIN`. example: USER_ROLE_READONLY active: type: boolean description: If the user is active, `true`. If the user is suspended, `false`. example: true UserManagementUpsertResponse: type: object properties: id: type: integer format: int32 description: ID of the user example: 13485 UserManagementUpsertRequest: type: object required: - fullName - username - roles - accountID properties: username: type: string pattern: >- ^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$ description: Email address used to sign in to Logz.io. This property cannot be updated. A new user will need to be created for each email address. example: drvenkman@gbusters.com fullName: type: string description: The user's first and last name example: Peter Venkman accountID: type: integer format: int32 description: ID of the account attached to the user role: type: string description: User role. Can be `USER_ROLE_READONLY`, `USER_ROLE_REGULAR` or `USER_ROLE_ACCOUNT_ADMIN`. example: USER_ROLE_READONLY # ::::: DROP FILTERS DropFiltersCreateRequest: type: object required: ["fieldConditions"] properties: logType: type: string description: Filters for the [log type](/user-guide/log-shipping/built-in-log-types.html). example: apache description: type: string description: Description of the drop filter example: Drop all logs with response code 500 fieldConditions: type: array items: $ref: '#/definitions/FieldCondition' thresholdInGB: type: number format: double description: >- The threshold in GB for the drop filter. If the total size of the logs that match the filter exceeds this threshold, the logs are dropped before indexing.
If not specified, the default is `0`, which means that all logs that match the filter are dropped. example: 10.5 FieldCondition: type: object properties: fieldName: type: string description: Exact field name in your Kibana mapping for the selected `logType`. example: response value: type: object description: Exact field value. The filter looks for an exact value match of the entire string. example: 200 LogsDropFiltersPipelineDefinition: type: object properties: id: type: string description: Drop filter ID in the Logz.io database. You can run the `/v1/drop-filters/search` endpoint to retrieve the IDs of all the drop filters in the account. example: f54406c1-b4ad-5969-8542-f6a3e9df5c79 active: type: boolean description: If `true`, the drop filter is active and logs that match the filter are dropped before indexing. If `false`, the drop filter is disabled. example: true logType: type: string description: Filters for the [log type](/user-guide/log-shipping/built-in-log-types.html). example: apache description: type: string description: Description of the drop filter example: Drop all logs with response code 500 fieldConditions: type: array description: Filters for an exact match of a field:value pair. items: $ref: '#/definitions/FieldCondition' thresholdInGB: type: number format: double description: >- The threshold in GB for the drop filter. If the total size of the logs that match the filter exceeds this threshold, the logs are dropped before indexing.
If not specified, the default is `0`, which means that all logs that match the filter are dropped. example: 10.5 # ::::: Archive DEFINITIONS ArchiveSettings: type: object required: - storageType properties: storageType: type: string enum: - S3 - BLOB description: Specifies the storage provider. If `S3`, the `amazonS3StorageSettings` are relevant. If `BLOB`, the `azureBlobStorageSettings` are relevant. example: S3 enabled: type: boolean description: If `true`, archiving is currently enabled. default: true example: true compressed: type: boolean description: If `true`, logs are compressed before they are archived. default: true example: true amazonS3StorageSettings: description: Applicable settings when the `storageType` is `S3`. $ref: '#/definitions/S3StorageSettings' azureBlobStorageSettings: description: Applicable settings when the `storageType` is `Blob`. $ref: '#/definitions/BlobSettings' ArchiveSettingsResponse: type: object properties: id: type: integer format: int32 description: Unique ID of the archive settings. example: 323 settings: $ref: '#/definitions/ArchiveSettings' BlobSettings: type: object description: Applicable settings when the `storageType` is `Blob`. For detailed instructions about setting up a storage container in Azure and locating the required parameters, [click here](/user-guide/archive-and-restore/azure-blob-permissions/). required: - tenantId - clientId - clientSecret - accountName - containerName properties: tenantId: type: string description: Azure Directory (tenant) ID. The Tenant ID of the AD app. Go to Azure Active Directory > App registrations and select the app to see it. clientId: type: string description: Azure application (client) ID. The Client ID of the AD app, found under the App Overview page. Go to Azure Active Directory > App registrations and select the app to see it. clientSecret: type: string description: Azure client secret. Password of the Client secret, found in the app's Certificates & secrets page. Go to Azure Active Directory > App registrations and select the app. Then select Certificates & secrets to see it. accountName: type: string description: Azure Storage account name. Name of the storage account that holds the container where the logs will be archived. containerName: type: string description: Name of the container in the Storage account. This is where the logs will be archived. path: type: string nullable: true description: Optional virtual sub-folder specifiying a path within the container. Logs will be archived under the path “{container-name}/{virtual sub-folder}”. Avoid leading and trailing slashes (/). For example, the prefix “region1” is good, but “/region1/” is not. S3IamCredentials: type: object properties: arn: type: string description: Amazon Resource Name (ARN) to uniquely identify the S3 bucket. S3SecretCredentials: type: object required: - accessKey - secretKey description: Authentication with S3 Secret Credentials is supported for backward compatibility. IAM roles are strongly recommended. properties: accessKey: type: string secretKey: type: string S3StorageSettings: type: object required: - credentialsType - path description: Applicable settings when the `storageType` is `S3`. properties: credentialsType: description: Specifies which credentials will be used for authentication. The options are either `KEYS` with `s3SecretCredentials`, or `IAM` with `s3IamCredentials`. type: string enum: - IAM - KEYS path: type: string description: >- Specify a path to the **root** of the S3 bucket. (Currently, archiving to a sub-bucket is supported, but not restoring from one.) **Unique buckets** - It is important to archive each account/sub-account to a separate S3 bucket. s3SecretCredentials: $ref: '#/definitions/S3SecretCredentials' s3IamCredentials: $ref: '#/definitions/S3IamCredentials' TestStorageRequest: type: object properties: id: type: integer format: int32 archiveSettings: $ref: '#/definitions/ArchiveSettings' # ::::: SHIPPING TOKENS DEFINITIONS ShippingTokensModel: type: object properties: name: type: string description: This token's name. example: apac prod id: type: integer format: int32 description: This token's ID. example: 786351 token: type: string description: The token itself. example: 6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS updatedAt: type: string description: Unix timestamp of when this token was last updated. example: 414720000 updatedBy: type: string description: Email address of the last user to update this token. example: shalom.the.mighty@gmail.com createdAt: type: string description: Unix timestamp of when this token was created. example: 389836800 createdBy: type: string description: Email address of the user who created this token. example: you.got.this@gmail.com enabled: type: boolean description: If this token is enabled, `true`. If it's disabled, `false`. ShippingTokensRequest: type: object properties: name: type: string description: Descriptive name for this token. example: staging eu enabled: type: boolean default: true description: To enable this token, `true`. To disable, `false`. ShippingTokensLimitsResponse: type: object properties: maxAllowedTokens: type: integer format: int32 description: The number of log shipping tokens this account can have. example: 50 numOfEnabledTokens: type: integer format: int32 description: The number of log shipping tokens currently enabled for this account. example: 27 ShippingTokensSearchRequest: type: object properties: filter: $ref: '#/definitions/ShippingTokensFilterRequest' sort: type: array description: Sorts the results before returning them. items: $ref: '#/definitions/ShippingTokensSortRequest' pagination: $ref: '#/definitions/Pagination' ShippingTokensSortRequest: type: object properties: field: type: string enum: - createdAt - name description: >- To sort by creation date, use `"createdAt"`. To sort by name, use `"name"`. example: name descending: type: boolean description: >- For descending order, use `true`. For ascending order, use `false`. ShippingTokensFilterRequest: type: object required: - enabled description: Filters your search for token attributes. properties: enabled: type: boolean description: >- Set to `true` to filter for enabled tokens. Set to `false` to filter for disabled tokens. PagedSearchResponseShippingTokensModel: type: object properties: total: type: integer format: int32 results: type: array items: $ref: '#/definitions/ShippingTokensModel' pagination: $ref: '#/definitions/Pagination' # ::::: Alert DEFINITIONS Aggregation: type: object description: Specifies a trigger condition that acts as a threshold. properties: aggregationType: type: string description: >- Specifies the aggregation operator. * If `COUNT`, `fieldToAggregateOn` must be null, and `groupBy` fields must not be empty. * If `NONE`, `fieldToAggregateOn` must be null, and `groupBy` field must not be empty (or null). * If `PERCENTAGE`, `valueToAggregateOn` must be specified. * If any other operator type (other than `NONE` or `COUNT`), `fieldToAggregateOn` must not be null. enum: - SUM - MIN - MAX - AVG - COUNT - UNIQUE_COUNT - NONE - PERCENTAGE - PERCENTILE fieldToAggregateOn: type: string description: >- Selects the field on which to run the aggregation for the trigger condition. * Cannot be a field already in use for `groupBy`. valueToAggregateOn: type: string description: >- Used by the `PERCENTAGE` aggregation to select the field’s value. This value is used to determine if its ratio out of the total amount of logs in the query satisfies the trigger condition. * Only relevant for the `PERCENTAGE` aggregation. AlertV2Response: type: object properties: id: type: integer format: int32 description: Logz.io alert ID. example: 627816 updatedAt: type: string description: Date and time in UTC when the alert was last updated. example: 2020-04-02T18:58:16.000Z updatedBy: type: string description: Email of the user who last updated the alert. example: tomer@logz.io createdAt: type: string description: Date and time in UTC when the alert was first created. example: 2020-02-02T18:58:16.000Z createdBy: type: string description: Email of the user who first created the alert. example: tomer@logz.io enabled: type: boolean description: If `true`, the alert is currently active. exampe: true title: type: string description: Alert title. example: Excessive WARN levels in PROD description: type: string description: A description of the event, its significance, and suggested next steps or instructions for the team. example: Steps to remediate... tags: type: array items: type: string description: Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. example: [network, aws] output: $ref: '#/definitions/AlertOutput' searchTimeFrameMinutes: type: integer minimum: 5 maximum: 1440 format: int32 description: >- The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. subComponents: type: array description: Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. items: $ref: '#/definitions/SubAlert' correlations: $ref: '#/definitions/SubAlertCorrelation' schedule: type: object description: Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. properties: cronExpression: type: string description: Cron job for the intervals schedule. timezone: type: string description: Time zone for the cron job. If no time zone is selected, UTC will be used by default. sendToAll: type: boolean default: false description: If `true`, a single email will be sent to all email addresses. AlertOutput: type: object description: Automatically sends out notifications with sample results when the alert triggers. properties: recipients: $ref: '#/definitions/AlertRecipients' suppressNotificationsMinutes: type: integer format: int32 minimum: 5 maximum: 1440 description: Add a waiting period in minutes to space out notifications. (The alert will still trigger but will not send out notifications during the waiting period.) example: 60 type: type: string description: Selects the output format for the alert notification. If the alert has no aggregations/group by fields, `JSON` offers the option to send full sample logs without selecting specific fields. enum: - JSON - TABLE AlertQuery: type: object description: Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. properties: query: type: string description: >- Provide a Kibana search query written in Lucene syntax. The search query together with the filters select for the relevant logs. Cannot be null - send an asterisk wildcard `*` if not using a search query. default: "*" nullable: false example: type:apache_access filters: $ref: '#/definitions/BoolFilter' groupBy: type: array nullable: true description: Specify 1-3 fields by which to group the results and count them. If you apply a group by operation, the alert returns a count of the results aggregated by unique values. items: type: string maxItems: 3 minItems: 0 aggregation: $ref: '#/definitions/Aggregation' shouldQueryOnAllAccounts: type: boolean default: true example: false description: Only applicable when the alert is run from the main account. If `true`, the alert runs on the main account and all associated searchable sub accounts. If `false`, specify relevant account IDs for the alert to monitor using the `accountIdsToQueryOn` field. accountIdsToQueryOn: type: array description: Specify Account IDs to select which accounts the alert should monitor. The alert will be checked only on these accounts. items: type: integer format: int32 example: 2321 TriggeredAlertsResponse: type: object properties: pageSize: type: integer description: Size of page returned. example: 2 from: type: integer description: Of the results found, the first result to return. example: 1 total: type: integer description: Total number of alerts retrieved. example: 2 results: type: array description: Array of alerts retrieved by the search. items: type: object properties: alertId: type: integer description: Alert ID. example: 1 name: type: string description: Alert name. example: test eventDate: type: number description: Alert date. example: 1523970558.657000000 severity: type: string description: Alert severity example: HIGH AlertRecipients: type: object description: Add email addresses and/or endpoint channels to automatically receive notifications with sample data when the alert triggers. properties: emails: type: array description: Array of email addresses to be notified when the alert triggers. items: type: string example: tom.a@logz.io notificationEndpointIds: type: array description: Array of IDs of pre-configured endpoint channels to notify when the alert triggers. items: type: integer format: int32 AlertSchedule: type: object description: Defines the frequency and the time frame in which an alert will be evaluated. properties: cronExpression: type: string description: Cron job for the intervals schedule. example: "0 0/60 9-17 ? * * *" timezone: type: string description: Time zone for the cron job. If no time zone is selected, UTC will be used by default. example: "America/Sao_Paulo" SubAlert: type: object properties: queryDefinition: $ref: '#/definitions/AlertQuery' trigger: $ref: '#/definitions/AlertTrigger' output: $ref: '#/definitions/SubAlertOutput' SubAlertCorrelation: type: object description: >- Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. `AND` is currently the only supported operator. When `AND` is the `correlationOperator`, both sub-components must meet their triggering criteria for the alert to trigger. properties: correlationOperators: type: array items: type: string enum: - AND joins: type: array description: >- Specifies which group by fields must have the same values to trigger the alert. Joins the group by fields from the first and second sub-components. The key represents the index of the sub component in the array (See the example - the index of the first sub-component is 0, the second is 1). The fields must be ordered pairs of the group by fields already in use in the `queryDefinition`. items: type: object additionalProperties: example: {0: "region", 1: "region"} default: false SubAlertOutput: type: object description: Selects the data output to be sent in the notification when the alert triggers. Not applicable, when grouping by fields or aggregating results, as the output is auto-selected. properties: columns: type: array items: $ref: '#/definitions/ColumnConfig' shouldUseAllFields: type: boolean description: If `true`, the notification output will include entire logs with all of their fields in the sample data. default: true AlertV2Request: type: object required: - title - subComponents properties: title: type: string description: Alert title example: Excessive WARN levels in PROD description: type: string description: A description of the event, its significance, and suggested next steps or instructions for the team. example: Steps to remediate... tags: type: array items: type: string example: "network" maxItems: 10 minItems: 0 description: Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. output: $ref: '#/definitions/AlertOutput' searchTimeFrameMinutes: type: integer minimum: 5 maximum: 1440 format: int32 description: >- The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. The default value is 5. example: 20 subComponents: type: array description: Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions. items: $ref: '#/definitions/SubAlert' correlations: $ref: '#/definitions/SubAlertCorrelation' schedule: $ref: '#/definitions/AlertSchedule' enabled: type: boolean description: If `true`, the alert is enabled and active. Default value is `true`. sendToAll: type: boolean default: false description: If `true`, a single email will be sent to all email addresses. AlertTrigger: type: object description: Sets the triggering threshold and severity tab to label the event when the alert triggers. properties: operator: type: string enum: - LESS_THAN - GREATER_THAN - LESS_THAN_OR_EQUALS - GREATER_THAN_OR_EQUALS - EQUALS - NOT_EQUALS example: GREATER_THAN_OR_EQUALS description: Specifies the operator for evaluating the results. severityThresholdTiers: type: object description: >- Sets a severity label per trigger threshold as a key:value pair. If using more than one sub-component, only 1 severityThresholdTiers is allowed. Otherwise, 1 per `enum` are allowed (for a total of 5 thresholds of increasing severities). Increasing severity must adhere to the logic of the operator. enum: - INFO - LOW - MEDIUM - HIGH - SEVERE additionalProperties: default: MEDIUM: 10.0 example: MEDIUM: 10.0 HIGH: 100.0 SEVERE: 300.0 SilenceGetAll: type: object required: - title - subComponents properties: id: type: string description: Unique identifier for the silence. example: e1a111a1-1a10-1caf-ae1b-1111112bf061 status: type: object description: The state of the silence (active or expired). example: active updatedAt: type: string description: Date and time in UTC when the silence was last updated. example: 2020-04-02T18:58:16.000Z comment: type: string description: A description or comment about the silence, its purpose, or any relevant details. example: Created 2025-01-20 14:32 createdBy: type: string description: Name of the user who created the silence. example: John Doe endsAt: type: string description: Date and time in UTC when the silence ends. example: 2025-01-20T14:32:00.839Z matchers: type: array description: List of matchers defining which alerts the silence applies to. items: type: object properties: isEqual: type: string example: true isRegex: type: string example: false name: type: string example: Name1 value: type: string example: test123 startsAt: type: string description: Date and time in UTC when the silence begins. example: 2025-01-20T12:32:12.380Z SilenceCreate: type: object properties: startsAt: type: string description: Date and time in UTC when the silence begins. example: 2025-01-20T12:32:12.380Z endsAt: type: string description: Date and time in UTC when the silence ends. example: 2025-01-20T14:32:00.839Z comment: type: string description: A description or comment about the silence, its purpose, or any relevant details. example: Created 2025-01-20 14:32 createdBy: type: string description: Name of the user who created the silence. example: John Doe matchers: type: array description: List of matchers defining which alerts the silence applies to. items: type: object properties: isEqual: type: string example: true isRegex: type: string example: false name: type: string example: Name1 value: type: string example: test123 BoolFilter: type: object description: Apply `must` and `must_not` filters to the monitoring alert. Filters are more efficient compared to a query, so it's recommended to opt for a filter over a query, where possible. See [Elasticsearch Bool-Query](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/query-dsl-bool-query.html) for more detail. properties: bool: $ref: '#/definitions/FilterLists' ColumnConfig: type: object description: Customize the alert output to be sent out in notifications when the alert triggers. properties: fieldName: type: string description: Specify the fields to be included in the notification. regex: type: string description: Trims the data using regex filters. [Learn more](https://docs.logz.io/user-guide/alerts/regex-filters.html) sort: type: string description: Specify a single field to sort by. The field cannot be an analyzed field (a field that supports free text search or searching by part of a message, such as the 'message' field). enum: - DESC - ASC FilterLists: type: object description: Runs Elasticsearch [Bool Query](https://www.elastic.co/guide/en/elasticsearch/reference/6.8/query-dsl-bool-query.html) filters on the data (before the search query is applied). The most efficient way to grab the logs you are looking for. properties: must: type: array items: type: object properties: match_phrase: type: object properties: Field: type: object properties: query: type: string example: value must_not: type: array items: type: object properties: match_phrase: type: object properties: Field: type: object properties: query: type: string example: value PagedSearchResponseString: type: object properties: total: type: integer format: int32 results: type: array items: type: string pagination: $ref: '#/definitions/Pagination' TagsFilter: type: object properties: searchTerm: type: string TagsSearchRequest: type: object properties: filter: $ref: '#/definitions/TagsFilter' pagination: $ref: '#/definitions/Pagination' # ::::: SIEM RULES - except SecurityRuleRequest/Response - duplicates of alert definitions but with description for rules. do not exist in the swagger RuleOutput: type: object description: Automatically sends out notifications with sample results when the rule triggers. properties: recipients: $ref: '#/definitions/RuleRecipients' suppressNotificationsMinutes: type: integer format: int32 minimum: 5 maximum: 1440 description: Add a waiting period in minutes to space out notifications. (The rule will still trigger but will not send out notifications during the waiting period.) example: 60 type: type: string description: Selects the output format for the rule notification. If the rule has no aggregations/group by fields, `JSON` offers the option to send full sample logs without selecting specific fields. enum: - JSON - TABLE RuleQuery: type: object description: Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. properties: query: type: string description: >- Provide a Kibana search query written in Lucene syntax. The search query together with the filters select for the relevant logs. Cannot be null - send an asterisk wildcard `*` if not using a search query. default: "*" nullable: false example: type:apache_access filters: $ref: '#/definitions/BoolFilter' groupBy: type: array nullable: true description: Specify 1-3 fields by which to group the results and count them. If you apply a group by operation, the rule returns a count of the results aggregated by unique values. items: type: string maxItems: 3 minItems: 0 aggregation: $ref: '#/definitions/Aggregation' shouldQueryOnAllAccounts: type: boolean default: true example: false description: Only applicable when the rule is run from the main account. If `true`, the rule runs on the main account and all associated searchable sub accounts. If `false`, specify relevant account IDs for the rule to monitor using the `accountIdsToQueryOn` field. accountIdsToQueryOn: type: array description: Specify Account IDs to select which accounts the rule should monitor. The rule will be checked only on these accounts. items: type: integer format: int32 example: 2321 RuleRecipients: type: object description: Add email addresses and/or endpoint channels to automatically receive notifications with sample data when the rule triggers. properties: emails: type: array description: Array of email addresses to be notified when the rule triggers. items: type: string example: tom.a@logz.io notificationEndpointIds: type: array description: Array of IDs of pre-configured endpoint channels to notify when the rule triggers. items: type: integer format: int32 SubRule: type: object properties: queryDefinition: $ref: '#/definitions/RuleQuery' trigger: $ref: '#/definitions/RuleTrigger' output: $ref: '#/definitions/SubRuleOutput' SubRuleCorrelation: type: object description: >- Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. `AND` is currently the only supported operator. When `AND` is the `correlationOperator`, both sub-components must meet their triggering criteria for the rule to trigger. properties: correlationOperators: type: array items: type: string enum: - AND joins: type: array description: >- Specifies which group by fields must have the same values to trigger the rule. Joins the group by fields from the first and second sub-components. The key represents the index of the sub component in the array (See the example - the index of the first sub-component is 0, the second is 1). The fields must be ordered pairs of the group by fields already in use in the `queryDefinition`. items: type: object additionalProperties: example: {0: "region", 1: "region"} SubRuleOutput: type: object description: Selects the data output to be sent in the notification when the rule triggers. Not applicable, when grouping by fields or aggregating results, as the output is auto-selected. properties: columns: type: array items: $ref: '#/definitions/ColumnConfig' shouldUseAllFields: type: boolean description: If `true`, the notification output will include entire logs with all of their fields in the sample data. default: true RuleSchedule: type: object description: Defines the frequency and the time frame in which an rule will be evaluated. properties: cronExpression: type: string description: Cron job for the intervals schedule. example: "0 0/60 9-17 ? * * *" timezone: type: string description: Time zone for the cron job. If no time zone is selected, UTC will be used by default. example: "America/Sao_Paulo" SecurityRuleRequest: type: object required: - subComponents properties: title: type: string description: Rule title example: Excessive WARN levels in PROD description: type: string description: A description of the event, its significance, and suggested next steps or instructions for the team. example: Steps to remediate... tags: type: array items: type: string maxItems: 25 minItems: 0 description: Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. example: network output: $ref: '#/definitions/RuleOutput' searchTimeFrameMinutes: type: integer minimum: 5 maximum: 1440 format: int32 description: >- The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. example: 20 subComponents: type: array description: Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions. items: $ref: '#/definitions/SubRule' correlations: $ref: '#/definitions/SubRuleCorrelation' enabled: type: boolean description: If `true`, the alert is enabled and active. schedule: $ref: '#/definitions/RuleSchedule' sendToAll: type: boolean default: false description: If `true`, a single email will be sent to all email addresses. rca: type: boolean description: Activate AI Agent analysis (OrionIQ) for the rule. rcaNotificationEndpointIds: type: array items: type: integer description: Notification endpoint IDs for AI Agent analysis (OrionIQ). useAlertNotificationEndpointsForRca: type: boolean description: Whether to use rule notification endpoints for AI Agent analysis (OrionIQ). runbook: type: string description: Runbook instructions to help the AI Agent analysis (OrionIQ) understand how to handle the rule better. mitreTags: type: array items: type: string description: >- Maps this rule to MITRE ATT&CK tactics and techniques. Helps correlate events with known adversary behavior. Tags are saved as MITRE ATT&CK ID, for example: "T0895" , "T1695.001" RuleTrigger: type: object description: Sets the triggering threshold and severity tab to label the event when the rule triggers. properties: operator: type: string enum: - LESS_THAN - GREATER_THAN - LESS_THAN_OR_EQUALS - GREATER_THAN_OR_EQUALS - EQUALS - NOT_EQUALS example: GREATER_THAN_OR_EQUALS description: Specifies the operator for evaluating the results. severityThresholdTiers: type: object description: >- Sets a severity label per trigger threshold as a key:value pair. If using more than one sub-component, only 1 severityThresholdTiers is allowed. Otherwise, 1 per `enum` are allowed (for a total of 5 thresholds of increasing severities). Increasing severity must adhere to the logic of the operator. enum: - INFO - LOW - MEDIUM - HIGH - SEVERE additionalProperties: default: MEDIUM: 10.0 example: MEDIUM: 10.0 HIGH: 100.0 SEVERE: 300.0 RuleColumnConfig: type: object description: Customize the rule output to be sent out in notifications when the rule triggers. properties: fieldName: type: string description: Specify the fields to be included in the notification. regex: type: string description: Trims the data using regex filters. [Learn more](https://docs.logz.io/user-guide/alerts/regex-filters.html) sort: type: string description: Specify a single field to sort by. The field cannot be an analyzed field (a field that supports free text search or searching by part of a message, such as the 'message' field). enum: - DESC - ASC SecurityRuleResponse: type: object properties: id: type: integer format: int32 description: Logz.io security rule ID. example: 627816 updatedAt: type: string description: Date and time in UTC when the rule was last updated. example: 2020-04-02T18:58:16.000Z updatedBy: type: string description: Email of the user who last updated the rule. example: tomer@logz.io createdAt: type: string description: Date and time in UTC when the rule was first created updated. example: 2020-02-02T18:58:16.000Z createdBy: type: string description: Email of the user who first created the rule. example: tomer@logz.io enabled: type: boolean description: If `true`, the rule is currently active. exampe: true title: type: string description: Rule title. example: Excessive WARN levels in PROD description: type: string description: A description of the event, its significance, and suggested next steps or instructions for the team. example: Steps to remediate... tags: type: array items: type: string description: Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. example: [network, aws] output: $ref: '#/definitions/RuleOutput' searchTimeFrameMinutes: type: integer minimum: 5 maximum: 1440 format: int32 description: >- The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. subComponents: type: array description: Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. items: $ref: '#/definitions/SubRule' correlations: $ref: '#/definitions/SubRuleCorrelation' protected: type: boolean description: >- If `true`, the rule is pre-defined by Logz.io. Protected parameters cannot be edited. The only parameters that can be edited are: * `shouldQueryOnAllAccounts` * `accountIdsToQueryOn` * `severityThresholdTiers` * `tags` * `description` * `enabled` * `output` (in `subComponents`) * `searchTimeFrameMinutes` * `schedule` * `sendToAll` * `rca` * `rcaNotificationEndpointIds` * `useAlertNotificationEndpointsForRca` * `runbook` schedule: $ref: '#/definitions/RuleSchedule' sendToAll: type: boolean description: If `true`, one email will be sent with all email address. default: false rca: type: boolean description: Activate AI Agent analysis (OrionIQ) for the rule. rcaNotificationEndpointIds: type: array items: type: integer description: Notification endpoint IDs for AI Agent analysis (OrionIQ). useAlertNotificationEndpointsForRca: type: boolean description: Whether to use rule notification endpoints for AI Agent analysis (OrionIQ). runbook: type: string description: Runbook instructions to help the AI Agent analysis (OrionIQ) understand how to handle the rule better. mitreTags: type: array items: type: string description: >- Maps this rule to MITRE ATT&CK tactics and techniques. Helps correlate events with known adversary behavior. Tags are saved as MITRE ATT&CK ID, for example: "T1110" , "T1090.003" # ::::: RESTORE FROM ARCHIVE DEFINITIONS RestoreAccountConfiguration: type: object properties: accountId: type: integer format: int32 description: ID of the restored account in Logz.io maxActiveRestoreAccounts: type: integer format: int32 maxInProgressRestoresPerAccount: type: integer format: int32 maxRestoreDurationInHours: type: integer format: int32 accountExpirationTimeInDays: type: integer format: int32 maxVolumeInGB: type: number format: float RestoreApiResponse: type: object properties: id: type: integer format: int32 description: ID of the restore operation in Logz.io example: 42 accountId: type: integer format: int32 description: ID of the restored account in Logz.io example: 564321 accountName: type: string description: Name of the restored account example: My account name restoredVolumeGb: type: number format: float description: Volume of data restored so far. If the restore operation is still in progress, this will be continuously updated. example: 99 status: type: string enum: - IN_PROGRESS - ACTIVE - LIMIT_EXCEEDED - ABORTED - FAILED - DELETED - EXPIRED description: >- Returns the current status of the restored account. - IN_PROGRESS - Data is being restored and is not yet available for querying or searching in Kibana. - ACTIVE - The restored account is active and available for searching and querying in Kibana. Be sure to search the data in its original timestamp. - LIMIT_EXCEEDED - The data exceeded 100 GB and caused the restore action to fail. - ABORTED - A user aborted the restore operation before it completed. Only one account can be restored at a time. - FAILED - The restored account failed to restore the data. - DELETED - The restored account was deleted by a user. - EXPIRED - Restored accounts automatically expire after a number of days, as indicated by `expiresAt`. example: ACTIVE startTime: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the earliest logs to be restored. example: 1589947200.000000000 endTime: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the latest logs to be restored. example: 1589954400.000000000 createdAt: type: integer format: int64 description: Timestamp when the restore process was created and entered the queue. (Since only one account can be restored at a time, the process may not initiate immediately.) example: 1591902426.000000000 startedAt: type: integer format: int64 description: UNIX timestamp in milliseconds when the restore process initiated. example: 1591902428.000000000 finishedAt: type: integer format: int64 description: UNIX timestamp in milliseconds when the restore process completed. example: 1591902461.000000000 expiresAt: type: integer format: int64 description: UNIX timestamp in milliseconds specifying when the account is due to expire. Restored accounts expire automatically after a number of days, as specified in the account's terms. example: 1592334461.000000000 RestoreApiRequest: type: object properties: accountName: type: string description: Name of the restored account example: My account name startTime: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the earliest logs to be restored. example: 1589947200.000000000 endTime: type: integer format: int64 description: UNIX timestamp in milliseconds specifying the latest logs to be restored. example: 1589954400.000000000 RestoreRequest: type: object properties: accountName: type: string description: Name of Account example: archiveSettingsId: type: integer format: int32 description: Archive Settings Id example: startTime: type: integer format: int64 description: Restore Start Time example: endTime: type: integer format: int64 description: Restore End Time example: AccountViewV3: type: 'object' properties: accountId: type: 'integer' format: 'int32' accountName: type: 'string' type: type: 'string' enum: - 'OWNER_ACCOUNT' - 'SUB_ACCOUNT' - 'TIMELESS_INDEX' - 'METRICS_ACCOUNT' - 'RESTORE_ACCOUNT' - 'SECURITY_ACCOUNT' - 'TRACING_ACCOUNT'