Ingesting and retrieving logs with REST APIs

This section lists the supported endpoints and gives an overview of how to run them. Before you run an endpoint, you must authenticate yourself. For more information, see Access and authentication for the REST API.

You can ingest logs to BMC Helix Log Analytics and retrieve logs for searching, mapping, and other functions.

POST

 Ingest logs to BMC Helix Log Analytics
Request URL
https://<Your BMC Helix Portal URL>/log-service/api/v1.0/logs
Example request URL
https://HostA.bmc.com/log-service/api/v1.0/logs
Request Header
Content-Type: application/json
Authorization: Bearer <JWT_token> OR apiKey <API key>  
Request body
{
			valid JSON to ingest logs
}
Example - request body
[{
  "input": {
    "type": "log"
  },
  "timestamp": "1596022563000",
  "auth": "-",
  "@timestamp": "2020-08-12T13:36:09.947Z",
  "agent": {
    "type": "filebeat",
    "id": "e2043b6b-03b4-45a8-8122-a5bf7da71b4e",
    "hostname": "host name",
    "ephemeral_id": "46c17863-3ae5-4d30-99fb-8d92706a0119",
    "version": "7.7.1"
  },
  "ident": "-",
  "httpversion": "1.1",
  "@version": "1",
  "request": "/",
  "bytes": "590",
  "response": "401",
  "ecs": {
    "version": "1.5.0"
  },
  "tags": ["beats_input_codec_plain_applied"],
  "log": {
    "offset": 0,
    "file": {
      "path": "<file path>"
    }
  },
  "verb": "GET",
  "host": {
    "os": {
      "family": "windows",
      "version": "10.0",
      "platform": "windows",
      "build": "14393.3750",
      "kernel": "10.0.14393.3750 (rs1_release.200601-1853)",
      "name": "Windows Server 2016 Standard"
    },
    "mac": ["00:50:56:8f:32:8c", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0"],
    "id": "317c191e-b88f-4e58-844d-e0158dce6d6a",
    "name": "host name",
    "architecture": "x86_64",
    "ip": ["fe80::85b5:401b:ae4d:9fcc", "<IP address>", "fe80::5efe:a85:b236", "2001:0:348b:fb58:c57:ec66:3f0a:5ddb", "fe80::c57:ec66:3f0a:5ddb"],
    "hostname": "host name"
  },
  "message": "[29/Jul/2020:17:06:03 +0530] \"GET / HTTP/1.1\" 401 590"
}]

Successful response

All records are accepted and queued to move to Elasticsearch.

Unsuccessful responses

Scenario 1: No records ingested

  • Check the URL and API key in the http plugin.
  • Check that the index pattern exists. If it does not, create a new index pattern and ensure that its name starts with the following pattern: log-xx_r14_v1*. The value of xx is available in the name suggestions.

Scenario 2: Unable to log on to BMC Helix Log Analytics

Contact BMC Support.

Scenario 3: Unable to add filters by using fields

If you see the '?' sign in place of the data type icon of a field, refresh the field list on the index pattern page (Management > Index pattern > index pattern name).


Response codes

| Code | Message | Description |
|------|---------|-------------|
| 200 | Queued | All records are accepted and queued to move to Elasticsearch. |
| 206 | Partially queued | Some records are queued. Contact BMC Support. |
| 401 | Authentication has failed | Verify the API key and tenant registration. |
| 413 | Data validation failed for all records. | All records have more than 200 fields. |
| 422 | You have reached the maximum limit to store log data in a day in your trial environment. To get license, contact BMC Support. Or You have reached the maximum limit to store log data in a day. To increase the limit, contact BMC Support. | Log limit has exceeded. |
| 500 | Unable to connect to server. | All log records are not accepted. |
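
The following Python sketch prepares an ingest request so that the credential is only ever sent over HTTPS and records likely to trigger the 413 validation failure are set aside before sending. It is an added example, not BMC code; the helper names, the sample records, and the rule that "fields" means leaf fields counted through nested objects are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit

MAX_FIELDS = 200  # limit taken from the 413 description; the counting rule below is assumed


def count_fields(value):
    """Count the leaf fields of one record, descending into nested objects."""
    if isinstance(value, dict):
        return sum(count_fields(v) for v in value.values())
    return 1


def split_by_field_limit(records):
    """Return (sendable, oversized) so oversized records can be trimmed or logged locally."""
    sendable = [r for r in records if count_fields(r) <= MAX_FIELDS]
    oversized = [r for r in records if count_fields(r) > MAX_FIELDS]
    return sendable, oversized


def build_ingest_request(portal_url, records, jwt=None, api_key=None):
    """Build (but do not send) the POST request for /log-service/api/v1.0/logs."""
    parts = urlsplit(portal_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("portal URL must be https so the credential is not sent in clear text")
    if bool(jwt) == bool(api_key):
        raise ValueError("supply exactly one of jwt or api_key")
    auth = f"Bearer {jwt}" if jwt else f"apiKey {api_key}"
    return urllib.request.Request(
        f"https://{parts.netloc}/log-service/api/v1.0/logs",
        data=json.dumps(records).encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": auth},
        method="POST",
    )


# Constructed sample input: one small record and one record with 201 fields.
SAMPLE = [
    {"message": "GET / HTTP/1.1 401 590", "host": {"name": "host name", "os": {"family": "windows"}}},
    {f"f{i}": i for i in range(201)},
]

if __name__ == "__main__":
    sendable, oversized = split_by_field_limit(SAMPLE)
    req = build_ingest_request("https://HostA.bmc.com", sendable, api_key="EXAMPLE-KEY")
    print(req.get_method(), req.full_url, "-", len(oversized), "record(s) held back")
```

When the request is sent with urllib.request.urlopen, the 401, 413, 422 and 500 responses raise HTTPError, but 206 returns normally, so compare the status to 200 explicitly to detect partially queued batches.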

GET 
 Get list of fields
Request URL
https://<Your BMC Helix Portal URL>/log-service/api/v1.0/logs/mapping
Example request URL
https://HostA.bmc.com/log-service/api/v1.0/logs/mapping
Request Header
Content-Type: application/json
Authorization: Bearer <JWT_token> OR apiKey <API key>  

Successful response

List of available fields is returned.

Unsuccessful responses

Unable to log on to BMC Helix Log Analytics

Contact BMC Support.

Response codes

| Code | Message | Description |
|------|---------|-------------|
| 200 | JSON that includes list of fields | Successfully received all the fields. |
| 401 | Authentication has failed | Verify JWT. |
| 500 | Unable to connect to server. | No fields are received. Contact BMC Support. |

POST

 Search logs

You can search logs by sending single or multiple queries.

Request URL
https://<Your BMC Helix Portal URL>/log-service/api/v1.0/logs/msearch
Example request URL
https://HostA.bmc.com/log-service/api/v1.0/logs/msearch
Request Header
Content-Type: application/json
Authorization: Bearer <JWT_token>  
Request body
{
   valid JSON queries in the ndjson format
}
Example - request body
[{
 {"from":0,"size":100,"query":{"match_all":{}}}
 {"from":0,"size":100,"query":{"match_all":{}}}
}]

Successful response

Search result is returned.

Unsuccessful responses

Scenario 1: Unable to log on to BMC Helix Log Analytics

Contact BMC Support.

Scenario 2: Incorrect request body

Ensure that the query is correct.


Response codes

| Code | Message | Description |
|------|---------|-------------|
| 200 | Details of query results returned, like total, skipped, failed, and successful records. | Search result is returned. |
| 400 | Bad request. | Verify request header, JSON format of the query, and request body. |
| 401 | Authentication has failed | Verify JWT. |
| 500 | Unable to connect to server. | No records are received. Contact BMC Support. |

