To find your account region, sign in to Layerlog and look at the URL in the address bar. Your API URL has the same two-letter code that you see in the address bar when you're logged in.
For more information, see Account region.
The Layerlog API is available to Pro and Enterprise plan subscribers. You can generate and delete API tokens in your Layerlog account.
You can manage your API tokens from the Layerlog API tokens page.
API tokens are account-specific. You will need to be logged into the relevant Log Management or SIEM account to view the API tokens associated with it.
To manage your API tokens, log into the relevant account in your Layerlog platform, click the gear in the top-right menu, and select Tools > Manage tokens > API tokens.
It's important to keep your tokens secure. API tokens carry privileges to make changes to users and accounts, so if you believe an API token has been compromised, delete it, and replace it with a new token in your integrations.
| Security Scheme Type | API Key |
|---|---|
| Header parameter name: | X-API-TOKEN |
API call and response rates are limited to 100 concurrent API requests per account. To verify your rate limits or request changes to your plan, please contact your account manager or the Customer Success Team.
Use the Elasticsearch Search API DSL query language to search your Layerlog data.
To ensure system performance and data availability, we've introduced some limitations to the original Elasticsearch specification. These limitations are detailed in the applicable API calls below.
US East (Northern Virginia)
Asia Pacific (Sydney)
Canada (Central)
Europe (Frankfurt)
West Europe (Netherlands)
Europe (London)
West US 2 (Washington)
Searches your account data using the Elasticsearch Search API DSL query language.
total: This call returns up to 1,000 results per query for aggregated results, or 10,000 results for non-aggregated results.
Note: To ensure speed and availability of your logs, we restrict some options from the Elasticsearch defaults that could hamper system performance. Restrictions are described with their respective elements below.
| dayOffset | integer >= 0 Slide the 2-day search time range by x days. For example, if set to Maximum is your account's retention period. If set to |
| accountIds | integer ID of the sub account to search. By default, only this account is searched. A main account can search a sub account as long as it has the right permissions. To give search permissions to the main account, log in to the main account, go to the Manage accounts page, and select Searchable from the main account for the intended sub account. To include multiple accounts, repeat this parameter for each account (for example: Important: If you include an account without the right permissions, the request will fail. If you include this parameter, the current account won't be searched unless you explicitly include it in the query. |
| query required | object The query can take any of the parameters described in the Elasticsearch Search API DSL documentation with the exceptions stated below. Limitations Notes on the search time range |
| from | integer >= 0 Default: 0 Of the results found, the first result to return. |
| size | integer <= 10,000 Default: 10 Number of results to return |
| sort | Array of objects Limitations |
| _source | object The object |
| post_filter | object A filter applied after the aggregations have been calculated. Useful for reusing a single query to calculate several outputs with different filtering criteria. See the Elasticsearch guide for details. |
| docvalue_fields | Array of objects Powers inverted indexing. Allows queries to look up the search term in unique sorted list of terms, for faster access to the list of documents that contain the term. See the Elasticsearch guide for details. |
| version | boolean Returns a version for each result. See the Elasticsearch guide for details. |
| stored_fields | array of strings Useful for querying for fields that don’t appear in the _source field or querying for larger documents by date or title. See the Elasticsearch guide for details. |
| highlight | object Highlight strings in one or more fields in your search results. See the Elasticsearch guide for details. |
| aggregations | object Apply field aggregations. See the Elasticsearch guide for details. Limitations Note: You can use |
successful query. hits are the total number of logs that match the query, which will always be in the 0-2 day range. total are the actual logs that are returned when using the query, which are not limited by the selected time range.
Request sample:

```json
{
  "query": {
    "bool": {
      "must": [
        {"range": {"@timestamp": {"gte": "now-5m", "lte": "now"}}}
      ]
    }
  },
  "from": 0,
  "size": 0,
  "sort": [{}],
  "_source": false,
  "post_filter": null,
  "docvalue_fields": [],
  "version": true,
  "stored_fields": ["*"],
  "highlight": {},
  "aggregations": {
    "byType": {"terms": {"field": "type", "size": 5}}
  }
}
```

Response sample:

```json
{
  "hits": {"total": 339604, "max_score": 0.0, "hits": []},
  "aggregations": {
    "byType": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 44879,
      "buckets": [
        {"key": "web-app", "doc_count": 163690},
        {"key": "core-service", "doc_count": 64893}
      ]
    }
  }
}
```
This endpoint accepts two types of request. The first runs a search query and returns a scrollId and the first batch of paginated results. The second passes only the scroll_id (the variation in the field name is intentional) to fetch the next batches of paginated results. This endpoint always returns results as stringified JSON.
How it works:
First, send a request to establish the scrollId. This initial request contains the query object and additional parameters, similar to the v1/search endpoint, except that dayOffset and accountIds are not supported. The request returns the field scrollId and the number of hits, representing the number of matching results.
Next, send the scroll_id in the request body to retrieve the log results as stringified JSON. The results are paginated: each call returns the next page, one at a time, and each page can return a maximum of 1000 results. Keep sending the same scroll_id as many times as needed to retrieve all of the available results.
When the call returns an empty array, you'll know you've reached the end of your results.
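The scroll procedure above as a small Python client (an added example, not Layerlog's own code). The endpoint URL is a placeholder, and the shape of the decoded `hits` string and the in-memory `make_fake_api` stand-in are assumptions made so the example runs offline.

```python
import json
import urllib.request

# Assumption: placeholder URL. The page does not give the scroll endpoint path;
# substitute the API URL for your account region.
SCROLL_URL = "https://api.example.invalid/scroll"
MAX_PAGE_SIZE = 1000  # per-page maximum stated on the page


def http_post(url, token, body):
    """POST a JSON body with the X-API-TOKEN header and return the parsed reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"X-API-TOKEN": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def decode_hits(reply):
    """Return the logs carried by one reply; `hits` arrives as stringified JSON.

    Assumption: the decoded value is either a list of logs or an object with a
    nested "hits" list, like the search response sample on the page.
    """
    if reply.get("code") != 200:
        raise RuntimeError("scroll request failed with code %r" % reply.get("code"))
    raw = reply.get("hits") or "[]"
    decoded = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(decoded, dict):
        decoded = decoded.get("hits", [])
    return list(decoded)


def scroll_all(query, token, post=http_post, url=SCROLL_URL,
               size=MAX_PAGE_SIZE, max_pages=10000):
    """Run the query once, then replay the scroll ID until a page comes back empty."""
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError("size must be between 1 and %d" % MAX_PAGE_SIZE)
    first = post(url, token, {"query": query, "size": size})
    logs = decode_hits(first)           # may be empty: the first reply can carry only the count
    scroll_id = first["scrollId"]       # camelCase in responses
    for _ in range(max_pages):          # guard against a server that never returns an empty page
        page = decode_hits(post(url, token, {"scroll_id": scroll_id}))  # snake_case in requests
        if not page:                    # empty array marks the end of the results
            return logs
        logs.extend(page)
    raise RuntimeError("max_pages reached before the scroll was exhausted")


def make_fake_api(docs, page_size):
    """Constructed stand-in for the API so the example runs without a network."""
    state = {"pos": 0, "calls": []}

    def post(url, token, body):
        state["calls"].append(body)
        if "query" in body:             # initial request: scroll ID and hit count only
            state["pos"] = 0
            chunk = []
        else:                           # follow-up request: must carry only scroll_id
            assert body == {"scroll_id": "constructed-scroll-id"}
            chunk = docs[state["pos"]:state["pos"] + page_size]
            state["pos"] += len(chunk)
        hits = {"total": len(docs), "hits": chunk}
        return {"code": 200, "scrollId": "constructed-scroll-id",
                "hits": json.dumps(hits)}

    return post, state


if __name__ == "__main__":
    sample = [{"message": "constructed log %d" % i} for i in range(5)]
    fake_post, fake_state = make_fake_api(sample, page_size=2)
    # Query taken from the search request sample on this page.
    query = {"bool": {"must": [{"range": {"@timestamp": {"gte": "now-5m", "lte": "now"}}}]}}
    result = scroll_all(query, token="PLACEHOLDER-TOKEN", post=fake_post, size=2)
    print(len(result), "logs in", len(fake_state["calls"]), "requests")
```

For real use, read the token from a secret store or environment variable rather than source code, since the page notes that API tokens carry privileges to change users and accounts.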
Note:
scroll_id in requests (snake_case).
scrollId in your responses (camelCase).
| query | object Add a search query to receive the The query can take any of the parameters described in the Elasticsearch Search API DSL documentation with the exceptions stated below. You can only add the Limitations |
| size | integer <int32> <= 1,000 Default: 10 Number of results to return |
| from | integer <int32> >= 0 Of the results found, the first result to return. |
| sort | Array of objects Limitations |
| _source | object The object |
| post_filter | object |
| scroll | string These time units are supported: Limitations |
| aggregations | object Apply field aggregations. See the Elasticsearch guide for details. Limitations Note: You can use |
successful operation. hits are the total number of logs that match the query, which will always be in the 0-2 day range. total are the actual logs that are returned when using the query, which are not limited by the selected time range.
| code | integer <int32> |
| scrollId | string Keep passing this ID in the request until you've retrieved all of the results. Copy this ID and pass it as the field |
| hits | string Query results in stringified JSON format. 'hits' are the total number of logs that match the query. |
Request sample:

```json
{
  "query": {},
  "size": 50,
  "from": 0,
  "sort": [{}],
  "_source": {"includes": ["message"]},
  "post_filter": {},
  "scroll": "string",
  "aggregations": {
    "byType": {"terms": {"field": "type", "size": 5}}
  }
}
```

Response sample:

```json
{
  "code": 200,
  "scrollId": "DnF1ZXJ5VGhlbkZldGNoCQAAAAAWXRbqFlNpSWRrTUtXUUR1N1pJbG9uSkJINncAAAAAFp6B-xZTTVFrMGt4eVFnZXhQZV9YbVRrU3NnAAAAABakA8QWNjY1RUZtdWZRS1NZZWt1ZERTNHNaQQAAAAAWXRbrFlNpSWRrTUtXUUR1N1pJbG9uSkJINncAAAAAFl0W7BZTaUlka01LV1FEdTdaSWxvbkpCSDZ3AAAAABQ1nb4WVjRyRlUxZWRUU0dzbTV5VVVqYkhxdwAAAAAUdHVqFlF0b3Znei1ZUXgtZEkyZkR3M0pMbGcAAAAAFvGs6hZKVklxaXIyZ1NOQzF5NHg1cmhtVDV3AAAAABR0dWkWUXRvdmd6LVlReC1kSTJmRHczSkxsZw==",
  "hits": "string"
}
```

Layerlog alerts use a Kibana search query to continuously scan your logs and alert you when a certain set of conditions is met. The simplest alerts can use a simple search query or a particular filter, but others can be quite complex and involve several conditions with varying thresholds.
When alerts trigger, they write event logs. Event logs of triggered alerts are always available and searchable in Kibana - just filter for _exists_:logzio-alert. But you also have the option to add notifications, and control their contents, format, and who they are sent to.
For the deprecated alerting version, please see our public GitHub project.
Returns the complete list of all alerts configured for the account.
successful operation
| id | integer <int32> Layerlog alert ID. |
| updatedAt | string Date and time in UTC when the alert was last updated. |
| updatedBy | string Email of the user who last updated the alert. |
| createdAt | string Date and time in UTC when the alert was first created. |
| createdBy | string Email of the user who first created the alert. |
| enabled | boolean If |
| title | string Alert title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubAlert) Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
Response sample:

```json
[
  {
    "id": 627816,
    "updatedAt": "2025-12-07T12:21:52.952Z",
    "updatedBy": "tomer@layerlog.com",
    "createdAt": "2025-12-07T12:21:52.952Z",
    "createdBy": "tomer@layerlog.com",
    "enabled": true,
    "title": "Excessive WARN levels in PROD",
    "description": "Steps to remediate...",
    "tags": ["network", "aws"],
    "output": {
      "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
      "suppressNotificationsMinutes": 60,
      "type": "JSON"
    },
    "searchTimeFrameMinutes": 5,
    "subComponents": [
      {
        "queryDefinition": {
          "query": "type:apache_access",
          "filters": {
            "bool": {
              "must": [{"match_phrase": {"Field": {"query": "value"}}}],
              "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
            }
          },
          "groupBy": ["string"],
          "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
          "shouldQueryOnAllAccounts": false,
          "accountIdsToQueryOn": [2321]
        },
        "trigger": {
          "operator": "GREATER_THAN_OR_EQUALS",
          "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
        },
        "output": {"shouldUseAllFields": true}
      }
    ],
    "correlations": {
      "correlationOperators": ["AND"],
      "joins": [{"0": "region", "1": "region"}]
    },
    "schedule": {"cron": "string", "timezone": "string"}
  }
]
```
Configures and activates a new alert.
| title required | string Alert title |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings [ 0 .. 10 ] items Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. The default value is 5. |
| subComponents required | Array of objects (SubAlert) Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| enabled | boolean If |
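Because the recommended `searchTimeFrameMinutes` range is not validated, a pre-flight check on the request body is worth running before an alert is created or updated. This added example (not Layerlog's own code) lints an alert body against the limits in the table above; the function name, the finding levels and the reuse of the triggered-alert severity names for threshold tiers are assumptions.

```python
# Limits taken from the request table on this page.
MIN_WINDOW, MAX_WINDOW, DEFAULT_WINDOW = 5, 1440, 5
MAX_TAGS = 10
# Severity names the page lists for triggered alerts; assumed valid for tiers too.
KNOWN_SEVERITIES = {"SEVERE", "HIGH", "MEDIUM", "LOW", "INFO"}


def lint_alert(alert):
    """Return (level, message) findings for a create/update alert request body."""
    findings = []

    title = alert.get("title")
    if not isinstance(title, str) or not title.strip():
        findings.append(("error", "title is required"))

    subs = alert.get("subComponents")
    if not isinstance(subs, list) or not subs:
        findings.append(("error", "subComponents is required and must not be empty"))
        subs = []

    tags = alert.get("tags") or []
    if len(tags) > MAX_TAGS:
        findings.append(("error", "tags allows at most %d items, got %d" % (MAX_TAGS, len(tags))))

    # The API accepts values outside 5..1440, so this has to be caught client-side.
    window = alert.get("searchTimeFrameMinutes", DEFAULT_WINDOW)
    is_int = isinstance(window, int) and not isinstance(window, bool)
    if not is_int or not MIN_WINDOW <= window <= MAX_WINDOW:
        findings.append(("warn", "searchTimeFrameMinutes=%r is outside the recommended %d..%d"
                         % (window, MIN_WINDOW, MAX_WINDOW)))

    if alert.get("correlations") and len(subs) < 2:
        findings.append(("warn", "correlations only apply when multiple sub-components are in use"))

    recipients = (alert.get("output") or {}).get("recipients") or {}
    if not recipients.get("emails") and not recipients.get("notificationEndpointIds"):
        findings.append(("info", "no recipients: a trigger is only written as an event log"))

    if alert.get("enabled") is False:
        findings.append(("info", "alert is disabled"))

    for index, sub in enumerate(subs):
        tiers = (sub.get("trigger") or {}).get("severityThresholdTiers") or {}
        unknown = sorted(set(tiers) - KNOWN_SEVERITIES)
        if unknown:
            findings.append(("warn", "subComponents[%d] has unknown severities: %s"
                             % (index, ", ".join(unknown))))
    return findings


# Constructed input: trimmed from the create-alert request sample on this page.
PAGE_SAMPLE = {
    "title": "Excessive WARN levels in PROD",
    "tags": ["network"],
    "output": {"recipients": {"emails": ["tom.a@layerlog.com"],
                              "notificationEndpointIds": [0]}},
    "searchTimeFrameMinutes": 20,
    "subComponents": [{
        "queryDefinition": {"query": "type:apache_access"},
        "trigger": {"operator": "GREATER_THAN_OR_EQUALS",
                    "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}},
    }],
    "correlations": {"correlationOperators": ["AND"]},
    "enabled": True,
}

# Constructed input: a body that would silently weaken detection coverage.
WEAK_SAMPLE = {
    "title": " ",
    "tags": ["t%d" % i for i in range(11)],
    "searchTimeFrameMinutes": 2,
    "enabled": False,
}

if __name__ == "__main__":
    for name, body in (("page sample", PAGE_SAMPLE), ("weak sample", WEAK_SAMPLE)):
        print(name)
        for level, message in lint_alert(body):
            print("  [%s] %s" % (level, message))
```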
successful operation
| id | integer <int32> Layerlog alert ID. |
| updatedAt | string Date and time in UTC when the alert was last updated. |
| updatedBy | string Email of the user who last updated the alert. |
| createdAt | string Date and time in UTC when the alert was first created. |
| createdBy | string Email of the user who first created the alert. |
| enabled | boolean If |
| title | string Alert title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubAlert) Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
Request sample:

```json
{
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network"],
  "output": {
    "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 20,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [{"match_phrase": {"Field": {"query": "value"}}}],
            "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
          }
        },
        "groupBy": ["string"],
        "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
      },
      "output": {"shouldUseAllFields": true}
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [{"0": "region", "1": "region"}]
  },
  "enabled": true
}
```

Response sample:

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.952Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.952Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [{"match_phrase": {"Field": {"query": "value"}}}],
            "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
          }
        },
        "groupBy": ["string"],
        "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
      },
      "output": {"shouldUseAllFields": true}
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [{"0": "region", "1": "region"}]
  },
  "schedule": {"cron": "string", "timezone": "string"}
}
```
Returns alert details by alert ID.
| alertId required | integer <int32> Example: 563412 Unique identifier of the alert in Layerlog. |
successful operation
| id | integer <int32> Layerlog alert ID. |
| updatedAt | string Date and time in UTC when the alert was last updated. |
| updatedBy | string Email of the user who last updated the alert. |
| createdAt | string Date and time in UTC when the alert was first created. |
| createdBy | string Email of the user who first created the alert. |
| enabled | boolean If |
| title | string Alert title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubAlert) Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
Response sample:

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.952Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.952Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [{"match_phrase": {"Field": {"query": "value"}}}],
            "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
          }
        },
        "groupBy": ["string"],
        "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
      },
      "output": {"shouldUseAllFields": true}
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [{"0": "region", "1": "region"}]
  },
  "schedule": {"cron": "string", "timezone": "string"}
}
```
Applies changes to an alert, identified by its ID. Can be used to enable or disable the alert.
| alertId required | integer <int32> Example: 563412 Unique identifier of the alert in Layerlog. |
| title required | string Alert title |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings [ 0 .. 10 ] items Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. The default value is 5. |
| subComponents required | Array of objects (SubAlert) Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| enabled | boolean If |
successful operation
| id | integer <int32> Layerlog alert ID. |
| updatedAt | string Date and time in UTC when the alert was last updated. |
| updatedBy | string Email of the user who last updated the alert. |
| createdAt | string Date and time in UTC when the alert was first created. |
| createdBy | string Email of the user who first created the alert. |
| enabled | boolean If |
| title | string Alert title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubAlert) Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
Request sample:

```json
{
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network"],
  "output": {
    "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 20,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [{"match_phrase": {"Field": {"query": "value"}}}],
            "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
          }
        },
        "groupBy": ["string"],
        "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
      },
      "output": {"shouldUseAllFields": true}
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [{"0": "region", "1": "region"}]
  },
  "enabled": true
}
```

Response sample:

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.952Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.952Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [{"match_phrase": {"Field": {"query": "value"}}}],
            "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
          }
        },
        "groupBy": ["string"],
        "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
      },
      "output": {"shouldUseAllFields": true}
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [{"0": "region", "1": "region"}]
  },
  "schedule": {"cron": "string", "timezone": "string"}
}
```
Deletes an alert identified by its ID.
| alertId required | integer <int32> Example: 563412 Unique identifier of the alert in Layerlog. |
successful operation
| id | integer <int32> Layerlog alert ID. |
| updatedAt | string Date and time in UTC when the alert was last updated. |
| updatedBy | string Email of the user who last updated the alert. |
| createdAt | string Date and time in UTC when the alert was first created. |
| createdBy | string Email of the user who first created the alert. |
| enabled | boolean If |
| title | string Alert title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering alerts and triggered alerts. Can be used in Kibana Discover, dashboards, and more. |
| output | object (AlertOutput) Automatically sends out notifications with sample results when the alert triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the alert's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The alert runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubAlert) Determines when the alert should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubAlertCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the alert’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
Response sample:

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.952Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.952Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {"emails": ["tom.a@layerlog.com"], "notificationEndpointIds": [0]},
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [{"match_phrase": {"Field": {"query": "value"}}}],
            "must_not": [{"match_phrase": {"Field": {"query": "value"}}}]
          }
        },
        "groupBy": ["string"],
        "aggregation": {"aggregationType": "SUM", "fieldToAggregateOn": "string"},
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300}
      },
      "output": {"shouldUseAllFields": true}
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [{"0": "region", "1": "region"}]
  },
  "schedule": {"cron": "string", "timezone": "string"}
}
```
Asia Pacific (Sydney)
Canada (Central)
Europe (Frankfurt)
West Europe (Netherlands)
Europe (London)
West US 2 (Washington)
Enables an alert by its alert ID. This is reversible. The alert can be disabled again at any time.
| id required | integer <int32> Example: 654312 Alert ID |
successful operation
Disables an alert by its alert ID. This is reversible. The alert can be enabled again at any time.
| id required | integer <int32> Example: 654321 Alert ID |
successful operation
Returns a paged filtered list of triggered alerts for your accounts.
| from | integer >= 0 Default: 0 Of the results found, the first result to return. |
| size | integer Example: size=15 Size of page to return. |
| search | string Example: search=test Part of the alert name to filter by (case-insensitive). |
| severities | Array of strings Items Value: ["SEVERE","HIGH","MEDIUM","LOW","INFO"] Example: severities=["SEVERE", "HIGH"] Filter results by severity of triggered alerts. |
| sortBy | string Enum: "DATE" "SEVERITY" Sort alerts by date or severity. |
| sortOrder | string Enum: "ASC" "DESC" Sort order of alerts retrieved. |
| tags | Array of strings List of tags the alert is related to. |
successful operation
| pageSize | integer Size of page returned. |
| from | integer Of the results found, the first result to return. |
| total | integer Total number of alerts retrieved. |
| results | Array of objects Array of alerts retrieved by the search. |

```shell
curl -X POST https://api.layerlog.com/v1/alerts/triggered-alerts \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>' \
  -d '{
    "from": 0,
    "size": 15,
    "search": "test",
    "severities": ["HIGH", "LOW"],
    "sortBy": "DATE",
    "sortOrder": "ASC",
    "tags": "network"
  }'
```

```json
[
  {
    "pageSize": 2,
    "from": 1,
    "total": 2,
    "results": [
      {
        "alertId": 1,
        "name": "test",
        "eventDate": 1523970558.657,
        "severity": "HIGH"
      }
    ]
  }
]
```

Send deployment logs by API to automatically correlate exceptions with service deployments directly in your Layerlog Exceptions tab.
Send logs with details of service deployments to annotate Exception graphs in Kibana Discover. Learn more about Deployment markers
| markers | Array of objects (MarkerDataPoint) |
successful operation

```json
{
  "markers": [
    {
      "title": "ServiceA",
      "tag": "OTHER",
      "example": null,
      "enum": null,
      "timestamp": 1613311091679,
      "description": "Description with additional context",
      "metadata": {
        "version": "version 5",
        "deployer": "iron man"
      }
    }
  ]
}
```

Layerlog monitors your logs for Insights to help you preempt issues and alert you of potential problems.
There are two types of Insights:
You have the option to set up an alert so you can get notified of the details when new or recurring insights are spotted in your system.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
Get the list of Insights that match your search criteria.
Whenever a new Insight is detected, it receives an Insight ID and is tracked for as long as it recurs. The lookback period for Insights is 6 months.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| startDate | integer <int64> UNIX timestamp in milliseconds specifying the start date for the query time frame. By default, returns the past 15 minutes ("now - 15 minutes" translated into a UNIX timestamp). |
| endDate | integer <int64> UNIX timestamp in milliseconds specifying the end date for the query time frame. By default, returns the current time ("now" translated into a UNIX timestamp). |
| from | integer <int32> Default: 0 Of the results found, the first result to return. Must be a non-negative integer. |
| size | integer <int32> [ 1 .. 100 ] Default: 10 Number of results to return. Must be a positive integer between 1-100. |
| insightTypes | Array of strings Default: ["PUBLIC_CI","LOGCEPTION"] Items Enum: "PUBLIC_CI" "LOGCEPTION" Filters results by Insight type. |
| tagNames | Array of strings Filters results by the tag values used to categorize Insights. |
| logTypes | Array of strings Filters results by log type. |
| onlyNew | boolean Default: false Filters for Insights that first occurred in the selected time frame. In other words, excludes Insights that were first identified before or after the selected time range. |
| sortBy | string Default: "COUNT" Enum: "FIRST_OCCURRENCE" "LAST_OCCURRENCE" "COUNT" Sorts Insights by the selected parameters. |
| asc | boolean Default: false If |
| search | string Searches for an Insight by its title. |
successful operation
| pageSize | integer <int32> [ 0 .. 500 ] Number of results to return per page. Must be a positive integer between 0-500. |
| from | integer <int32> [ 0 .. 2147483647 ] UNIX timestamp in milliseconds. |
| total | integer <int64> [ 0 .. 500 ] Total number of results found. |
| results | Array of objects (PublicAccountInsightResponse) |

```json
{
  "startDate": 1592904389950,
  "endDate": 1592254800000,
  "from": 0,
  "size": 100,
  "insightTypes": ["PUBLIC_CI", "LOGCEPTION"],
  "tagNames": null,
  "logTypes": ["log-engine", "spark"],
  "onlyNew": true,
  "sortBy": "COUNT",
  "asc": true,
  "search": "Exception"
}
```

```json
{
  "pageSize": 0,
  "from": 0,
  "total": 0,
  "results": [
    {
      "insightId": "cf484f4c381c3e408a23accc5b487947d2f68791",
      "insightType": "PUBLIC_CI",
      "tagName": "ignite",
      "description": "A match for the phrase - <'Could not find the language line'> was identified in the log message. As mentioned in the cited links, this may indicate that an issue has taken place that requires your attention.",
      "links": "https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/784 https://www.sitepoint.com/multi-language-support-in-codeigniter/ http://forum.codeigniter.com/thread-383.html https://community.invoiceplane.com/t/topic/3322 https://www.zonwhois.com/www/gwdcanada.com.html",
      "additionalData": {
        "property1": {},
        "property2": {}
      },
      "firstOccurrence": 1591181276000,
      "lastOccurrence": 1591253121194,
      "count": 66,
      "logTypes": ["app-server", "user-analytics"],
      "kibanaLink": "string",
      "insightTitle": "Could not find the language line create_user_validation_phone_label"
    }
  ]
}
```

Creates a new Kibana snapshot and shares it with recipients through email or a notification endpoint.
| snapshotType required | string Enum: "DASHBOARD" "VISUALIZATION" The object type to share |
| snapshotSavedObjectId required | string ID of the object to share. If you don't know the object ID, you can use the /kibana/export endpoint. |
| slackWebhookUrls | Array of strings URLs of Slack webhooks that you want to send this snapshot to. |
| endpoints | Array of integers <int32> IDs of notification endpoints that you want to send this snapshot to |
| emails | Array of strings Email addresses that you want to send this snapshot to |
| message | string Message to send to the shared object recipients |
| timeFrameFrom required | integer <int64> Start date and time of the visualization, as a Unix epoch integer. |
| timeFrameTo required | integer <int64> End date and time of the visualization, as a Unix epoch integer. |
| snapshotTimeZone required | string Time zone to use in |
| queryString | string Search query |
| darkTheme | boolean To send the object with Kibana dark theme colors, |
successful operation
| snapshotId | integer <int32> ID of the snapshot |

```json
{
  "snapshotType": "DASHBOARD",
  "snapshotSavedObjectId": "11f6a669-4f21-6313-dd83-319dbfc8ff96",
  "slackWebhookUrls": [],
  "endpoints": [0],
  "emails": ["string"],
  "message": "Take a look at these Apache logs, let me know if you want me to do anything about it",
  "timeFrameFrom": 389836800,
  "timeFrameTo": 414720000,
  "snapshotTimeZone": "UTC",
  "queryString": "type:example",
  "darkTheme": true
}
```

```json
{
  "snapshotId": 2049
}
```

Returns the details of a snapshot, such as status and the snapshot image URL
| snapshotId required | integer <int32> Example: 3094 ID of the snapshot |
successful operation
| snapshotId | integer <int32> ID of the snapshot |
| accountId | integer <int32> ID of the account |
| snapshotType | string Enum: "DASHBOARD" "VISUALIZATION" The object type |
| status | string Enum: "SUCCESS" "FAILED" "IN_PROGRESS" Status of the snapshot capture operation |
| snapshotSavedObjectName | string Name of the object captured in the snapshot |
| imageUrl | string Web address where the snapshot image is stored |
| appLinkUrl | string A link to the snapshot in the Layerlog app |
| message | string Message to send to snapshot recipients |
| timeFrameFrom | integer <int64> Start date and time of the visualization, as a Unix epoch integer. |
| timeFrameTo | integer <int64> End date and time of the visualization, as a Unix epoch integer. |
| snapshotTimeZone | string Time zone to use in |

```shell
curl -X GET "https://api.layerlog.com/v1/snapshotter/3094" -H "accept: application/json" -H "X-API-TOKEN: <token>"
```

```json
{
  "snapshotId": 3094,
  "accountId": 5555,
  "snapshotType": "VISUALIZATION",
  "status": "SUCCESS",
  "snapshotSavedObjectName": "Mysql response times percentiles",
  "message": "Hey, let me know if you need me to do anything about this.",
  "timeFrameFrom": 389836800,
  "timeFrameTo": 414720000,
  "snapshotTimeZone": "UTC"
}
```

A security account with SIEM allows you to use the SIEM platform. You can create a SIEM account using an API call.
Creates a new SIEM account. Returns SIEM account configuration settings as a JSON object. Must be run with an API token from your main Logs account (Logs > Settings > Manage tokens > API tokens).
| accountName required | string SIEM account name |
| accountsToScan | Array of integers IDs of accounts that will be accessed for logs. The owner account will be the default account to scan. |
| email required | string Email address of the SIEM account. |
| isUsingRepositoryAccount | boolean Describes if the account uses a Repository Account. For more information, see our User Guide. |
successful query
| accountId | integer Account ID. |
| accountName | string SIEM account name |
| accountsToScan | Array of integers Accounts included in the query |
| createdAt | string <date-time> Date this account was created. Format: |
| isUsingRepositoryAccount | boolean Describes if the account uses a Repository Account. For more information, see our User Guide. |

```json
{
  "accountName": "string",
  "accountsToScan": [0],
  "email": "string",
  "isUsingRepositoryAccount": true
}
```

```json
{
  "accountId": 0,
  "accountName": "string",
  "accountsToScan": [0],
  "createdAt": "2025-12-07T12:21:52.950Z",
  "isUsingRepositoryAccount": true
}
```

Security rules help you connect the dots between your data sources and events that could indicate a security threat or breach.
Your Cloud SIEM account comes pre-configured with security rules for different attack types and security use cases. These built-in rules are protected, and there are limitations on the changes that can be made to them. Pre-configured rules can be updated by adding notification endpoints (like email or Slack), changing trigger thresholds and severities, and adding tags, as described in detail in the endpoint.
You can also create new security rules to supplement the built-in rules.
Creates a new security rule and activates it.
| title | string Rule title |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings [ 0 .. 25 ] items Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. |
| output | object (RuleOutput) Automatically sends out notifications with sample results when the rule triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents required | Array of objects (SubRule) Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubRuleCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. |
| enabled | boolean If |
successful operation
| id | integer <int32> Layerlog rule ID. |
| updatedAt | string Date and time in UTC when the rule was last updated. |
| updatedBy | string Email of the user who last updated the rule. |
| createdAt | string Date and time in UTC when the rule was first created. |
| createdBy | string Email of the user who first created the rule. |
| enabled | boolean If |
| title | string Rule title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. |
| output | object (RuleOutput) Automatically sends out notifications with sample results when the rule triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubRule) Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubRuleCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |

```json
{
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": "network",
  "output": {
    "recipients": {
      "emails": ["tom.a@layerlog.com"],
      "notificationEndpointIds": [0]
    },
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 20,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ],
            "must_not": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ]
          }
        },
        "groupBy": ["string"],
        "aggregation": {
          "aggregationType": "SUM",
          "fieldToAggregateOn": "string"
        },
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {
          "MEDIUM": 10,
          "HIGH": 100,
          "SEVERE": 300
        }
      },
      "output": {
        "columns": [
          {"fieldName": "string", "regex": "string", "sort": "DESC"}
        ]
      }
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [
      {"0": "region", "1": "region"}
    ]
  },
  "enabled": true
}
```

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.953Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.953Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {
      "emails": ["tom.a@layerlog.com"],
      "notificationEndpointIds": [0]
    },
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ],
            "must_not": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ]
          }
        },
        "groupBy": ["string"],
        "aggregation": {
          "aggregationType": "SUM",
          "fieldToAggregateOn": "string"
        },
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {
          "MEDIUM": 10,
          "HIGH": 100,
          "SEVERE": 300
        }
      },
      "output": {
        "columns": [
          {"fieldName": "string", "regex": "string", "sort": "DESC"}
        ]
      }
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [
      {"0": "region", "1": "region"}
    ]
  },
  "schedule": {
    "cron": "string",
    "timezone": "string"
  }
}
```

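
A client-side check for the create and update rule payloads described above, added here as an example (it is not Layerlog's code). Because the page states that the 5 to 1440 range for searchTimeFrameMinutes is not validated, the check lints a rule before it is sent; `lint_rule`, `severity_for` and `max_lookback_minutes` are hypothetical names, the sample rules are constructed, and the low-to-high severity ranking and the "highest tier reached" trigger semantics are assumptions.

```python
from datetime import datetime, timezone

# Severity names as listed on this page; ranking them low to high is an assumption.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "SEVERE": 4}
MIN_WINDOW, MAX_WINDOW, MAX_TAGS = 5, 1440, 25  # ranges documented for the rule payload


def max_lookback_minutes(now_utc):
    """Minutes of data held in the today + yesterday (UTC) indices at `now_utc`."""
    now = now_utc.astimezone(timezone.utc)  # expects a timezone-aware datetime
    return 1440 + now.hour * 60 + now.minute  # 24 h at 00:00 UTC, 47 h 59 min at 23:59


def severity_for(value, trigger):
    """Highest tier whose threshold `value` reaches (assumed trigger semantics)."""
    if trigger.get("operator") != "GREATER_THAN_OR_EQUALS":
        raise ValueError("only the operator shown on this page is modelled")
    tiers = trigger.get("severityThresholdTiers", {})
    met = [s for s, t in tiers.items() if s in SEVERITY_RANK and value >= t]
    return max(met, key=SEVERITY_RANK.get, default=None)


def lint_rule(rule):
    """Return a list of findings for a create/update security-rule payload."""
    findings = []

    # The API does not enforce this range, so a rule outside it is accepted silently.
    window = rule.get("searchTimeFrameMinutes")
    if window is not None and not (
        isinstance(window, int) and MIN_WINDOW <= window <= MAX_WINDOW
    ):
        findings.append(
            f"searchTimeFrameMinutes: {window!r} is outside {MIN_WINDOW}..{MAX_WINDOW}"
        )

    tags = rule.get("tags") or []
    if isinstance(tags, str):  # a single tag sent as a bare string
        tags = [tags]
    if len(tags) > MAX_TAGS:
        findings.append(f"tags: {len(tags)} items, limit is {MAX_TAGS}")

    subs = rule.get("subComponents")
    if not isinstance(subs, list) or not subs:
        findings.append("subComponents: required, at least one sub-component")
        subs = []

    if rule.get("correlations") and len(subs) < 2:
        findings.append("correlations: only applicable with multiple sub-components")

    for i, sub in enumerate(subs):
        trigger = sub.get("trigger", {})
        tiers = trigger.get("severityThresholdTiers", {})
        unknown = sorted(set(tiers) - set(SEVERITY_RANK))
        if unknown:
            findings.append(f"subComponents[{i}].trigger: unknown severities {unknown}")
        if trigger.get("operator") == "GREATER_THAN_OR_EQUALS":
            ranked = sorted(
                (SEVERITY_RANK[s], t) for s, t in tiers.items() if s in SEVERITY_RANK
            )
            thresholds = [t for _, t in ranked]
            # A higher severity with a lower-or-equal threshold masks the tier below it.
            if any(a >= b for a, b in zip(thresholds, thresholds[1:])):
                findings.append(
                    f"subComponents[{i}].trigger: thresholds must rise with severity"
                )
    return findings


# Constructed sample payloads using the field names from this page.
GOOD_RULE = {
    "title": "Excessive WARN levels in PROD",
    "tags": ["network"],
    "searchTimeFrameMinutes": 20,
    "subComponents": [{
        "queryDefinition": {"query": "type:apache_access"},
        "trigger": {
            "operator": "GREATER_THAN_OR_EQUALS",
            "severityThresholdTiers": {"MEDIUM": 10, "HIGH": 100, "SEVERE": 300},
        },
    }],
}

BAD_RULE = {
    "title": "Constructed misconfigured rule",
    "tags": [f"tag{n}" for n in range(26)],
    "searchTimeFrameMinutes": 2,
    "subComponents": [{
        "queryDefinition": {"query": "type:apache_access"},
        "trigger": {
            "operator": "GREATER_THAN_OR_EQUALS",
            "severityThresholdTiers": {"MEDIUM": 100, "HIGH": 10},
        },
    }],
    "correlations": {"correlationOperators": ["AND"]},
}

if __name__ == "__main__":
    for finding in lint_rule(BAD_RULE):
        print(finding)
```
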
Retrieves a security rule by its ID.
| ruleId required | integer <int32> |
successful operation
| id | integer <int32> Layerlog security rule ID. |
| updatedAt | string Date and time in UTC when the rule was last updated. |
| updatedBy | string Email of the user who last updated the rule. |
| createdAt | string Date and time in UTC when the rule was first created. |
| createdBy | string Email of the user who first created the rule. |
| enabled | boolean If |
| title | string Rule title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. |
| output | object (RuleOutput) Automatically sends out notifications with sample results when the rule triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubRule) Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubRuleCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. |
| protected | boolean If |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
| mitreTags | Array of strings Tags used for classifying, discussing, and interpreting security incidents. This feature is currently under development. |

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.954Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.954Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {
      "emails": ["tom.a@layerlog.com"],
      "notificationEndpointIds": [0]
    },
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ],
            "must_not": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ]
          }
        },
        "groupBy": ["string"],
        "aggregation": {
          "aggregationType": "SUM",
          "fieldToAggregateOn": "string"
        },
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {
          "MEDIUM": 10,
          "HIGH": 100,
          "SEVERE": 300
        }
      },
      "output": {
        "columns": [
          {"fieldName": "string", "regex": "string", "sort": "DESC"}
        ]
      }
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [
      {"0": "region", "1": "region"}
    ]
  },
  "protected": true,
  "schedule": {
    "cron": "string",
    "timezone": "string"
  },
  "mitreTags": ["string"]
}
```

Applies changes to a rule, identified by its ID. Can also be used to enable or disable a rule.
| ruleId required | integer <int32> |
| title | string Rule title |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings [ 0 .. 25 ] items Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. |
| output | object (RuleOutput) Automatically sends out notifications with sample results when the rule triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents required | Array of objects (SubRule) Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubRuleCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. |
| enabled | boolean If |
successful operation
| id | integer <int32> Layerlog rule ID. |
| updatedAt | string Date and time in UTC when the rule was last updated. |
| updatedBy | string Email of the user who last updated the rule. |
| createdAt | string Date and time in UTC when the rule was first created. |
| createdBy | string Email of the user who first created the rule. |
| enabled | boolean If |
| title | string Rule title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. |
| output | object (RuleOutput) Automatically sends out notifications with sample results when the rule triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubRule) Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubRuleCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |

```json
{
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": "network",
  "output": {
    "recipients": {
      "emails": ["tom.a@layerlog.com"],
      "notificationEndpointIds": [0]
    },
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 20,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ],
            "must_not": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ]
          }
        },
        "groupBy": ["string"],
        "aggregation": {
          "aggregationType": "SUM",
          "fieldToAggregateOn": "string"
        },
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {
          "MEDIUM": 10,
          "HIGH": 100,
          "SEVERE": 300
        }
      },
      "output": {
        "columns": [
          {"fieldName": "string", "regex": "string", "sort": "DESC"}
        ]
      }
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [
      {"0": "region", "1": "region"}
    ]
  },
  "enabled": true
}
```

```json
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.953Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.953Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {
      "emails": ["tom.a@layerlog.com"],
      "notificationEndpointIds": [0]
    },
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ],
            "must_not": [
              {"match_phrase": {"Field": {"query": "value"}}}
            ]
          }
        },
        "groupBy": ["string"],
        "aggregation": {
          "aggregationType": "SUM",
          "fieldToAggregateOn": "string"
        },
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {
          "MEDIUM": 10,
          "HIGH": 100,
          "SEVERE": 300
        }
      },
      "output": {
        "columns": [
          {"fieldName": "string", "regex": "string", "sort": "DESC"}
        ]
      }
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [
      {"0": "region", "1": "region"}
    ]
  },
  "schedule": {
    "cron": "string",
    "timezone": "string"
  }
}
```

Deletes a security rule by its ID.
| ruleId required | integer <int32> |
successful operation
| id | integer <int32> Layerlog rule ID. |
| updatedAt | string Date and time in UTC when the rule was last updated. |
| updatedBy | string Email of the user who last updated the rule. |
| createdAt | string Date and time in UTC when the rule was first created. |
| createdBy | string Email of the user who first created the rule. |
| enabled | boolean If |
| title | string Rule title. |
| description | string A description of the event, its significance, and suggested next steps or instructions for the team. |
| tags | Array of strings Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more. |
| output | object (RuleOutput) Automatically sends out notifications with sample results when the rule triggers. |
| searchTimeFrameMinutes | integer <int32> [ 5 .. 1440 ] The time frame for evaluating the log data is a sliding window, with 1 minute granularity. The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy. The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy. The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC. |
| subComponents | Array of objects (SubRule) Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions. |
| correlations | object (SubRuleCorrelation) Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components. |
| schedule | object Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data. |
{
  "id": 627816,
  "updatedAt": "2025-12-07T12:21:52.953Z",
  "updatedBy": "tomer@layerlog.com",
  "createdAt": "2025-12-07T12:21:52.953Z",
  "createdBy": "tomer@layerlog.com",
  "enabled": true,
  "title": "Excessive WARN levels in PROD",
  "description": "Steps to remediate...",
  "tags": ["network", "aws"],
  "output": {
    "recipients": {
      "emails": ["tom.a@layerlog.com"],
      "notificationEndpointIds": [0]
    },
    "suppressNotificationsMinutes": 60,
    "type": "JSON"
  },
  "searchTimeFrameMinutes": 5,
  "subComponents": [
    {
      "queryDefinition": {
        "query": "type:apache_access",
        "filters": {
          "bool": {
            "must": [
              {
                "match_phrase": {
                  "Field": {
                    "query": "value"
                  }
                }
              }
            ],
            "must_not": [
              {
                "match_phrase": {
                  "Field": {
                    "query": "value"
                  }
                }
              }
            ]
          }
        },
        "groupBy": ["string"],
        "aggregation": {
          "aggregationType": "SUM",
          "fieldToAggregateOn": "string"
        },
        "shouldQueryOnAllAccounts": false,
        "accountIdsToQueryOn": [2321]
      },
      "trigger": {
        "operator": "GREATER_THAN_OR_EQUALS",
        "severityThresholdTiers": {
          "MEDIUM": 10,
          "HIGH": 100,
          "SEVERE": 300
        }
      },
      "output": {
        "columns": [
          {
            "fieldName": "string",
            "regex": "string",
            "sort": "DESC"
          }
        ]
      }
    }
  ],
  "correlations": {
    "correlationOperators": ["AND"],
    "joins": [
      {
        "0": "region",
        "1": "region"
      }
    ]
  },
  "schedule": {
    "cron": "string",
    "timezone": "string"
  }
}
Retrieve a list of security rules for a specific Security account. The results are paginated. Filtering, sorting and pagination are all optional. If you want to get all rules, send the payload in {} format.
| filter | object (AlertsFilter) |
| sort | object (AlertsSortRequest) |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
successful operation
| total | integer <int32> The total number of rules returned by the query. The total entities found after filtering and sorting. This number is fixed and not affected by pagination. |
| results | Array of objects (SecurityRuleResponse) |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
{
  "filter": {
    "search": "string",
    "severities": ["SEVERE", "HIGH"],
    "updatedBy": ["string"],
    "createdBy": ["string"],
    "enabledState": [true],
    "emailNotifications": ["string"],
    "tags": ["string"]
  },
  "sort": {
    "sortByField": "SEVERITY",
    "descending": true
  },
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}

{
  "total": 500,
  "results": [
    {
      "id": 627816,
      "updatedAt": "2025-12-07T12:21:52.954Z",
      "updatedBy": "tomer@layerlog.com",
      "createdAt": "2025-12-07T12:21:52.954Z",
      "createdBy": "tomer@layerlog.com",
      "enabled": true,
      "title": "Excessive WARN levels in PROD",
      "description": "Steps to remediate...",
      "tags": ["network", "aws"],
      "output": {
        "recipients": {
          "emails": ["tom.a@layerlog.com"],
          "notificationEndpointIds": [0]
        },
        "suppressNotificationsMinutes": 60,
        "type": "JSON"
      },
      "searchTimeFrameMinutes": 5,
      "subComponents": [
        {
          "queryDefinition": {
            "query": "type:apache_access",
            "filters": {
              "bool": {
                "must": [
                  {
                    "match_phrase": {
                      "Field": {
                        "query": "value"
                      }
                    }
                  }
                ],
                "must_not": [
                  {
                    "match_phrase": {
                      "Field": {
                        "query": "value"
                      }
                    }
                  }
                ]
              }
            },
            "groupBy": ["string"],
            "aggregation": {
              "aggregationType": "SUM",
              "fieldToAggregateOn": "string"
            },
            "shouldQueryOnAllAccounts": false,
            "accountIdsToQueryOn": [2321]
          },
          "trigger": {
            "operator": "GREATER_THAN_OR_EQUALS",
            "severityThresholdTiers": {
              "MEDIUM": 10,
              "HIGH": 100,
              "SEVERE": 300
            }
          },
          "output": {
            "columns": [
              {
                "fieldName": "string",
                "regex": "string",
                "sort": "DESC"
              }
            ]
          }
        }
      ],
      "correlations": {
        "correlationOperators": ["AND"],
        "joins": [
          {
            "0": "region",
            "1": "region"
          }
        ]
      },
      "protected": true,
      "schedule": {
        "cron": "string",
        "timezone": "string"
      },
      "mitreTags": ["string"]
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}
Enables a security rule by its ID.
| id required | integer <int32> Example: 305572 Rule ID |
successful operation
Disables a security rule by its ID.
| id required | integer <int32> Example: 305976 Rule ID |
successful operation
A security event is logged whenever a security rule triggers in your Layerlog Cloud SIEM account.
Your Layerlog Cloud SIEM is pre-loaded with hundreds of security rules created and maintained by Layerlog's security analysts. The list continues to be expanded and updated on a regular basis. You can also add your own security rules.
To investigate security events, you can begin by running a bulk query to fetch security event logs, either with or without applying filtering criteria. This query returns all of the events that match the query parameters and can potentially fetch events going back many months. Whenever you encounter a particular event you would like to investigate further, you can run the drilldown query to fetch the logs that triggered the security event and delve deeper into the event details.
These queries can be used to integrate with an automated response solution such as Cortex XSOAR or simply to understand your security posture and identify suspicious activity in your accounts.
Runs a search query in your Layerlog Cloud SIEM account to fetch the security events that match the query parameters.
You have the option to filter by rule name, rule severity, and/or event timestamp, and sort the results by time and/or severity, but this is not required. If you send the query with an empty JSON body, it returns all of the events logged in your Layerlog Cloud SIEM, going as far back as your account's retention permits.
Note: Run this endpoint with an API token for your Layerlog Security account.
| filter | object (RulesEventsFilter) Filter by rule name, rule severity, or time range. |
| sort | Array of objects (RulesEventsSortRequest) Explicit sorting rules are not required, but recommended. Otherwise the database will determine the sorting. |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
successful operation
| total | integer <int32> The total number of events returned by the query. The total entities found after filtering and sorting. This number is fixed and not affected by pagination. |
| results | Array of objects (TriggeredAlert) |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
{
  "filter": {
    "searchTerm": "Falco",
    "severities": ["SEVERE"],
    "timeRange": {
      "fromDate": 1587134557,
      "toDate": 1587137557
    },
    "includeMutedEvents": true
  },
  "sort": [
    {
      "field": "DATE",
      "descending": true
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}

{
  "total": 500,
  "results": [
    {
      "alertId": 453345,
      "name": "AWS EC2 - Brute force SSH login attempts",
      "description": "Suggested next steps...",
      "alertSummary": "Alert if query '*' results GREATER_THAN_OR_EQUALS 5.00 in 10 minutes. Count on Group By '[userIdentity.userName, sourceIPAddress]'",
      "eventDate": 1587860455,
      "alertWindowStartDate": 1587856855,
      "alertWindowEndDate": 1587860455,
      "severity": "SEVERE",
      "alertEventId": "27cdcf45-ae12-581a-809e-17a6bbc9ae07",
      "groupBy": {
        "source_ip": "122.17.45.15",
        "hostname": "hostname1234"
      },
      "tags": "threat",
      "hits": 30,
      "isMuted": true
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}
Runs a search query in your Layerlog Log Monitoring account to fetch the logs that triggered the security rule and caused it to log a security event.
This query returns an array of parsed logs linked to a single event - it isn't a bulk action. Run this query to investigate an event and increase observability into details omitted from the security event log.
Note: Run this endpoint with an API token for your Layerlog Security account.
| filter required | object (RuleEventLogsFilter) Filter by the event's unique GUID to retrieve only the logs relevant to the event under investigation. |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
successful operation
| total | integer <int32> Returns the total number of logs linked to the security event specified in the query. This number is fixed and not affected by pagination. |
| results | Array of objects Array of logs returned in answer to the query. The logs are returned in their entirety and parsed. If the logs are no longer retained in the database, the request will return empty. You can check your account's log retention policy in your log monitoring account. |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
{
  "filter": {
    "alertEventId": "833203f9-de71-5a12-9083-9055a6d925bb"
  },
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}

{
  "total": 5,
  "results": [
    {
      "Array of logs": null
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}
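The two-step investigation described above (bulk event search, then a drilldown by alertEventId), as an added example that is not Layerlog's own code: it pages through both endpoints until total is reached and flags events whose logs are no longer retained. The endpoint paths are placeholders because this page does not show them, the transport and its data are a constructed in-memory stub, and 1-based page numbers and epoch-second timeRange values are assumptions read off the samples.

```python
from typing import Callable, Dict, Iterator, List

# Placeholders: this page does not show the URLs of these two endpoints.
EVENTS_SEARCH_PATH = "<security-events-search-path>"
EVENT_LOGS_PATH = "<security-event-logs-path>"

Transport = Callable[[str, dict], dict]  # (path, JSON body) -> parsed JSON reply


def events_query(severities: List[str], from_s: int, to_s: int,
                 page: int, page_size: int) -> dict:
    """Event-search body in the shape of the page's request sample."""
    if from_s > to_s:
        raise ValueError("fromDate is later than toDate")
    return {
        "filter": {
            "severities": severities,
            # Assumption: epoch seconds, judging by the sample values.
            "timeRange": {"fromDate": from_s, "toDate": to_s},
            "includeMutedEvents": False,
        },
        # Explicit sort, which the page recommends, keeps page order stable.
        "sort": [{"field": "DATE", "descending": True}],
        "pagination": {"pageNumber": page, "pageSize": page_size},
    }


def paged(send: Transport, path: str, body_for_page: Callable[[int], dict],
          max_pages: int = 1000) -> Iterator[dict]:
    """Yield every result, stopping at `total`, on an empty page, or at max_pages."""
    seen = 0
    for page in range(1, max_pages + 1):  # assumption: the first page is 1
        reply = send(path, body_for_page(page))
        results = reply.get("results") or []
        yield from results
        seen += len(results)
        if not results or seen >= reply.get("total", 0):
            return


def fetch_event_logs(send: Transport, alert_event_id: str,
                     page_size: int = 100) -> List[dict]:
    """Drilldown: all logs linked to one security event."""
    def body(page: int) -> dict:
        return {"filter": {"alertEventId": alert_event_id},
                "pagination": {"pageNumber": page, "pageSize": page_size}}
    return list(paged(send, EVENT_LOGS_PATH, body))


def triage(send: Transport, severities: List[str], from_s: int, to_s: int,
           page_size: int = 100) -> Dict[str, dict]:
    """Map each matching event's alertEventId to its summary and triggering logs."""
    report: Dict[str, dict] = {}
    events = paged(send, EVENTS_SEARCH_PATH,
                   lambda p: events_query(severities, from_s, to_s, p, page_size))
    for event in events:
        logs = fetch_event_logs(send, event["alertEventId"], page_size)
        report[event["alertEventId"]] = {
            "name": event["name"],
            "severity": event["severity"],
            "logs": logs,
            # An empty drilldown means the logs are no longer retained.
            "logs_retained": bool(logs),
        }
    return report


# Constructed sample data and stub transport, so the example runs offline.
SAMPLE_EVENTS = [
    {"alertEventId": "evt-constructed-1", "name": "Constructed rule A",
     "severity": "SEVERE", "eventDate": 1587860455},
    {"alertEventId": "evt-constructed-2", "name": "Constructed rule B",
     "severity": "SEVERE", "eventDate": 1587860400},
    {"alertEventId": "evt-constructed-3", "name": "Constructed rule C",
     "severity": "SEVERE", "eventDate": 1587860300},
    {"alertEventId": "evt-constructed-4", "name": "Constructed rule D",
     "severity": "HIGH", "eventDate": 1587860200},
]
SAMPLE_LOGS = {"evt-constructed-1": [{"message": "constructed log %d" % i}
                                     for i in range(3)]}


def fake_send(path: str, body: dict) -> dict:
    page, size = body["pagination"]["pageNumber"], body["pagination"]["pageSize"]
    if path == EVENTS_SEARCH_PATH:
        flt = body["filter"]
        lo, hi = flt["timeRange"]["fromDate"], flt["timeRange"]["toDate"]
        rows = [e for e in SAMPLE_EVENTS
                if e["severity"] in flt["severities"] and lo <= e["eventDate"] <= hi]
    else:
        rows = SAMPLE_LOGS.get(body["filter"]["alertEventId"], [])
    start = (page - 1) * size
    return {"total": len(rows), "results": rows[start:start + size],
            "pagination": body["pagination"]}


if __name__ == "__main__":
    for event_id, info in triage(fake_send, ["SEVERE"], 1587856855, 1587860455, 2).items():
        print(event_id, info["name"], len(info["logs"]), info["logs_retained"])
```

To use it against the real API, replace `fake_send` with a function that POSTs the body to the endpoint in your region and sends the token in the X-API-TOKEN header.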
Creates a new lookup list. After you create the list, you can run the endpoint to add elements to the list.
| name | string [ 0 .. 40 ] characters Default: "Untitled##" Name of the lookup list. If null, the list will be named |
| description | string [ 0 .. 400 ] characters A place to add a free text description of the lookup list's purpose, uses and dependencies. |
successful operation
| id | string GUID of the lookup list. |
| name | string [ 1 .. 40 ] characters Name of the lookup list. |
| description | string [ 0 .. 400 ] characters Description of the lookup list. |
{
  "name": "Untitled##",
  "description": "string"
}

{
  "id": "7c985e09-3db6-5dc6-ae33-58403493e13f",
  "name": "string",
  "description": "string"
}
Searches for lookup lists by name or ID. Can also be run without a filter to return the full list of existing lookups. Returns a paginated list of results.
| filter | object (LookupListsFilter) Filter by names that contain a term, by lookup ID, or by both. If both properties are sent, they must both be satisfied ( |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
successful operation
| total | integer <int32> Total number of search results. |
| results | Array of objects (LookupList) |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
{
  "filter": {
    "searchTerm": "servers",
    "byIds": ["string"]
  },
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}

{
  "total": 0,
  "results": [
    {
      "id": "7c985e09-3db6-5dc6-ae33-58403493e13f",
      "name": "string",
      "description": "string"
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}
Retrieves the general details for an existing lookup list.
| id required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
successful operation
| id | string GUID of the lookup list. |
| name | string [ 1 .. 40 ] characters Name of the lookup list. |
| description | string [ 0 .. 400 ] characters Description of the lookup list. |
{
  "id": "7c985e09-3db6-5dc6-ae33-58403493e13f",
  "name": "string",
  "description": "string"
}
Updates the name and/or description of an existing lookup list.
| id required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| id | string GUID of the lookup list. |
| name | string [ 1 .. 40 ] characters Name of the lookup list. |
| description | string [ 0 .. 400 ] characters Description of the lookup list. |
successful operation
| id | string GUID of the lookup list. |
| name | string [ 1 .. 40 ] characters Name of the lookup list. |
| description | string [ 0 .. 400 ] characters Description of the lookup list. |
{
  "id": "7c985e09-3db6-5dc6-ae33-58403493e13f",
  "name": "string",
  "description": "string"
}

{
  "id": "7c985e09-3db6-5dc6-ae33-58403493e13f",
  "name": "string",
  "description": "string"
}
Deletes a lookup list. Note that this action can affect rules, dashboards, and reports if they are dependent on the lookup list.
| id required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
successful operation
| id | string GUID of the lookup list. |
| name | string [ 1 .. 40 ] characters Name of the lookup list. |
| description | string [ 0 .. 400 ] characters Description of the lookup list. |
{
  "id": "7c985e09-3db6-5dc6-ae33-58403493e13f",
  "name": "string",
  "description": "string"
}
Adds a new element to an existing lookup list. An element is a field value and comment (helpful description that does not affect the lookup functionally).
| lookupListId required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| value required | string [ 1 .. 80 ] characters A single field value. |
| comment | string [ 0 .. 200 ] characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
successful operation
| id | integer <int32> ID of the element in the Lookup list. |
| value | string [ 1 .. 80 ] characters A single field value. You should ensure that the lookup list contains a list of values all mapped to the same field. |
| comment | string <= 200 characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
{
  "value": "54.53.1.1",
  "comment": "ABC Server",
  "expirationDate": 0
}

{
  "id": 0,
  "value": "54.53.1.1",
  "comment": "ABC Server",
  "expirationDate": 0
}
Searches elements in a specified lookup list. Can also be run without a filter to return the full list of elements. Returns a paginated list of results.
| lookupListId required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| filter | object (LookupListElementsFilter) Filter for elements by value, element ID, or by comments that contain a search term. If multiple properties are sent, they must all be satisfied ( |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
successful operation
| total | integer <int32> Total number of search results. The results are relevant elements contained in the lookup list. |
| results | Array of objects (LookupListElement) |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
{
  "filter": {
    "searchTerm": "server",
    "byIds": [0],
    "byValues": ["string"]
  },
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}

{
  "total": 0,
  "results": [
    {
      "id": 0,
      "value": "54.53.1.1",
      "comment": "ABC Server",
      "expirationDate": 0
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}
Retrieves a specific lookup element by its ID.
| lookupListId required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| id required | integer <int32> Example: 20 ID of a specific value element contained in the lookup list. |
successful operation
| id | integer <int32> ID of the element in the Lookup list. |
| value | string [ 1 .. 80 ] characters A single field value. You should ensure that the lookup list contains a list of values all mapped to the same field. |
| comment | string <= 200 characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
{
  "id": 0,
  "value": "54.53.1.1",
  "comment": "ABC Server",
  "expirationDate": 0
}
Changes the value and/or comment of a specific element, identified by its ID.
| lookupListId required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| id required | integer <int32> Example: 20 ID of a specific value element contained in the lookup list. |
| id | integer <int32> ID of the element in the Lookup list. |
| value | string [ 1 .. 80 ] characters A single field value. You should ensure that the lookup list contains a list of values all mapped to the same field. |
| comment | string <= 200 characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
successful operation
| id | integer <int32> ID of the element in the Lookup list. |
| value | string [ 1 .. 80 ] characters A single field value. You should ensure that the lookup list contains a list of values all mapped to the same field. |
| comment | string <= 200 characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
{
  "id": 0,
  "value": "54.53.1.1",
  "comment": "ABC Server",
  "expirationDate": 0
}

{
  "id": 0,
  "value": "54.53.1.1",
  "comment": "ABC Server",
  "expirationDate": 0
}
Deletes a specific lookup element, identified by its ID.
| lookupListId required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| id required | integer <int32> Example: 20 ID of a specific value element contained in the lookup list. |
successful operation
| id | integer <int32> ID of the element in the Lookup list. |
| value | string [ 1 .. 80 ] characters A single field value. You should ensure that the lookup list contains a list of values all mapped to the same field. |
| comment | string <= 200 characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
{
  "id": 0,
  "value": "54.53.1.1",
  "comment": "ABC Server",
  "expirationDate": 0
}
Adds an array of elements to an existing Lookup list and sets the expiration date for the lookup.
| lookupListId required | string Example: 7c985e09-3db6-5dc6-ae33-58403493e13f GUID of the lookup list. |
| defaultTTL | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
| value required | string [ 1 .. 80 ] characters A single field value. |
| comment | string [ 0 .. 200 ] characters Optional. A place to add a note or additional details about the value. For example, if the value is an IP address, the comment can identify the server. |
| expirationDate | integer <int64> Optional. The expiration date and time of the lookup list as UNIX epoch milliseconds. When this parameter is left empty, the lookup list does not expire. |
successful operation
| status | string Enum: "SUCCESS" "PARTIAL_FAILED" "FAILED" Returns the status of the request. |
| numOfAddedElements | integer <int32> Total number of new elements added to the Lookup list. |
| numOfMergedElements | integer <int32> Total number of elements merged with duplicate values in the existing list. (In other words, the number of existing elements that were updated by the request.) |
[
  {
    "value": "54.53.1.1",
    "comment": "ABC Server",
    "expirationDate": 0
  }
]

{
  "status": "SUCCESS",
  "numOfAddedElements": 32,
  "numOfMergedElements": 42
}
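An added example (not Layerlog's code) of preparing the bulk-add payload described above from a list of indicators: it enforces the documented length limits, collapses duplicate values before sending, and rejects an expirationDate given in epoch seconds, an easy mistake because the security-event samples on this page use second-scale timestamps while lookup elements expect milliseconds. The function names, the seconds-versus-milliseconds threshold and the value 10.0.0.7 are constructed for illustration.

```python
from typing import Iterable, List, Optional, Tuple

MAX_VALUE_LEN = 80      # "value": string [ 1 .. 80 ] characters
MAX_COMMENT_LEN = 200   # "comment": string [ 0 .. 200 ] characters
# Heuristic: 10**11 ms is a date in 1973, so a smaller future expiry must be seconds.
MIN_PLAUSIBLE_MS = 10**11


def expiry_ms(now_epoch_s: float, ttl_days: float) -> int:
    """Expiration as UNIX epoch milliseconds, ttl_days after now_epoch_s (seconds)."""
    if ttl_days <= 0:
        raise ValueError("ttl_days must be positive")
    return int((now_epoch_s + ttl_days * 86400) * 1000)


def element(value: str, comment: str = "",
            expiration_ms: Optional[int] = None) -> dict:
    """One lookup element, validated against the documented limits."""
    value = value.strip()
    if not 1 <= len(value) <= MAX_VALUE_LEN:
        raise ValueError(f"value must be 1..{MAX_VALUE_LEN} characters: {value!r}")
    if len(comment) > MAX_COMMENT_LEN:
        raise ValueError(f"comment exceeds {MAX_COMMENT_LEN} characters")
    item = {"value": value}
    if comment:
        item["comment"] = comment
    if expiration_ms is not None:
        if expiration_ms < MIN_PLAUSIBLE_MS:
            raise ValueError("expirationDate looks like epoch seconds, not milliseconds")
        item["expirationDate"] = expiration_ms
    # No expirationDate key at all means the element does not expire.
    return item


def build_bulk_payload(rows: Iterable[Tuple[str, str]],
                       expiration_ms: Optional[int] = None) -> List[dict]:
    """One element per distinct value; for repeated values the last comment wins."""
    by_value = {}
    for value, comment in rows:
        item = element(value, comment, expiration_ms)
        by_value[item["value"]] = item
    return list(by_value.values())


def check_bulk_result(reply: dict) -> Tuple[int, int]:
    """Return (added, merged); raise unless the API reported SUCCESS."""
    status = reply.get("status")
    if status != "SUCCESS":  # the other documented values are PARTIAL_FAILED and FAILED
        raise RuntimeError(f"bulk add did not fully succeed: {status}")
    return reply["numOfAddedElements"], reply["numOfMergedElements"]


if __name__ == "__main__":
    import time
    rows = [("54.53.1.1", "ABC Server"), ("10.0.0.7", "")]  # constructed input
    print(build_bulk_payload(rows, expiry_ms(time.time(), 7)))
```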
Returns a list of users in the main account and all associated sub accounts as an array of JSON objects per account.
If a user appears in multiple accounts, it will be listed separately under each account.
Note: Must be run with an API token belonging to the main account.
successful operation
| id | integer <int32> ID of the user |
| username | string Email address used to sign in to Layerlog |
| fullName | string First and last name of the user |
| accountID | integer <int32> Layerlog account ID. |
| role | string User role. Can be |
| active | boolean If the user is active, |
curl -X GET "https://api.layerlog.com/v1/user-management/recursive" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "id": 33265,
    "username": "steve@winslows.com",
    "fullName": "Stefan Urkel",
    "accountID": 55555,
    "role": "USER_ROLE_READONLY",
    "active": true
  }
]
Returns a list of users as an array of JSON objects.
successful operation
| id | integer <int32> ID of the user |
| username | string Email address used to sign in to Layerlog |
| fullName | string First and last name of the user |
| accountID | integer <int32> Layerlog account ID. |
| role | string User role. Can be |
| active | boolean If the user is active, |
curl -X GET "https://api.layerlog.com/v1/user-management" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "id": 33265,
    "username": "steve@winslows.com",
    "fullName": "Stefan Urkel",
    "accountID": 55555,
    "role": "USER_ROLE_READONLY",
    "active": true
  }
]
Creates a new user with specified permissions to access your log data
| username required | string ^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$ Email address used to sign in to Layerlog |
| fullName required | string The user's first and last name |
| accountID required | integer <int32> ID of the account attached to the user |
| role | string User role. Can be |
successful operation
| id | integer <int32> ID of the user |
{
  "username": "drvenkman@gbusters.com",
  "fullName": "Peter Venkman",
  "accountID": 0,
  "role": "USER_ROLE_READONLY"
}

{
  "id": 13485
}
Returns user information and permissions as a JSON object
| id required | integer <int32> ID of the user |
successful operation
| id | integer <int32> ID of the user |
| username | string Email address used to sign in to Layerlog |
| fullName | string First and last name of the user |
| accountID | integer <int32> Layerlog account ID. |
| role | string User role. Can be |
| active | boolean If the user is active, |
curl -X GET "https://api.layerlog.com/v1/user-management/55555" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "id": 33265,
  "username": "steve@winslows.com",
  "fullName": "Stefan Urkel",
  "accountID": 55555,
  "role": "USER_ROLE_READONLY",
  "active": true
}
Changes an existing user's details or permissions.
| id required | integer <int32> Example: 11300 ID of the user |
| username required | string ^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$ Email address used to sign in to Layerlog |
| fullName required | string The user's first and last name |
| accountID required | integer <int32> ID of the account attached to the user |
| role | string User role. Can be |
successful operation
| id | integer <int32> ID of the user |
{
  "username": "drvenkman@gbusters.com",
  "fullName": "Peter Venkman",
  "accountID": 0,
  "role": "USER_ROLE_READONLY"
}

{
  "id": 13485
}
Revokes a user's access to the account. The API token determines the account the user will be deleted from.
| id required | integer <int32> Example: 11300 ID of the user |
successful operation
curl -X DELETE "https://api.layerlog.com/v1/user-management/11300" -H "accept: application/json" -H "X-API-TOKEN: <token>"
Deletes a user from the main account and all associated sub accounts. Must be run with an API token for the main account.
The user will not be deleted from accounts for which there are no other users. In other words, any accounts where the user is the last user will be skipped. The success message will list accounts that were skipped.
| id required | integer <int32> Example: 11300 ID of the user |
successful operation
curl -X DELETE "https://api.layerlog.com/v1/user-management/11300/recursive" -H "accept: application/json" -H "X-API-TOKEN: <token>"
Locks a user's access to your accounts
| id required | integer <int32> Example: 3325 ID of the user |
successful operation
curl -X POST "https://api.layerlog.com/v1/user-management/suspend/11300" -H "accept: application/json" -H "X-API-TOKEN: <token>"
Restores a suspended user's access to your accounts
| id required | integer <int32> Example: 3325 ID of the user |
successful operation
curl -X POST "https://api.layerlog.com/v1/user-management/unsuspend/11300" -H "accept: application/json" -H "X-API-TOKEN: <token>"
Suspends a user from the main account and all associated sub accounts. Must be run with an API token for the main account. The user will not be suspended from accounts for which there are no other users. In other words, any accounts where the user is the last user will be skipped. The success message will list accounts that were skipped.
| id required | integer <int32> Example: 11300 ID of the user |
successful operation
| message | string |
curl -X PUT "https://api.layerlog.com/v1/user-management/11300/suspend/recursive" -H "accept: application/json" -H "X-API-TOKEN: <token>"
{
  "message": "Finished suspending user 11300 from accounts."
}
Unsuspends a user from the main account and all associated sub accounts. Must be run with an API token for the main account.
| id required | integer <int32> Example: 11300 ID of the user |
successful operation
| message | string |
curl -X PUT "https://api.layerlog.com/v1/user-management/11300/suspend/recursive" -H "accept: application/json" -H "X-API-TOKEN: <token>"
{
  "message": "Finished unsuspending user 11300 from accounts."
}
Returns a list of all existing authentication groups
successful operation
| group | string Group name |
| userRole | string User role |
curl -X GET "https://api.layerlog.com/v1/authentication/groups" -H "accept: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "group": "group",
    "userRole": "role"
  }
]
Creates or updates authentication groups. To create or update groups, you need to send all of these groups in the payload. With every update, all running user sessions will be terminated, so the users need to log in again. To delete a group, exclude it from the payload that you send to update groups. With every deletion, all running user sessions will be terminated, so the users need to log in again.
Example 1. Create groups called group1 and group2. The payload will contain [{"group": "group1", "userRole": "USER_ROLE_READONLY"}, {"group": "group2", "userRole": "USER_ROLE_ADMIN"}]. As a result, the two groups will be created with the specified permissions.
Example 2. Update existing groups called group1 and group2. The payload will contain [{"group": "group1", "userRole": "USER_ROLE_ADMIN"}, {"group": "group2", "userRole": "USER_ROLE_READONLY"}]. As a result, the two groups will be updated with the specified permissions.
Example 3. Delete the group called group1 from the existing two groups, group1 and group2. The payload will contain [{"group": "group2", "userRole": "USER_ROLE_READONLY"}]. As a result, group1 will be deleted, as it is excluded from the payload.
| group | string Group name |
| userRole | string User role |
successful operation
| group | string Group name |
| userRole | string User role |
[
  {
    "group": "group",
    "userRole": "role"
  }
]

[
  {
    "group": "group",
    "userRole": "role"
  }
]
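Because this endpoint replaces the whole set of groups, a payload that omits a group deletes it, and every write logs all users out. The following added example (not Layerlog's code) builds the full payload from the current groups, diffs it against them, refuses unapproved deletions or new admin grants, and skips the call entirely when nothing changes. The function names and the approval flags are constructed for illustration; the role names are the two that appear in the examples above.

```python
from typing import Dict, Iterable, List

ADMIN_ROLE = "USER_ROLE_ADMIN"  # role name taken from the page's examples


def to_map(groups: Iterable[dict]) -> Dict[str, str]:
    """Index [{"group": ..., "userRole": ...}] by group name, rejecting duplicates."""
    out: Dict[str, str] = {}
    for entry in groups:
        name, role = entry["group"], entry["userRole"]
        if name in out:
            raise ValueError(f"group listed twice: {name!r}")
        out[name] = role
    return out


def merge_payload(current: Iterable[dict], upserts: Iterable[dict],
                  deletes: Iterable[str] = ()) -> List[dict]:
    """Full replacement payload: current groups, plus upserts, minus explicit deletes."""
    merged = to_map(current)
    changes = to_map(upserts)
    doomed = set(deletes)
    if doomed - set(merged):
        raise ValueError(f"cannot delete unknown groups: {sorted(doomed - set(merged))}")
    if doomed & set(changes):
        raise ValueError(f"groups both updated and deleted: {sorted(doomed & set(changes))}")
    merged.update(changes)
    # Unchanged groups are carried over; leaving them out would delete them.
    return [{"group": n, "userRole": r}
            for n, r in sorted(merged.items()) if n not in doomed]


def diff_groups(current: Iterable[dict], payload: Iterable[dict]) -> Dict[str, List[str]]:
    """What sending `payload` would do to the groups that exist now."""
    before, after = to_map(current), to_map(payload)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "role_changed": sorted(n for n in set(before) & set(after)
                               if before[n] != after[n]),
        "gains_admin": sorted(n for n, r in after.items()
                              if r == ADMIN_ROLE and before.get(n) != ADMIN_ROLE),
    }


def review(current: Iterable[dict], payload: Iterable[dict],
           allow_deletes: bool = False, allow_admin: bool = False) -> Dict[str, List[str]]:
    """Return the diff to apply, or {} when the call should be skipped."""
    current, payload = list(current), list(payload)
    changes = diff_groups(current, payload)
    if not any(changes.values()):
        return {}  # no-op: do not terminate every session for nothing
    if changes["deleted"] and not allow_deletes:
        raise PermissionError(f"payload would delete groups: {changes['deleted']}")
    if changes["gains_admin"] and not allow_admin:
        raise PermissionError(f"payload would grant admin to: {changes['gains_admin']}")
    return changes


# Constructed state: the two groups as they stand after the page's Example 2.
CURRENT = [{"group": "group1", "userRole": "USER_ROLE_ADMIN"},
           {"group": "group2", "userRole": "USER_ROLE_READONLY"}]

if __name__ == "__main__":
    new = merge_payload(CURRENT, [{"group": "group3", "userRole": "USER_ROLE_READONLY"}])
    print(new, review(CURRENT, new))
```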
Returns the account name as a string and the account ID as an integer. Good for testing or for confirming that you’re using an API token from the right account.
successful operation
| accountName | string Name of the account |
| accountId | integer <int32> ID of the account |
curl -X GET "https://api.layerlog.com/v2/whoami" -H "Content-Type: application/json" -H "X-API-TOKEN: <token>"
{
  "accountName": "Jean Valjean",
  "accountId": 24601
}

Use these API requests to manage time-based log accounts:
Flexible storage and shared volume allow accounts to share indexing capacity.
To enable shared volume, go to the Manage accounts page in the Layerlog app and toggle the button Use flexible volume to turn it on.
To determine whether flexible storage is enabled, run a Get request to retrieve account details.
If isFlexible is true, flexible storage is enabled and every account has reserved capacity set by the parameter reservedDailyGB. Otherwise, reservedDailyGB is null.
Returns account settings for the main account and all of its associated sub accounts.
successful operation
| accountId | integer <int32> ID of the account |
| email | any Nullable Email address of the user who created the account |
| accountName | string Name of the account |
| isFlexible | boolean Default: false Indicates whether the plan has shared volume enabled. If If |
| reservedDailyGB | number <float> Default: null |
| maxDailyGB | number <float> The maximum volume of data that an account can index per calendar day. |
| retentionDays | integer <int32> How long log data is retained in the Elasticsearch Index and searchable in Kibana, in days. |
| searchable | boolean (Searchable) Default: false If other accounts can search this account's logs, |
| accessible | boolean (Accessible) Default: false If users of the main account can access this account, |
| docSizeSetting | boolean (DocSizeSetting) Default: false If document size is attached to logs, |
| sharingObjectsAccounts | Array of objects (SharingAccount) Accounts that have permissions to access this account's Kibana objects. |
| utilizationSettings | object (AccountUtilizationSettings) Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. |
curl --request GET --url "https://api.layerlog.com/v1/account-management/time-based-accounts" --header "X-API-TOKEN: <token>"
[
  {
    "accountId": 99999,
    "email": null,
    "accountName": "404 errors",
    "isFlexible": true,
    "reservedDailyGB": 3,
    "maxDailyGB": 5,
    "retentionDays": 5,
    "searchable": true,
    "accessible": false,
    "docSizeSetting": true,
    "sharingObjectsAccounts": [
      {
        "accountId": 88888,
        "accountName": "dev group 8"
      }
    ],
    "utilizationSettings": {
      "frequencyMinutes": 5,
      "utilizationEnabled": true
    }
  }
]
Creates a new logging sub account. Must be run with an API token from the main account.
| email required | string ^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$ Account administrator's email address |
| accountName required | string Name of the account |
| isFlexible | boolean Default: false |
| reservedDailyGB | number <float> Default: null |
| maxDailyGB | number <float> The maximum volume of data that an account can index per calendar day. |
| retentionDays required | integer <int32> >= 1 How long log data is stored and searchable in Kibana, in days. |
| searchable | boolean (Searchable) Default: false If other accounts can search this account's logs, |
| accessible | boolean (Accessible) Default: false If users of the main account can access this account, |
| sharingObjectsAccounts required | Array of integers <int32> IDs of accounts that can access this account's data. The array is required, but can be empty. |
| docSizeSetting | boolean (DocSizeSetting) Default: false If document size is attached to logs, |
| utilizationSettings | object (AccountUtilizationSettings) Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. |
successful operation
| accountId | integer <int32> ID of the account |
{
  "email": "destek@layerlog.com",
  "accountName": "AWS Lambda svr 3",
  "isFlexible": false,
  "reservedDailyGB": 3,
  "maxDailyGB": 5,
  "retentionDays": 5,
  "searchable": true,
  "accessible": false,
  "sharingObjectsAccounts": [
    [
      [
        88888,
        55555
      ],
      []
    ]
  ],
  "docSizeSetting": true,
  "utilizationSettings": {
    "frequencyMinutes": 5,
    "utilizationEnabled": true
  }
}

{
  "accountId": 99999
}
Returns account configuration settings as a JSON object. Must be run with an API token from the main account.
| id required | integer <int32> Example: 99999 ID of the account to retrieve |
successful operation
| accountId | integer <int32> ID of the account |
| email | any Nullable Email address of the user who created the account |
| accountName | string Name of the account |
| isFlexible | boolean Default: false Indicates whether the plan has shared volume enabled. If If |
| reservedDailyGB | number <float> Default: null |
| maxDailyGB | number <float> The maximum volume of data that an account can index per calendar day. |
| retentionDays | integer <int32> How long log data is retained in the Elasticsearch Index and searchable in Kibana, in days. |
| searchable | boolean (Searchable) Default: false If other accounts can search this account's logs, |
| accessible | boolean (Accessible) Default: false If users of the main account can access this account, |
| docSizeSetting | boolean (DocSizeSetting) Default: false If document size is attached to logs, |
| sharingObjectsAccounts | Array of objects (SharingAccount) Accounts that have permissions to access this account's Kibana objects. |
| utilizationSettings | object (AccountUtilizationSettings) Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. |
curl -X GET "https://api.layerlog.com/v1/account-management/time-based-accounts/99999" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "accountId": 99999,
  "email": null,
  "accountName": "404 errors",
  "isFlexible": true,
  "reservedDailyGB": 3,
  "maxDailyGB": 5,
  "retentionDays": 5,
  "searchable": true,
  "accessible": false,
  "docSizeSetting": true,
  "sharingObjectsAccounts": [
    {
      "accountId": 88888,
      "accountName": "dev group 8"
    }
  ],
  "utilizationSettings": {
    "frequencyMinutes": 5,
    "utilizationEnabled": true
  }
}
Updates the account settings of a main account or sub account, with some exceptions, noted below:
- retentionDays cannot be updated. It is determined by the plan you purchased.
- If isFlexible=false, the parameters maxDailyGB and reservedDailyGB cannot be updated using this endpoint.
| id required | integer <int32> Example: 99999 ID of the account to update |
| accountName required | string Name of the account |
| reservedDailyGB | number <float> Default: null |
| maxDailyGB | number <float> The maximum volume of data that an account can index per calendar day. |
| retentionDays | integer <int32> >= 1 This is how long log data is stored and searchable in Kibana, in days. |
| searchable | boolean (Searchable) Default: false If other accounts can search this account's logs, |
| accessible | boolean (Accessible) Default: false If users of the main account can access this account, |
| sharingObjectsAccounts required | Array of integers <int32> IDs of accounts that can access this account's data. The array is required, but can be empty. |
| docSizeSetting | boolean (DocSizeSetting) Default: false If document size is attached to logs, |
| utilizationSettings | object (AccountUtilizationSettings) Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. |
successful operation
{
  "accountName": "AWS Lambda svr 3",
  "reservedDailyGB": 3,
  "maxDailyGB": 5,
  "retentionDays": 5,
  "searchable": true,
  "accessible": false,
  "sharingObjectsAccounts": [
    [
      [
        88888,
        55555
      ],
      []
    ]
  ],
  "docSizeSetting": true,
  "utilizationSettings": {
    "frequencyMinutes": 5,
    "utilizationEnabled": true
  }
}
Deletes a sub account by its account ID. Must be run with an API token from the main account.
| id required | integer <int32> Example: 99999 ID of the account to be deleted. |
successful operation
curl -X DELETE "https://api.layerlog.com/v1/account-management/time-based-accounts/88888" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
Returns detailed account information for the main account and all of its associated sub accounts. Information includes usage and sharing permissions for Kibana objects.
successful operation
| subAccountRelation | object (SubAccountRelation) Properties of the sub accounts related to this main account |
| account | object (AccountView) |
| sharingObjectsAccounts | Array of objects (AccountView) |
| utilizationSettings | object (AccountUtilizationSettings) Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. |
| dailyUsagesList | object (DailyUsagesList) |
| docSizeSetting | boolean (DocSizeSetting) Default: false If document size is attached to logs, |
curl -X GET "https://api.layerlog.com/v1/account-management/time-based-accounts/detailed" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "subAccountRelation": {
      "ownerAccountId": 88765,
      "subAccountId": 89234,
      "searchable": true,
      "accessible": false,
      "createdDate": 1627489797000,
      "lastUpdatedDate": 1627489797000,
      "lastUpdaterUserId": 33342,
      "type": "SUB_ACCOUNT"
    },
    "account": {
      "accountId": 0,
      "accountName": "string",
      "accountToken": "string",
      "active": true,
      "esIndexPrefix": "string",
      "isFlexible": true,
      "reservedDailyGB": 3,
      "maxDailyGB": 5,
      "retentionDays": 0
    },
    "sharingObjectsAccounts": [
      {
        "accountId": 0,
        "accountName": "string",
        "accountToken": "string",
        "active": true,
        "esIndexPrefix": "string",
        "isFlexible": true,
        "reservedDailyGB": 3,
        "maxDailyGB": 5,
        "retentionDays": 0
      }
    ],
    "utilizationSettings": {
      "frequencyMinutes": 5,
      "utilizationEnabled": true
    },
    "dailyUsagesList": {
      "usage": [
        {
          "date": 0,
          "bytes": 0
        }
      ]
    },
    "docSizeSetting": true
  }
]
Returns detailed account information. Must be run with an API token from the main account.
| id required | integer <int32> Example: 99999 ID of the account to retrieve |
successful operation
| subAccountRelation | object (SubAccountRelation) Properties of the sub accounts related to this main account |
| account | object (AccountView) |
| sharingObjectsAccounts | Array of objects (AccountView) |
| utilizationSettings | object (AccountUtilizationSettings) Settings for logging metrics on your account utilization, such as used and expected data volume at current indexing rate. |
| dailyUsagesList | object (DailyUsagesList) |
| docSizeSetting | boolean (DocSizeSetting) Default: false If document size is attached to logs, |
curl -X GET "https://api.layerlog.com/v1/account-management/time-based-accounts/detailed/99999" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "subAccountRelation": {
    "ownerAccountId": 88765,
    "subAccountId": 89234,
    "searchable": true,
    "accessible": false,
    "createdDate": 1627489797000,
    "lastUpdatedDate": 1627489797000,
    "lastUpdaterUserId": 33342,
    "type": "SUB_ACCOUNT"
  },
  "account": {
    "accountId": 0,
    "accountName": "string",
    "accountToken": "string",
    "active": true,
    "esIndexPrefix": "string",
    "isFlexible": true,
    "reservedDailyGB": 3,
    "maxDailyGB": 5,
    "retentionDays": 0
  },
  "sharingObjectsAccounts": [
    {
      "accountId": 0,
      "accountName": "string",
      "accountToken": "string",
      "active": true,
      "esIndexPrefix": "string",
      "isFlexible": true,
      "reservedDailyGB": 3,
      "maxDailyGB": 5,
      "retentionDays": 0
    }
  ],
  "utilizationSettings": {
    "frequencyMinutes": 5,
    "utilizationEnabled": true
  },
  "dailyUsagesList": {
    "usage": [
      {
        "date": 0,
        "bytes": 0
      }
    ]
  },
  "docSizeSetting": true
}
Returns an array of JSON objects, where each object shows information for a shared token filter.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
successful operation
| id | integer <int32> ID of the shared token filter |
| field required | string ^[a-zA-Z0-9_@.-]+$ The field to filter |
| value required | string ^[a-zA-Z0-9_@.-]+$ The filter query |
| description | string Name of the filter |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
curl -X GET "https://api.layerlog.com/v1/shared-tokens/filters" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "id": 339,
    "field": "string",
    "value": "string",
    "description": "503 responses"
  }
]
Creates a new shared token filter.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id | integer <int32> ID of the shared token filter |
| field required | string ^[a-zA-Z0-9_@.-]+$ The field to filter |
| value required | string ^[a-zA-Z0-9_@.-]+$ The filter query |
| description | string Name of the filter |
successful operation
| id | integer <int32> ID of the shared token filter |
| field required | string ^[a-zA-Z0-9_@.-]+$ The field to filter |
| value required | string ^[a-zA-Z0-9_@.-]+$ The filter query |
| description | string Name of the filter |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
{
  "id": 339,
  "field": "string",
  "value": "string",
  "description": "503 responses"
}

{
  "id": 339,
  "field": "string",
  "value": "string",
  "description": "503 responses"
}
Returns a shared token filter as a JSON object.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> ID of the shared token filter |
successful operation
| id | integer <int32> ID of the shared token filter |
| field required | string ^[a-zA-Z0-9_@.-]+$ The field to filter |
| value required | string ^[a-zA-Z0-9_@.-]+$ The filter query |
| description | string Name of the filter |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
curl -X GET "https://api.layerlog.com/v1/shared-tokens/filters/345" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "id": 339,
  "field": "string",
  "value": "string",
  "description": "503 responses"
}
Deletes a shared token filter.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> ID of the shared token filter |
successful operation
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
curl -X DELETE "https://api.layerlog.com/v1/shared-tokens/filters/345" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "message": "token with id 12345 not found for account 54321"
}
Returns a shared token as a JSON object.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> ID of the shared token |
successful operation
| id | integer <int32> ID of the shared token |
| name | string Descriptive name of the token |
| token | string The token |
| filters | Array of integers <int32> Array of filter IDs attached to each token. If no filter is attached, |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
curl -X GET "https://api.layerlog.com/v1/shared-tokens/1242" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "id": 1241,
  "name": "Snapshotting token",
  "token": "6c36edf51-cf93883aa35-5bc6ce6-7bcfe60d87",
  "filters": [
    339,
    340
  ]
}
Changes the filters attached to a shared token.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> |
| filters required | Array of integers <int32> IDs of filters to attach to the token. To remove all filters, use an empty array |
successful operation
| id | integer <int32> ID of the shared token |
| name | string Descriptive name of the token |
| token | string The token |
| filters | Array of integers <int32> Array of filter IDs attached to each token. If no filter is attached, |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
{
  "filters": [
    339
  ]
}

{
  "id": 1241,
  "name": "Snapshotting token",
  "token": "6c36edf51-cf93883aa35-5bc6ce6-7bcfe60d87",
  "filters": [
    339,
    340
  ]
}
Deletes a shared token.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> ID of the shared token |
successful operation
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
curl -X DELETE "https://api.layerlog.com/v1/shared-tokens/1250" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "message": "token with id 12345 not found for account 54321"
}
Returns an array of JSON objects, where each object shows information for a shared token.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
successful operation
| id | integer <int32> ID of the shared token |
| name | string Descriptive name of the token |
| token | string The token |
| filters | Array of integers <int32> Array of filter IDs attached to each token. If no filter is attached, |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
curl -X GET "https://api.layerlog.com/v1/shared-tokens" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "id": 1241,
    "name": "Snapshotting token",
    "token": "6c36edf51-cf93883aa35-5bc6ce6-7bcfe60d87",
    "filters": [
      339,
      340
    ]
  }
]
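The two list responses above (shared tokens and shared token filters) are enough to audit how shared tokens are scoped. The following added example (not Layerlog's code) checks filter fields and values against the documented pattern and flags tokens that have no filters or that reference filter IDs that no longer exist; the sample records are constructed, and treating an unfiltered token as something to review is an assumption.

```python
# Added example: audit shared tokens against the filters that exist.
import re

# Pattern documented on this page for a filter's "field" and "value".
FILTER_PATTERN = re.compile(r"^[a-zA-Z0-9_@.-]+$")


def filter_problems(flt):
    """Return a list of problems with one filter object's field and value."""
    problems = []
    for key in ("field", "value"):
        text = flt.get(key)
        if not isinstance(text, str) or not text:
            problems.append(f"{key} is required")
        # fullmatch also rejects a trailing newline, which "$" with
        # re.match would let through.
        elif not FILTER_PATTERN.fullmatch(text):
            problems.append(f"{key} contains characters outside [a-zA-Z0-9_@.-]")
    return problems


def redact(token):
    """Keep only the last four characters so findings can be logged safely."""
    return "***" + token[-4:]


def audit_shared_tokens(tokens, filters):
    """Return (kind, id, message) findings for tokens and filters."""
    known = {flt["id"] for flt in filters}
    findings = []
    for tok in tokens:
        attached = tok.get("filters") or []
        if not attached:
            findings.append(("token", tok["id"], "no filters attached"))
        unknown = sorted(set(attached) - known)
        if unknown:
            findings.append(
                ("token", tok["id"], f"references unknown filter ids {unknown}")
            )
    for flt in filters:
        for problem in filter_problems(flt):
            findings.append(("filter", flt["id"], problem))
    return findings


# Constructed sample data shaped like the list responses on this page.
FILTERS = [
    {"id": 339, "field": "type", "value": "nginx-access", "description": "503 responses"},
    {"id": 340, "field": "env", "value": "prod east", "description": "constructed bad value"},
]
TOKENS = [
    {"id": 1241, "name": "Snapshotting token", "token": "EXAMPLE-TOKEN-0001", "filters": [339, 340]},
    {"id": 1242, "name": "Unfiltered token", "token": "EXAMPLE-TOKEN-0002", "filters": []},
    {"id": 1250, "name": "Stale token", "token": "EXAMPLE-TOKEN-0003", "filters": [999]},
]

if __name__ == "__main__":
    names = {tok["id"]: f'{tok["name"]} {redact(tok["token"])}' for tok in TOKENS}
    for kind, ident, message in audit_shared_tokens(TOKENS, FILTERS):
        label = names.get(ident, "") if kind == "token" else ""
        print(kind, ident, label, message)
```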
Creates a new shared token.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| tokenName | string Default: "string" Name of the token |
| filters | Array of integers <int32> IDs of filters to attach to the token |
successful operation
| id | integer <int32> ID of the shared token |
| name | string Descriptive name of the token |
| token | string The token |
| filters | Array of integers <int32> Array of filter IDs attached to each token. If no filter is attached, |
not found
| message | string The shared token or query filter could not be found |
forbidden
| message | string Insufficient privileges. Contact our Support team for access to this API feature. |
{
  "tokenName": "Support team token",
  "filters": [
    339
  ]
}

{
  "id": 1241,
  "name": "Snapshotting token",
  "token": "6c36edf51-cf93883aa35-5bc6ce6-7bcfe60d87",
  "filters": [
    339,
    340
  ]
}
Creates a new API token for a sub account. Must be run with an API token of the owner account. Once created, you can view the details for this new token in Manage tokens > API tokens, when you are logged in to the relevant sub account.
| name | string Default: "string" The name provided in the request for a new API token for the sub account |
| accountId | integer <int32> Layerlog sub account ID. |
successful operation
| id | integer <int32> ID of the newly created API token for the sub account |
| name | string The name of the newly created API token for the sub account. Uses the name provided in the request. |
| token | string The API token |
| createdAt | Instant The time at which the new sub account API token was created |
Bad Request
| message | string Bad Request. The request cannot be completed. Errors may include malformed request syntax, invalid request message parameters, and so on. |
Unauthorized
| message | string Unauthorized. Attempted to create an API token for a sub account with insufficient or missing credentials for the main or owner account. Please contact our Support team for access to this API feature via destek@layerlog.com. |
Forbidden
| message | string Forbidden. Attempted to create an API token for a sub account with an invalid owner account token. This operation requires a valid API token for the owner account. |
Not Found
| message | string Not Found. Could not find the sub account associated with this request or the relevant owner account for the sub account. |
{
  "name": "newTokenTest999",
  "accountId": 160343
}

{
  "id": 7386,
  "name": "newTokenTest999",
  "token": "c498fbc3-a3ac-4676-ad09-689854b5cbbd",
  "createdAt": 1621858311
}
Layerlog can send notifications to your preferred workspaces, such as Opsgenie, BigPanda, PagerDuty, and Slack.
Notifications are typically sent when alerts are triggered, when a user shares a Kibana object, or when Layerlog Insights identifies new exceptions in your logs.
Use these API endpoints to create, update, or delete notification endpoints. If you configure a custom endpoint, you can configure the notification message body. Otherwise, you can use any of the available preconfigured endpoints.
Creates a new Slack notification endpoint or sends a test message to Slack.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| url | string Your Slack webhook URL |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New Slack endpoint",
  "description": "Sends notifications to logzio-alerts channel"
}

{
  "id": 88
}
Updates a Slack notification endpoint or sends a test message to Slack.
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| url | string Your Slack webhook URL |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New Slack endpoint",
  "description": "Sends notifications to logzio-alerts channel"
}

{
  "id": 88
}
Creates a new notification endpoint for a custom integration or sends a test message to the custom endpoint.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| url | string URL where the notification will be sent |
| method | string The HTTP method used to send the notification |
| headers | string Header parameters to include, as comma-separated key-value pairs |
| bodyTemplate | object JSON object that serves as the template for the message body. |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New custom endpoint",
  "description": "Sends notifications to my custom endpoint",
  "method": "POST",
  "headers": "authKey=6e30-60a9-3591",
  "bodyTemplate": {
    "subject": "Alert from Layerlog",
    "message": {
      "severity": "LOW",
      "body": "Check Layerlog for log activity"
    }
  }
}

{
  "id": 88
}
Updates a notification endpoint for a custom integration or sends a test message to the custom endpoint.
| id required | integer <int32> |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| url | string URL where the notification will be sent |
| method | string The HTTP method used to send the notification |
| headers | string Header parameters to include, as comma-separated key-value pairs |
| bodyTemplate | object JSON object that serves as the template for the message body. |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New custom endpoint",
  "description": "Sends notifications to my custom endpoint",
  "method": "POST",
  "headers": "authKey=6e30-60a9-3591",
  "bodyTemplate": {
    "subject": "Alert from Layerlog",
    "message": {
      "severity": "LOW",
      "body": "Check Layerlog for log activity"
    }
  }
}

{
  "id": 88
}
Creates a new PagerDuty notification endpoint or sends a test message to PagerDuty.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| serviceKey | string API key from PagerDuty |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "PagerDuty endpoint",
  "description": "Sends notifications to PagerDuty",
  "serviceKey": "94ad63254a1397a51a1ae340c4f10890"
}

{
  "id": 88
}
Updates a PagerDuty notification endpoint or sends a test message to PagerDuty.
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| serviceKey | string API key from PagerDuty |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "PagerDuty endpoint",
  "description": "Sends notifications to PagerDuty",
  "serviceKey": "94ad63254a1397a51a1ae340c4f10890"
}

{
  "id": 88
}
Creates a new BigPanda notification endpoint or sends a test message to BigPanda.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| apiToken | string API authentication token from BigPanda |
| appKey | string Application key from BigPanda |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "BigPanda endpoint",
  "description": "Sends notifications to BigPanda",
  "apiToken": "94ad63254a1397a51a1ae340c4f10890",
  "appKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Updates a BigPanda notification endpoint or sends a test message to BigPanda.
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| apiToken | string API authentication token from BigPanda |
| appKey | string Application key from BigPanda |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "BigPanda endpoint",
  "description": "Sends notifications to BigPanda",
  "apiToken": "94ad63254a1397a51a1ae340c4f10890",
  "appKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Creates a new Datadog notification endpoint or sends a test message to Datadog.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| apiKey | string API key from Datadog |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "Datadog endpoint",
  "description": "Sends notifications to Datadog",
  "apiKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Updates a Datadog notification endpoint or sends a test message to Datadog
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| apiKey | string API key from Datadog |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "Datadog endpoint",
  "description": "Sends notifications to Datadog",
  "apiKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Creates a new VictorOps notification endpoint or sends a test message to VictorOps.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| routingKey required | string Alert routing key from VictorOps |
| messageType required | string VictorOps REST API |
| serviceApiKey required | string API key from VictorOps |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "VictorOps endpoint",
  "description": "Sends notifications to VictorOps",
  "routingKey": "devops",
  "messageType": "WARNING",
  "serviceApiKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Updates a VictorOps notification endpoint or sends a test message to VictorOps
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| routingKey required | string Alert routing key from VictorOps |
| messageType required | string VictorOps REST API |
| serviceApiKey required | string API key from VictorOps |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "VictorOps endpoint",
  "description": "Sends notifications to VictorOps",
  "routingKey": "devops",
  "messageType": "WARNING",
  "serviceApiKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Returns a JSON object representing a notification endpoint configured in the account.
| id required | integer <int32> ID of the notification endpoint |
successful operation
| endpointType | string Enum: "BigPanda" "Slack" "Datadog" "Custom" "PagerDuty" "VictorOps" "Opsgenie" "ServiceNow" "Microsoft Teams" The notification endpoint type that will receive alert messages |
| id | integer <int32> ID of the notification endpoint |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
curl -X GET "https://api.layerlog.com/v1/endpoints/88" -H "accept: application/json" -H "X-API-TOKEN: <token>"
{
  "endpointType": "Slack",
  "id": 88,
  "title": "Slack",
  "description": "Endpoint for sending alerts to Slack"
}
Deletes a notification endpoint
| id required | integer <int32> ID of the notification endpoint |
successful operation
curl -X DELETE "https://api.layerlog.com/v1/endpoints/269" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
Returns an array of JSON objects. Each object represents a notification endpoint configured in the account.
successful operation
| endpointType | string Enum: "BigPanda" "Slack" "Datadog" "Custom" "PagerDuty" "VictorOps" "Opsgenie" "ServiceNow" "Microsoft Teams" The notification endpoint type that will receive alert messages |
| id | integer <int32> ID of the notification endpoint |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
curl -X GET "https://api.layerlog.com/v1/endpoints" -H "accept: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "endpointType": "Slack",
    "id": 88,
    "title": "Slack",
    "description": "Endpoint for sending alerts to Slack"
  }
]
Creates a new OpsGenie notification endpoint or sends a test message to OpsGenie.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| apiKey | string API key from OpsGenie, see https://docs.opsgenie.com/docs/logz-io-integration |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "OpsGenie endpoint",
  "description": "Sends notifications to OpsGenie",
  "apiKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Updates an OpsGenie notification endpoint or sends a test message to OpsGenie.
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| apiKey | string API key from OpsGenie, see https://docs.opsgenie.com/docs/logz-io-integration |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "OpsGenie endpoint",
  "description": "Sends notifications to OpsGenie",
  "apiKey": "c687f9231619d7d7b959f33e4cc821a5"
}

{
  "id": 88
}
Creates a new ServiceNow notification endpoint or sends a test message to ServiceNow.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| username | string ServiceNow user name |
| password | string ServiceNow password |
| url | string Provide your instance URL to connect to your existing ServiceNow instance, i.e. https://xxxxxxxxx.service-now.com/. |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New ServiceNow endpoint",
  "description": "Sends notifications to logzio-alerts channel",
  "username": "User",
  "password": "Password"
}

{
  "id": 88
}
Updates a ServiceNow notification endpoint or sends a test message to ServiceNow.
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| username | string ServiceNow user name |
| password | string ServiceNow password |
| url | string Provide your instance URL to connect to your existing ServiceNow instance, i.e. https://xxxxxxxxx.service-now.com/. |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New ServiceNow endpoint",
  "description": "Sends notifications to logzio-alerts channel",
  "username": "User",
  "password": "Password"
}

{
  "id": 88
}
Creates a new Microsoft Teams notification endpoint or sends a test message to Microsoft Teams.
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| url | string Your Microsoft Teams webhook URL, see https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New Microsoft Teams endpoint",
  "description": "Sends notifications to logzio-alerts channel"
}

{
  "id": 88
}
Updates a Microsoft Teams notification endpoint or sends a test message to Microsoft Teams.
| id required | integer <int32> ID of the notification endpoint |
| test | boolean Default: false To send a test message to the endpoint, Note: If set to |
| title | string Name of the endpoint |
| description | string Detailed description of the endpoint |
| url | string Your Microsoft Teams webhook URL, see https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook |
successful operation
| id | integer <int32> ID of the notification endpoint. If the API call was made where |
{
  "title": "New Microsoft Teams endpoint",
  "description": "Sends notifications to logzio-alerts channel"
}

{
  "id": 88
}
Exports the configuration of Kibana objects. All objects of a single type (search, visualization, or dashboard) are returned as an array of JSON objects. For example, if you export visualization, each visualization is returned as a JSON object.
You can import objects using the /kibana/import endpoint.
| type required | string Enum: "search" "visualization" "dashboard" The object type to export |
successful operation
| kibanaVersion | string The version of Kibana used at the time of export |
| hits | Array of objects Exported Kibana objects |
{
  "type": "search"
}

{
  "kibanaVersion": "4.0.0-beta3",
  "hits": [
    { }
  ]
}
Imports Kibana search, visualization, or dashboard objects. You can export objects using the /kibana/export endpoint.
| kibanaVersion | string The version of Kibana used at the time of export. This must match the current version of Kibana that you're importing to. |
| override | boolean To update an existing object with the same ID, If override is |
| hits | Array of objects Each JSON object in the array represents a discrete Kibana object. Note: As a best practice, import only objects that were exported from Kibana. |
successful operation
| created | Array of strings Names of the Kibana objects that were created |
| updated | Array of strings Names of the Kibana objects that were overwritten. Objects are shown here only if |
| ignored | Array of strings Names of the Kibana objects that were not overwritten. Objects are shown here only if |
| failed | Array of strings Names of the Kibana objects that could not be created, updated, or ignored. |
{
  "kibanaVersion": "4.0.0-beta3",
  "override": false,
  "hits": [
    {
      "property1": { },
      "property2": { }
    }
  ]
}

{
  "created": [
    "E-commerce-App-Transactions-overtime"
  ],
  "updated": [
    "HTTP-Response-over-time"
  ],
  "ignored": [
    "Transaction-overtime"
  ],
  "failed": [
    "Apache-Response-Over-Time"
  ]
}
Use these API endpoints to create, update, retrieve, or delete log shipping tokens.
Creates a log shipping token for this account.
| name | string Descriptive name for this token. |
| enabled | boolean Default: true To enable this token, |
successful operation
| name | string This token's name. |
| id | integer <int32> This token's ID. |
| token | string The token itself. |
| updatedAt | string Unix timestamp of when this token was last updated. |
| updatedBy | string Email address of the last user to update this token. |
| createdAt | string Unix timestamp of when this token was created. |
| createdBy | string Email address of the user who created this token. |
| enabled | boolean If this token is enabled, |
{
  "name": "staging eu",
  "enabled": true
}

{
  "name": "apac prod",
  "id": 786351,
  "token": "6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS",
  "updatedAt": 414720000,
  "updatedBy": "shalom.the.mighty@gmail.com",
  "createdAt": 389836800,
  "createdBy": "you.got.this@gmail.com",
  "enabled": true
}
Returns details for the specified shipping token.
| id required | integer <int32> Example: 786351 This token's ID. |
successful operation
| name | string This token's name. |
| id | integer <int32> This token's ID. |
| token | string The token itself. |
| updatedAt | string Unix timestamp of when this token was last updated. |
| updatedBy | string Email address of the last user to update this token. |
| createdAt | string Unix timestamp of when this token was created. |
| createdBy | string Email address of the user who created this token. |
| enabled | boolean If this token is enabled, |
curl -L -X GET 'https://api.layerlog.com/v1/log-shipping/tokens/{id}' \
  -H 'X-API-TOKEN: <token>' \
  -H 'Content-Type: application/json'
{
  "name": "apac prod",
  "id": 786351,
  "token": "6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS",
  "updatedAt": 414720000,
  "updatedBy": "shalom.the.mighty@gmail.com",
  "createdAt": 389836800,
  "createdBy": "you.got.this@gmail.com",
  "enabled": true
}
Enables/disables a log shipping token and/or renames it.
| id required | integer <int32> Example: 786351 This token's ID. |
| name | string Descriptive name for this token. |
| enabled | boolean Default: true To enable this token, |
successful operation
| name | string This token's name. |
| id | integer <int32> This token's ID. |
| token | string The token itself. |
| updatedAt | string Unix timestamp of when this token was last updated. |
| updatedBy | string Email address of the last user to update this token. |
| createdAt | string Unix timestamp of when this token was created. |
| createdBy | string Email address of the user who created this token. |
| enabled | boolean If this token is enabled, |
{
  "name": "staging eu",
  "enabled": true
}

{
  "name": "apac prod",
  "id": 786351,
  "token": "6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS",
  "updatedAt": 414720000,
  "updatedBy": "shalom.the.mighty@gmail.com",
  "createdAt": 389836800,
  "createdBy": "you.got.this@gmail.com",
  "enabled": true
}
Deletes a log shipping token by its ID, while providing relevant information about the token's recent status and activity.
An account must have at least 1 enabled token. You won't be able to disable or delete the last token. Important: Active tokens can be deleted using this call. Confirm that a token is no longer needed before deleting it.
| id required | integer <int32> Example: 786351 This token's ID. |
successful operation
| name | string This token's name. |
| id | integer <int32> This token's ID. |
| token | string The token itself. |
| updatedAt | string Unix timestamp of when this token was last updated. |
| updatedBy | string Email address of the last user to update this token. |
| createdAt | string Unix timestamp of when this token was created. |
| createdBy | string Email address of the user who created this token. |
| enabled | boolean If this token is enabled, |
curl -L -X DELETE 'https://api.layerlog.com/v1/log-shipping/tokens/786351' \
  -H 'X-API-TOKEN: <token>' \
  -H 'Content-Type: application/json'
{
  "name": "apac prod",
  "id": 786351,
  "token": "6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS",
  "updatedAt": 414720000,
  "updatedBy": "shalom.the.mighty@gmail.com",
  "createdAt": 389836800,
  "createdBy": "you.got.this@gmail.com",
  "enabled": true
}
Returns the number of log shipping tokens currently in use and the number of available tokens that can be enabled. Disabled tokens don't count against the token limit.
successful operation
| maxAllowedTokens | integer <int32> The number of log shipping tokens this account can have. |
| numOfEnabledTokens | integer <int32> The number of log shipping tokens currently enabled for this account. |
curl -L -X GET 'https://api.layerlog.com/v1/log-shipping/tokens/limits' \
  -H 'X-API-TOKEN: <token>' \
  -H 'Content-Type: application/json'
{
  "maxAllowedTokens": 50,
  "numOfEnabledTokens": 27
}
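The constraints stated for the delete and limits calls (at least one enabled token must remain, and disabled tokens do not count against the limit) determine the order in which a shipping token can be replaced. The following planner is an added example, not Layerlog code; the step names and the `plan_rotation` and `redact` helpers are hypothetical, and the record is the sample response shown on this page.

```python
"""Plan a log shipping token rotation within the documented limits (added example)."""
import copy

# Sample record as shown in this page's response examples.
SAMPLE_TOKEN = {
    "name": "apac prod", "id": 786351,
    "token": "6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS",
    "updatedAt": 414720000, "updatedBy": "shalom.the.mighty@gmail.com",
    "createdAt": 389836800, "createdBy": "you.got.this@gmail.com",
    "enabled": True,
}


class RotationBlocked(Exception):
    """No ordering of create/disable/delete can replace the token."""


def redact(record, keep=4):
    """Return a copy that is safe to print: only the last `keep` characters of the token stay."""
    safe = copy.deepcopy(record)
    secret = safe.get("token") or ""
    safe["token"] = "****" + secret[-keep:] if len(secret) > keep else "****"
    return safe


def plan_rotation(old, limits, new_name):
    """Order the calls needed to replace `old`, given the /tokens/limits response.

    Steps are (action, target) tuples. "repoint-shippers" is a manual step outside
    the API: reconfigure every shipper that still sends with the old token.
    """
    old_id = old["id"]
    if not old["enabled"]:
        # A disabled token ships nothing and is not the last enabled one.
        return [("delete", old_id)]

    enabled = limits["numOfEnabledTokens"]
    free = limits["maxAllowedTokens"] - enabled
    create, repoint = ("create", new_name), ("repoint-shippers", new_name)

    if free >= 1:
        # Room for both tokens: no shipping gap, and disabling before deleting
        # leaves time to notice a shipper that was missed.
        return [create, repoint, ("disable", old_id), ("delete", old_id)]
    if enabled > 1:
        # At the limit: a slot must be freed first, so shippers using the old
        # token are rejected until they are repointed.
        return [("disable", old_id), create, repoint, ("delete", old_id)]
    # At the limit with a single enabled token: it can be neither disabled nor deleted.
    raise RotationBlocked("raise the token limit before rotating the only enabled token")


if __name__ == "__main__":
    print(redact(SAMPLE_TOKEN))
    for step in plan_rotation(SAMPLE_TOKEN, {"maxAllowedTokens": 50, "numOfEnabledTokens": 27},
                              "apac prod v2"):
        print(step)
```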
Returns the relevant shipping tokens, filtered, sorted and paginated as per the request.
| filter | object (ShippingTokensFilterRequest) Filters your search for token attributes. |
| sort | Array of objects (ShippingTokensSortRequest) Sorts the results before returning them. |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
successful operation
| total | integer <int32> |
| results | Array of objects (ShippingTokensModel) |
| pagination | object (Pagination) Default pagination is a page of 25 results. Look for the |
{
  "filter": {
    "enabled": true
  },
  "sort": [
    {
      "field": "NAME",
      "descending": true
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}

{
  "total": 0,
  "results": [
    {
      "name": "apac prod",
      "id": 786351,
      "token": "6bLXmMA6FLibc7ySSqNcCfvbhtqT0rPS",
      "updatedAt": 414720000,
      "updatedBy": "shalom.the.mighty@gmail.com",
      "createdAt": 389836800,
      "createdBy": "you.got.this@gmail.com",
      "enabled": true
    }
  ],
  "pagination": {
    "pageNumber": 2,
    "pageSize": 100
  }
}
Drop filters provide a solution for filtering out logs before they are indexed in your account to help lower costs and reduce account volume.
Drop filters evaluate logs for exact field:value matches. Any log results that match active drop filters will not be indexed. This means they will not appear in your Kibana account, will not be searchable, trigger alerts, or appear in dashboards.
Archiving is not affected by drop filters. Logs dropped by drop filters will still be archived, if archiving is configured for the account. With archiving configured, you can readily use drop filters to reduce logging bulk and restore the logs in the event that they become relevant.
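Because a log that matches an active drop filter is never indexed and cannot trigger alerts, it is worth previewing a filter set against representative events before activating it. The sketch below is an added example, not Layerlog code: it assumes field conditions are AND-ed, a null `logType` applies to every log type, and the log's type is stored in a field named `type`; the filters, logs and archive settings are constructed samples.

```python
"""Preview which sample logs a set of drop filters would discard (added example)."""

# Constructed data shaped like the drop-filter and archive-settings responses on this page.
DROP_FILTERS = [
    {"id": "f54406c1-b4ad-5969-8542-f6a3e9df5c79", "active": True, "logType": "apache",
     "fieldConditions": [{"fieldName": "response", "value": 200}]},
    {"id": "00000000-0000-0000-0000-000000000001", "active": True, "logType": None,
     "fieldConditions": [{"fieldName": "event", "value": "login_failed"}]},
    {"id": "00000000-0000-0000-0000-000000000002", "active": False, "logType": "apache",
     "fieldConditions": [{"fieldName": "response", "value": 404}]},
]
ARCHIVE = {"id": 323, "settings": {"storageType": "S3", "enabled": True, "compressed": True}}
SAMPLE_LOGS = [
    {"type": "apache", "response": 200, "request": "/index.html"},
    {"type": "apache", "response": "200", "request": "/health"},   # same text, string type
    {"type": "nginx", "response": 200, "request": "/"},
    {"type": "auth", "event": "login_failed", "user": "alice"},
    {"type": "apache", "response": 404, "request": "/admin"},
]


def condition_state(cond, log):
    """'match' on exact value and type, 'ambiguous' when only the text form is equal, else 'miss'."""
    name, want = cond["fieldName"], cond["value"]
    if name not in log:
        return "miss"
    got = log[name]
    if type(got) is type(want) and got == want:
        return "match"
    return "ambiguous" if str(got) == str(want) else "miss"


def evaluate(flt, log, type_field="type"):
    """Classify one log against one filter (assumptions: AND-ed conditions, null logType = any)."""
    if not flt.get("active"):
        return "miss"                      # inactive filters drop nothing
    log_type = flt.get("logType")
    if log_type is not None and log.get(type_field) != log_type:
        return "miss"
    states = [condition_state(c, log) for c in flt.get("fieldConditions") or []]
    if "miss" in states:
        return "miss"
    return "ambiguous" if "ambiguous" in states else "match"


def archive_enabled(archive):
    """True when archive settings exist and are enabled, i.e. dropped logs can be restored."""
    return bool(archive and archive.get("settings", {}).get("enabled"))


def audit(filters, logs, archive):
    """Return which logs would be dropped, which depend on field typing, and recoverability."""
    report = {"dropped": [], "ambiguous": [], "recoverable": archive_enabled(archive)}
    for index, log in enumerate(logs):
        for flt in filters:
            state = evaluate(flt, log)
            if state == "match":
                report["dropped"].append((index, flt["id"]))
                break                      # one matching filter is enough to drop the log
            if state == "ambiguous":
                report["ambiguous"].append((index, flt["id"]))
    return report


if __name__ == "__main__":
    result = audit(DROP_FILTERS, SAMPLE_LOGS, ARCHIVE)
    for index, filter_id in result["dropped"]:
        print(f"log {index} would be dropped by {filter_id}")
    for index, filter_id in result["ambiguous"]:
        print(f"log {index} may be dropped by {filter_id} depending on field typing")
    if result["dropped"] and not result["recoverable"]:
        print("archiving is not enabled: dropped logs cannot be restored")
```

The failed-login event at index 3 is the kind of result to look for: a filter with no `logType` removes it from search and alerting, and only an enabled archive keeps it recoverable.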
Returns all drop filters configured for the account, both active and inactive.
successful operation
| id | string Drop filter ID in the Layerlog database. You can run the |
| active | boolean If |
| logType | string Filters for the log type. |
| fieldConditions | Array of objects (FieldCondition) Filters for an exact match of a field:value pair. |
[
  {
    "id": "f54406c1-b4ad-5969-8542-f6a3e9df5c79",
    "active": true,
    "logType": "apache",
    "fieldConditions": [
      {
        "fieldName": "response",
        "value": 200
      }
    ]
  }
]
Activates a drop filter identified by its ID.
| id required | string Example: d0d000ce-e63b-595b-a8f9-25032776cd28 Drop filter ID in the Layerlog database. You can run the |
successful operation
| id | string Drop filter ID in the Layerlog database. You can run the |
| active | boolean If |
| logType | string Filters for the log type. |
| fieldConditions | Array of objects (FieldCondition) Filters for an exact match of a field:value pair. |
{
  "id": "f54406c1-b4ad-5969-8542-f6a3e9df5c79",
  "active": true,
  "logType": "apache",
  "fieldConditions": [
    {
      "fieldName": "response",
      "value": 200
    }
  ]
}
Deactivates a drop filter identified by its ID.
| id required | string Example: d0d000ce-e63b-595b-a8f9-25032776cd28 Drop filter ID in the Layerlog database. You can run the |
successful operation
| id | string Drop filter ID in the Layerlog database. You can run the |
| active | boolean If |
| logType | string Filters for the log type. |
| fieldConditions | Array of objects (FieldCondition) Filters for an exact match of a field:value pair. |
{
  "id": "f54406c1-b4ad-5969-8542-f6a3e9df5c79",
  "active": true,
  "logType": "apache",
  "fieldConditions": [
    {
      "fieldName": "response",
      "value": 200
    }
  ]
}
Deletes a drop filter identified by its ID.
| id required | string Example: d0d000ce-e63b-595b-a8f9-25032776cd28 Drop filter ID in the Layerlog database. You can run the |
successful operation
| id | string Drop filter ID in the Layerlog database. You can run the |
| active | boolean If |
| logType | string Filters for the log type. |
| fieldConditions | Array of objects (FieldCondition) Filters for an exact match of a field:value pair. |
{
  "id": "f54406c1-b4ad-5969-8542-f6a3e9df5c79",
  "active": true,
  "logType": "apache",
  "fieldConditions": [
    {
      "fieldName": "response",
      "value": 200
    }
  ]
}
Creates and activates a new drop filter.
| logType | string Nullable Filters for the log type. |
| fieldConditions | Array of objects (FieldCondition) |
successful operation
| id | string Drop filter ID in the Layerlog database. You can run the |
| active | boolean If |
| logType | string Filters for the log type. |
| fieldConditions | Array of objects (FieldCondition) Filters for an exact match of a field:value pair. |
{
  "logType": "apache",
  "fieldConditions": [
    {
      "fieldName": "response",
      "value": 200
    }
  ]
}

{
  "id": "f54406c1-b4ad-5969-8542-f6a3e9df5c79",
  "active": true,
  "logType": "apache",
  "fieldConditions": [
    {
      "fieldName": "response",
      "value": 200
    }
  ]
}
You can archive logs to an AWS S3 bucket or Azure Blob Storage. Archiving gives you the option to restore logs and query them after they have expired from your time-based account.
You can use the following endpoints to retrieve, set up, test, and update an account's archive settings.
Note: Logs are archived before they are indexed and analyzed by Layerlog. If you are using drop filters, note that dropped logs will still be archived.
Gets the current archive settings for a time-based log account.
Note that only one archive can be active per account.
successful operation
| id | integer <int32> Unique ID of the archive settings. |
| settings | object (ArchiveSettings) |
{
  "id": 323,
  "settings": {
    "storageType": "S3",
    "enabled": true,
    "compressed": true,
    "amazonS3StorageSettings": {
      "credentialsType": "IAM",
      "path": "string",
      "s3SecretCredentials": {
        "accessKey": "string",
        "secretKey": "string"
      },
      "s3IamCredentials": {
        "arn": "string"
      }
    },
    "azureBlobStorageSettings": {
      "tenantId": "string",
      "clientId": "string",
      "clientSecret": "string",
      "accountName": "string",
      "containerName": "string",
      "path": "string"
    }
  }
}
Configure archiving for a time-based log account. One archive can be configured per account (or sub account). For more on this, see AWS Access with IAM and Archiving.
| storageType required | string Enum: "S3" "BLOB" Specifies the storage provider. If |
| enabled | boolean Default: true If |
| compressed | boolean Default: true If |
| amazonS3StorageSettings | object (S3StorageSettings) Applicable settings when the |
| azureBlobStorageSettings | object (BlobSettings) Applicable settings when the |
successful operation
{
  "storageType": "S3",
  "enabled": true,
  "compressed": true,
  "amazonS3StorageSettings": {
    "credentialsType": "IAM",
    "path": "string",
    "s3SecretCredentials": {
      "accessKey": "string",
      "secretKey": "string"
    },
    "s3IamCredentials": {
      "arn": "string"
    }
  },
  "azureBlobStorageSettings": {
    "tenantId": "string",
    "clientId": "string",
    "clientSecret": "string",
    "accountName": "string",
    "containerName": "string",
    "path": "string"
  }
}
Tests the settings and returns the status code to confirm that a connection with the provider was established.
successful operation
{ }
Retrieves the archiving settings with the specified ID.
| id required | integer <int32> Example: 33 ID of the archive settings. |
successful operation
| id | integer <int32> Unique ID of the archive settings. |
| settings | object (ArchiveSettings) |
{
  "id": 323,
  "settings": {
    "storageType": "S3",
    "enabled": true,
    "compressed": true,
    "amazonS3StorageSettings": {
      "credentialsType": "IAM",
      "path": "string",
      "s3SecretCredentials": {
        "accessKey": "string",
        "secretKey": "string"
      },
      "s3IamCredentials": {
        "arn": "string"
      }
    },
    "azureBlobStorageSettings": {
      "tenantId": "string",
      "clientId": "string",
      "clientSecret": "string",
      "accountName": "string",
      "containerName": "string",
      "path": "string"
    }
  }
}
Updates the archiving settings for a time-based log account. (The API token identifies the account.)
You can use this endpoint to:
Note that only one archive can be active per account.
| id required | integer <int32> ID of the archive settings. |
| storageType required | string Enum: "S3" "BLOB" Specifies the storage provider. If |
| enabled | boolean Default: true If |
| compressed | boolean Default: true If |
| amazonS3StorageSettings | object (S3StorageSettings) Applicable settings when the |
| azureBlobStorageSettings | object (BlobSettings) Applicable settings when the |
successful operation
{
  "storageType": "S3",
  "enabled": true,
  "compressed": true,
  "amazonS3StorageSettings": {
    "credentialsType": "IAM",
    "path": "string",
    "s3SecretCredentials": {
      "accessKey": "string",
      "secretKey": "string"
    },
    "s3IamCredentials": {
      "arn": "string"
    }
  },
  "azureBlobStorageSettings": {
    "tenantId": "string",
    "clientId": "string",
    "clientSecret": "string",
    "accountName": "string",
    "containerName": "string",
    "path": "string"
  }
}
Deletes the archiving settings for a time-based log account.
| id required | integer <int32> ID of the archive settings. |
successful operation
You can restore data from your active archiving account, whether an AWS S3 bucket or Azure Blob Storage. Restoring data gives you the option to query logs after they have expired from your time-based account.
You can use the following endpoints to initiate a new restore process, retrieve, set up, test, and update an account's archive settings.
Note: Logs that are dropped by drop filters are still archived and can be restored. You can temporarily disable drop filters to restore the data.
Returns a complete history of all restore operations initiated for the account.
successful operation
| id | integer <int32> ID of the restore operation in Layerlog |
| accountId | integer <int32> ID of the restored account in Layerlog |
| accountName | string Name of the restored account |
| restoredVolumeGb | number <float> Nullable Volume of data restored so far. If the restore operation is still in progress, this will be continuously updated. |
| status | string Enum: "IN_PROGRESS" "ACTIVE" "LIMIT_EXCEEDED" "ABORTED" "FAILED" "DELETED" "EXPIRED" Returns the current status of the restored account. |
| startTime | integer <int64> UNIX timestamp in milliseconds specifying the earliest logs to be restored. |
| endTime | integer <int64> UNIX timestamp in milliseconds specifying the latest logs to be restored. |
| createdAt | integer <int64> Timestamp when the restore process was created and entered the queue. (Since only one account can be restored at a time, the process may not initiate immediately.) |
| startedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process initiated. |
| finishedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process completed. |
| expiresAt | integer <int64> Nullable UNIX timestamp in milliseconds specifying when the account is due to expire. Restored accounts expire automatically after a number of days, as specified in the account's terms. |
[
  {
    "id": 42,
    "accountId": 564321,
    "accountName": "My account name",
    "restoredVolumeGb": 99,
    "status": "ACTIVE",
    "startTime": 1589947200,
    "endTime": 1589954400,
    "createdAt": 1591902426,
    "startedAt": 1591902428,
    "finishedAt": 1591902461,
    "expiresAt": 1592334461
  }
]
Initiates a new operation to restore data from a specific time frame. (As a result, also triggers the creation of a temporary restored account in Layerlog to hold the restored data until its automatic expiration.)
| accountName | string Name of the restored account |
| startTime | integer <int64> UNIX timestamp in milliseconds specifying the earliest logs to be restored. |
| endTime | integer <int64> UNIX timestamp in milliseconds specifying the latest logs to be restored. |
successful operation
| id | integer <int32> ID of the restore operation in Layerlog |
| accountId | integer <int32> ID of the restored account in Layerlog |
| accountName | string Name of the restored account |
| restoredVolumeGb | number <float> Nullable Volume of data restored so far. If the restore operation is still in progress, this will be continuously updated. |
| status | string Enum: "IN_PROGRESS" "ACTIVE" "LIMIT_EXCEEDED" "ABORTED" "FAILED" "DELETED" "EXPIRED" Returns the current status of the restored account. |
| startTime | integer <int64> UNIX timestamp in milliseconds specifying the earliest logs to be restored. |
| endTime | integer <int64> UNIX timestamp in milliseconds specifying the latest logs to be restored. |
| createdAt | integer <int64> Timestamp when the restore process was created and entered the queue. (Since only one account can be restored at a time, the process may not initiate immediately.) |
| startedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process initiated. |
| finishedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process completed. |
| expiresAt | integer <int64> Nullable UNIX timestamp in milliseconds specifying when the account is due to expire. Restored accounts expire automatically after a number of days, as specified in the account's terms. |
{
  "accountName": "My account name",
  "startTime": 1589947200,
  "endTime": 1589954400
}

{
  "id": 42,
  "accountId": 564321,
  "accountName": "My account name",
  "restoredVolumeGb": 99,
  "status": "ACTIVE",
  "startTime": 1589947200,
  "endTime": 1589954400,
  "createdAt": 1591902426,
  "startedAt": 1591902428,
  "finishedAt": 1591902461,
  "expiresAt": 1592334461
}
Returns the status of a specific restore operation by its ID.
| id required | integer <int32> ID of the restore process |
successful operation
| id | integer <int32> ID of the restore operation in Layerlog |
| accountId | integer <int32> ID of the restored account in Layerlog |
| accountName | string Name of the restored account |
| restoredVolumeGb | number <float> Nullable Volume of data restored so far. If the restore operation is still in progress, this will be continuously updated. |
| status | string Enum: "IN_PROGRESS" "ACTIVE" "LIMIT_EXCEEDED" "ABORTED" "FAILED" "DELETED" "EXPIRED" Returns the current status of the restored account. |
| startTime | integer <int64> UNIX timestamp in milliseconds specifying the earliest logs to be restored. |
| endTime | integer <int64> UNIX timestamp in milliseconds specifying the latest logs to be restored. |
| createdAt | integer <int64> Timestamp when the restore process was created and entered the queue. (Since only one account can be restored at a time, the process may not initiate immediately.) |
| startedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process initiated. |
| finishedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process completed. |
| expiresAt | integer <int64> Nullable UNIX timestamp in milliseconds specifying when the account is due to expire. Restored accounts expire automatically after a number of days, as specified in the account's terms. |
{
  "id": 42,
  "accountId": 564321,
  "accountName": "My account name",
  "restoredVolumeGb": 99,
  "status": "ACTIVE",
  "startTime": 1589947200,
  "endTime": 1589954400,
  "createdAt": 1591902426,
  "startedAt": 1591902428,
  "finishedAt": 1591902461,
  "expiresAt": 1592334461
}
Aborts a restore process before its completion.
| id required | integer <int32> ID of the restore process. |
successful operation
| id | integer <int32> ID of the restore operation in Layerlog |
| accountId | integer <int32> ID of the restored account in Layerlog |
| accountName | string Name of the restored account |
| restoredVolumeGb | number <float> Nullable Volume of data restored so far. If the restore operation is still in progress, this will be continuously updated. |
| status | string Enum: "IN_PROGRESS" "ACTIVE" "LIMIT_EXCEEDED" "ABORTED" "FAILED" "DELETED" "EXPIRED" Returns the current status of the restored account. |
| startTime | integer <int64> UNIX timestamp in milliseconds specifying the earliest logs to be restored. |
| endTime | integer <int64> UNIX timestamp in milliseconds specifying the latest logs to be restored. |
| createdAt | integer <int64> Timestamp when the restore process was created and entered the queue. (Since only one account can be restored at a time, the process may not initiate immediately.) |
| startedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process initiated. |
| finishedAt | integer <int64> Nullable UNIX timestamp in milliseconds when the restore process completed. |
| expiresAt | integer <int64> Nullable UNIX timestamp in milliseconds specifying when the account is due to expire. Restored accounts expire automatically after a number of days, as specified in the account's terms. |
{
  "id": 42,
  "accountId": 564321,
  "accountName": "My account name",
  "restoredVolumeGb": 99,
  "status": "ACTIVE",
  "startTime": 1589947200,
  "endTime": 1589954400,
  "createdAt": 1591902426,
  "startedAt": 1591902428,
  "finishedAt": 1591902461,
  "expiresAt": 1592334461
}
Parses sample logs with a given Sawmill pipeline (https://github.com/logzio/sawmill/wiki). A pipeline is a collection of parsing rules executed in a specific order; its syntax and functionality follow the guidelines of the Sawmill library. Note: this endpoint does not create or update parsing. It is for testing purposes only.
| logType required | string Example: TestType Type of the log being parsed. This can be an existing type (already sent to Layerlog) or a new type (to be sent to Layerlog for parsing). |
| pipeLineDefinition | object JSON object of a Sawmill pipeline. Defines what transformations should be applied to the input. In the example shown, an extra field |
| sampleLogs | Array of objects A list of JSON objects. If the log is available only as a plain string, this string needs to be in the |
{
  "pipeLineDefinition": "{\"steps\":[{\"addField\":{\"name\":\"addField\",\"config\":{\"path\":\"Movie\",\"value\":\"TheMatrix\"}}}]}",
  "sampleLogs": [
    {
      "fragment": "test",
      "UA-device": "Other",
      "check": "value",
      "message": "balima",
      "type": "TestType"
    }
  ]
}

"{\"Movie\":\"TheMatrix\",\"fragment\":\"test\",\"@timestamp\":\"2021-08-15T12:17:45.731+0000\",\"check\":\"value\",\"message\":\"balima\",\"type\":\"TestType\",\"UA-device\":\"Other\"}"
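The pipeline test call sends the pipeline as a JSON-encoded string and returns the parsed log as a JSON string wrapped in JSON. The following added example (not Layerlog's own code) builds the request body, unwraps the response, and diffs the parsed log against the input so a reviewer can confirm a pipeline does not drop or overwrite fields that detections rely on. The function names and the `protected` field set are assumptions; the sample values are the ones shown for this endpoint.

```python
import json

# Pipeline and sample log taken from this endpoint's request sample.
PIPELINE = {"steps": [{"addField": {"name": "addField",
                                    "config": {"path": "Movie", "value": "TheMatrix"}}}]}
SAMPLE_LOG = {"fragment": "test", "UA-device": "Other", "check": "value",
              "message": "balima", "type": "TestType"}
# Raw response body from this endpoint's response sample (a JSON string holding JSON).
RESPONSE_BODY = (
    r'"{\"Movie\":\"TheMatrix\",\"fragment\":\"test\",'
    r'\"@timestamp\":\"2021-08-15T12:17:45.731+0000\",\"check\":\"value\",'
    r'\"message\":\"balima\",\"type\":\"TestType\",\"UA-device\":\"Other\"}"'
)


def build_test_request(pipeline, sample_logs):
    """Build the request body; the pipeline is serialized to a string,
    mirroring the request sample."""
    if not isinstance(pipeline.get("steps"), list) or not pipeline["steps"]:
        raise ValueError("pipeline needs a non-empty 'steps' list")
    if not all(isinstance(log, dict) for log in sample_logs):
        raise ValueError("every sample log must be a JSON object")
    return {
        "pipeLineDefinition": json.dumps(pipeline, separators=(",", ":")),
        "sampleLogs": sample_logs,
    }


def decode_result(raw_body):
    """Unwrap the response: one json.loads yields a string, a second yields the log."""
    value = json.loads(raw_body)
    if isinstance(value, str):
        value = json.loads(value)
    if not isinstance(value, dict):
        raise ValueError("parsed log is not a JSON object")
    return value


def diff_fields(before, after):
    """Report which fields the pipeline added, removed, or changed."""
    return {
        "added": {k: after[k] for k in after if k not in before},
        "removed": sorted(k for k in before if k not in after),
        "changed": {k: (before[k], after[k])
                    for k in before if k in after and before[k] != after[k]},
    }


def protected_field_violations(diff, protected):
    """Fields from the protected set that the pipeline removed or rewrote."""
    touched = set(diff["removed"]) | set(diff["changed"])
    return sorted(touched & set(protected))


if __name__ == "__main__":
    result = diff_fields(SAMPLE_LOG, decode_result(RESPONSE_BODY))
    print(json.dumps(result, indent=2))
    print(protected_field_violations(result, {"message", "type"}))
```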
Returns the pipeline definition for a given log type, if a definition is already stored.
| logType required | string Log type that you need to retrieve a Sawmill pipeline for. If no parsing has been applied to this log type, a 404 error is returned. |
successful operation
pipeline not found for this log type
"{\"steps\":[{\"addField\":{\"name\":\"addField\",\"config\":{\"path\":\"Movie\",\"value\":\"TheMatrix\"}}}]}"
Uploads an external mapping file in .properties format to Layerlog storage. This file can be used later by Sawmill ExternalMappingSourceProcessor. This feature is not available by default. To enable it, contact Layerlog support. 10 files can be uploaded per account. The file size is limited to 50 MB.
| file | Array of strings <binary> |
successful operation
| result | string Successfully updated external mapping |
bad request
| errorCode | string |
| message | string |
| requestId | string |
| parameters | object |
validation error
| result | string Failed to update external mapping |
{
  "result": "Successfully updated external mapping"
}
Returns all log types for a given account, including log types with no parsing attached.
successful operation
[
  "“metering-access”",
  "“lag-monitor”",
  "“business-analytics-metrics”",
  "“consul-agent”",
  "“auth0”"
]
Returns an array of strings. Each string is an event type that appears in the account's audit trail. Each event type is shown once, no matter how many times it occurs in the account's audit trail.
successful operation
| eventTypes | Array of strings Event types in the audit trail |
curl -X POST "https://api.layerlog.com/v1/audit-trail/event-types" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
{
  "eventTypes": [
    "Added user",
    "Admin created a sub account",
    "Changed password",
    "Failed login",
    "Login",
    "Layerlog admin has enabled a sawmill configuration",
    "Suspended user",
    "User created a token",
    "User installed an ELK app"
  ]
}
| size | integer <int32> [ 0 .. 500 ] Default: 500 Maximum number of results to return. |
| from | integer <int32> [ 0 .. 2147483647 ] Default: 0 Of the results found, the first result to return. |
| auditEventUser | object (AuditEventUser) |
| auditEventType | string Code for the event type |
| fromDate | integer <int64> Starting timedate, as Unix epoch milliseconds. |
| toDate | integer <int64> Ending timedate, as Unix epoch milliseconds. |
| sortDescending | boolean To sort results in descending order, |
| includeFiltersData | boolean |
successful operation
| pageSize | integer <int32> [ 0 .. 500 ] The number of results requested |
| from | integer <int32> [ 0 .. 2147483647 ] Of the results found, the first result returned. |
| total | integer <int64> [ 0 .. 500 ] Total number of results that met the search criteria. |
| results | Array of objects (AuditEventData) |
| auditEventUsersList | Array of objects (AuditEventUser) |
| auditEventTypesList | Array of objects (AuditEventTypeData) |
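The request and response fields above are enough to page through the audit trail and triage it. The following added example (not Layerlog's own code) advances `from` in steps of `size` and flags repeated "Failed login" events per source IP together with account and token changes. `fetch_page` is a hypothetical callable that sends the request body and returns the decoded response; the events, the threshold, and the watched event list are constructed for illustration.

```python
from collections import Counter

MAX_PAGE = 500  # documented upper bound for "size"
# Event type titles taken from the audit trail event-types sample.
WATCHED = {"User created a token", "Added user", "Suspended user",
           "Admin created a sub account"}


def iter_audit_events(fetch_page, size=MAX_PAGE, event_type=None,
                      from_ms=None, to_ms=None):
    """Yield every matching audit event, one page at a time."""
    if not 1 <= size <= MAX_PAGE:
        raise ValueError("size must be between 1 and 500")
    offset = 0
    while True:
        body = {"size": size, "from": offset, "sortDescending": False}
        if event_type:
            body["auditEventType"] = event_type
        if from_ms is not None:
            body["fromDate"] = from_ms
        if to_ms is not None:
            body["toDate"] = to_ms
        results = fetch_page(body).get("results") or []
        yield from results
        # The response sample shows "total": 0 next to one result, so the
        # loop stops on a short page instead of trusting "total".
        if len(results) < size:
            return
        offset += len(results)


def triage(events, failed_login_threshold=5):
    """Group failed logins by source IP and collect watched changes."""
    failed_by_ip = Counter()
    changes = []
    for ev in events:
        title = ev.get("auditEventTypeTitle")
        if title == "Failed login":
            failed_by_ip[ev.get("ip") or "unknown"] += 1
        elif title in WATCHED:
            user = (ev.get("auditEventUser") or {}).get("fullName", "unknown")
            changes.append((ev.get("date") or 0, title, user, ev.get("ip")))
    return {
        "failed_login_sources": {ip: n for ip, n in failed_by_ip.items()
                                 if n >= failed_login_threshold},
        "watched_changes": sorted(changes),
    }


def sample_event(date, title, ip, name="Larry Appleton"):
    """Constructed event in the documented AuditEventData shape."""
    return {"auditEventUser": {"id": 5374, "fullName": name,
                               "deleted": False, "userToken": False},
            "date": date, "auditEventTypeTitle": title, "ip": ip}


# Constructed sample data; the IPs are from documentation address ranges.
SAMPLE_EVENTS = (
    [sample_event(1527168600 + i, "Failed login", "203.0.113.7") for i in range(5)]
    + [sample_event(1527168700, "Login", "198.51.100.20"),
       sample_event(1527168710, "User created a token", "198.51.100.20")]
)


def make_fake_fetch(events):
    """Offline stand-in for the search call; records each request body."""
    calls = []

    def fetch(body):
        calls.append(dict(body))
        chunk = events[body["from"]:body["from"] + body["size"]]
        return {"pageSize": body["size"], "from": body["from"],
                "total": 0, "results": chunk}
    return fetch, calls


if __name__ == "__main__":
    fetch, _ = make_fake_fetch(SAMPLE_EVENTS)
    print(triage(iter_audit_events(fetch, size=2)))
```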
{
  "size": 150,
  "from": 15,
  "auditEventUser": {
    "id": 5374,
    "fullName": "Larry Appleton",
    "deleted": false,
    "userToken": true
  },
  "auditEventType": "Added user",
  "fromDate": 389880000,
  "toDate": 414763200,
  "sortDescending": true,
  "includeFiltersData": true
}

{
  "pageSize": 50,
  "from": 0,
  "total": 0,
  "results": [
    {
      "auditEventUser": {
        "id": 5374,
        "fullName": "Larry Appleton",
        "deleted": false,
        "userToken": true
      },
      "date": 1527168668,
      "auditEventTypeTitle": "Admin created a sub account",
      "ip": "52.203.237.249",
      "geoLocation": "New York - USA",
      "extraDataList": [
        {
          "fieldName": "Account name",
          "oldValue": "Test account",
          "newValue": "Apache access logs"
        }
      ],
      "valid": true
    }
  ],
  "auditEventUsersList": [
    {
      "id": 5374,
      "fullName": "Larry Appleton",
      "deleted": false,
      "userToken": true
    }
  ],
  "auditEventTypesList": [
    {
      "auditEventType": "Added user",
      "auditEventTypeTitle": "Added user"
    }
  ]
}

Establish a connection to ship logs to the Layerlog observability platform via an S3 bucket. Supports CloudTrail logs.
Returns a list of CloudTrail resources connected to your Layerlog account.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
successful operation
| id | integer <int32> Layerlog ID of the CloudTrail connector. Use this ID to perform operations on the connector using Layerlog API endpoints. |
| accessKey | string AWS S3 access key |
| bucket | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean If |
curl -X GET "https://api.layerlog.com/v1/log-shipping/cloudtrails" -H "accept: application/json" -H "content-type: application/json" -H "X-API-TOKEN: <token>"
[
  {
    "id": 15,
    "accessKey": "ee07df5801500745419c6dff",
    "bucket": "cloudtrails bucket",
    "prefix": "AWSLogs/7364988021587/myprefix",
    "active": true
  }
]
Establishes a new connection to a CloudTrail resource. As a result, logs from your CloudTrail resource will ship to the connected Layerlog account via an AWS S3 bucket.
CloudTrail logs will be parsed using the Layerlog custom CloudTrail parsing pipeline.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| accessKey | string AWS S3 access key |
| secretKey | string AWS secret access key |
| bucket | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean If |
successful operation
| id | integer <int32> >= 1 Layerlog ID of the CloudTrail connector. Use this ID to perform operations on the connector using Layerlog API endpoints. |
{
  "accessKey": "ee07df5801500745419c6dff",
  "secretKey": "506d891fe2163a511b450eddc3279539f6",
  "bucket": "LogzioBucket",
  "prefix": "AWSLogs/7364988021587/myprefix",
  "active": true
}

{
  "id": 1
}
Returns details for a CloudTrail connector, identified by its ID.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> Layerlog ID of the CloudTrail connector |
successful operation
| id | integer <int32> Layerlog ID of the CloudTrail connector. Use this ID to perform operations on the connector using Layerlog API endpoints. |
| accessKey | string AWS S3 access key |
| bucket | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean If |
{
  "id": 15,
  "accessKey": "ee07df5801500745419c6dff",
  "bucket": "cloudtrails bucket",
  "prefix": "AWSLogs/7364988021587/myprefix",
  "active": true
}
Updates details for a CloudTrail connector.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> Layerlog ID of the CloudTrail connector. |
| accessKey | string AWS S3 access key |
| secretKey | string AWS secret access key |
| bucket | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean If |
successful operation
| message | string |
{
  "accessKey": "ee07df5801500745419c6dff",
  "secretKey": "506d891fe2163a511b450eddc3279539f6",
  "bucket": "LogzioBucket",
  "prefix": "AWSLogs/7364988021587/myprefix",
  "active": true
}

{
  "message": "string"
}
Deletes a CloudTrail connector. As a result, CloudTrail will stop shipping data to your Layerlog account.
Note: This endpoint requires permissions that must be set by our Support team. Please email destek@layerlog.com for assistance.
| id required | integer <int32> Layerlog ID of the CloudTrail connector. |
successful operation
| message | string |
{
  "message": "string"
}

Establish a connection for the Layerlog fetcher to fetch logs to the Layerlog observability platform via an S3 bucket. Supports ELB, S3 Access, CloudFront, VPC Flow logs.
If you're looking to fetch CloudTrail logs, use the designated endpoints.
Authentication can be established with either S3 secret credentials or ARNs (for AWS IAM Roles). Authentication with S3 Secret Credentials is supported for backward compatibility. Authentication with ARNs (for IAM Roles) is strongly recommended.
Returns a list of all S3 buckets connected to your Layerlog account.
successful operation
| accessKey | string AWS S3 bucket access key |
| secretKey | string AWS S3 bucket secret key |
| arn | string Amazon Resource Name (ARN) to uniquely identify the S3 bucket. To generate a new ARN, create a new IAM Role in your AWS admin console. |
| bucket required | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean Default: true If |
| addS3ObjectKeyAsLogField | boolean Default: false If |
| region required | string Enum: "US_EAST_1" "US_EAST_2" "US_WEST_1" "US_WEST_2" "EU_WEST_1" "EU_WEST_2" "EU_WEST_3" "EU_CENTRAL_1" "AP_NORTHEAST_1" "AP_NORTHEAST_2" "AP_SOUTHEAST_1" "AP_SOUTHEAST_2" "SA_EAST_1" "AP_SOUTH_1" "CA_CENTRAL_1" Specify one supported AWS region. |
| logsType required | string Enum: "elb" "vpcflow" "S3Access" "cloudfront" Specifies the log type being sent to Layerlog. Determines the parsing pipeline used to parse and map the logs. Learn more about parsing options supported by Layerlog. |
[
  {
    "accessKey": "ee07df5801500745419c6dff",
    "secretKey": "506d891fe2163a511b450eddc3279539f6",
    "arn": "string",
    "bucket": "AWS bucket",
    "prefix": "AWSLogs/7364988021587/myprefix",
    "active": true,
    "addS3ObjectKeyAsLogField": true,
    "region": "US_EAST_1",
    "logsType": "elb"
  }
]
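The connector list includes `secretKey` in its response, and this section recommends IAM role ARNs over S3 secret credentials. The following added example (not Layerlog's own code) reviews a connector list against that recommendation and against the documented `region` and `logsType` enums, and redacts credentials before the report is logged or attached to a ticket. The finding codes, the IAM role ARN pattern, and the sample connectors are assumptions constructed for illustration.

```python
import re

# Enum values as documented for the S3 bucket connector.
REGIONS = {
    "US_EAST_1", "US_EAST_2", "US_WEST_1", "US_WEST_2", "EU_WEST_1",
    "EU_WEST_2", "EU_WEST_3", "EU_CENTRAL_1", "AP_NORTHEAST_1",
    "AP_NORTHEAST_2", "AP_SOUTHEAST_1", "AP_SOUTHEAST_2", "SA_EAST_1",
    "AP_SOUTH_1", "CA_CENTRAL_1",
}
LOG_TYPES = {"elb", "vpcflow", "S3Access", "cloudfront"}
# Assumption: the "arn" field holds a standard IAM role ARN.
ROLE_ARN = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+")


def redact(conn):
    """Return a copy that is safe to log: no secret, access key truncated."""
    safe = dict(conn)
    if safe.get("secretKey"):
        safe["secretKey"] = "<redacted>"
    if safe.get("accessKey"):
        safe["accessKey"] = "..." + str(safe["accessKey"])[-4:]
    return safe


def lint_connector(conn):
    """Return finding codes for one connector object."""
    findings = []
    has_arn = bool(conn.get("arn"))
    has_keys = bool(conn.get("accessKey") or conn.get("secretKey"))
    if has_arn and not ROLE_ARN.fullmatch(str(conn["arn"])):
        findings.append("arn-not-iam-role")
    if has_keys and has_arn:
        findings.append("mixed-auth")      # static keys left behind after a migration
    elif has_keys:
        findings.append("static-keys")     # supported for backward compatibility only
    elif not has_arn:
        findings.append("no-auth")
    for field in ("bucket", "region", "logsType"):   # documented as required
        if not conn.get(field):
            findings.append("missing-" + field)
    if conn.get("region") and conn["region"] not in REGIONS:
        findings.append("unknown-region")
    if conn.get("logsType") and conn["logsType"] not in LOG_TYPES:
        findings.append("unknown-logsType")
    return findings


def review(connectors):
    """Report only connectors with findings, with credentials redacted."""
    report = []
    for conn in connectors:
        findings = lint_connector(conn)
        if findings:
            report.append({"connector": redact(conn), "findings": findings})
    return report


# Constructed sample list in the documented response shape.
SAMPLE_CONNECTORS = [
    {"accessKey": "EXAMPLEACCESSKEY0001", "secretKey": "example-secret-value",
     "arn": "string", "bucket": "example-elb-logs", "region": "US_EAST_1",
     "logsType": "elb"},
    {"arn": "arn:aws:iam::123456789012:role/example-log-reader",
     "bucket": "example-vpc-logs", "region": "EU_WEST_1", "logsType": "vpcflow"},
    {"accessKey": "EXAMPLEACCESSKEY0002", "secretKey": "example-secret-value",
     "bucket": "example-cf-logs", "region": "us-east-1"},
]

if __name__ == "__main__":
    for item in review(SAMPLE_CONNECTORS):
        print(item["findings"], item["connector"])
```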
Establishes a new connection of the Layerlog fetcher to an AWS S3 bucket. As a result, logs from your AWS resource will begin shipping to the connected Layerlog account via an AWS S3 bucket.
Logs will be parsed using the Layerlog custom parsing pipeline for the resource.
| accessKey | string AWS S3 bucket access key |
| secretKey | string AWS S3 bucket secret key |
| arn | string Amazon Resource Name (ARN) to uniquely identify the S3 bucket. To generate a new ARN, create a new IAM Role in your AWS admin console. |
| bucket required | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean Default: true If |
| addS3ObjectKeyAsLogField | boolean Default: false If |
| region required | string Enum: "US_EAST_1" "US_EAST_2" "US_WEST_1" "US_WEST_2" "EU_WEST_1" "EU_WEST_2" "EU_WEST_3" "EU_CENTRAL_1" "AP_NORTHEAST_1" "AP_NORTHEAST_2" "AP_SOUTHEAST_1" "AP_SOUTHEAST_2" "SA_EAST_1" "AP_SOUTH_1" "CA_CENTRAL_1" Specify one supported AWS region. |
| logsType required | string Enum: "elb" "vpcflow" "S3Access" "cloudfront" Specify the log type you will be sending to Layerlog. As a result, Layerlog will apply the appropriate parsing pipeline. Learn more about parsing options supported by Layerlog. |
successful operation
{
  "accessKey": "ee07df5801500745419c6dff",
  "secretKey": "506d891fe2163a511b450eddc3279539f6",
  "arn": "string",
  "bucket": "AWS bucket",
  "prefix": "AWSLogs/7364988021587/myprefix",
  "active": true,
  "addS3ObjectKeyAsLogField": true,
  "region": "US_EAST_1",
  "logsType": "elb"
}
Returns connection details for an S3 bucket connector by its ID.
| id required | integer <int32> Layerlog ID of the S3 Bucket connector. You can run the relevant GET endpoints to retrieve the ID. |
successful operation
| accessKey | string AWS S3 bucket access key |
| secretKey | string AWS S3 bucket secret key |
| arn | string Amazon Resource Name (ARN) to uniquely identify the S3 bucket. To generate a new ARN, create a new IAM Role in your AWS admin console. |
| bucket required | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean Default: true If |
| addS3ObjectKeyAsLogField | boolean Default: false If |
| region required | string Enum: "US_EAST_1" "US_EAST_2" "US_WEST_1" "US_WEST_2" "EU_WEST_1" "EU_WEST_2" "EU_WEST_3" "EU_CENTRAL_1" "AP_NORTHEAST_1" "AP_NORTHEAST_2" "AP_SOUTHEAST_1" "AP_SOUTHEAST_2" "SA_EAST_1" "AP_SOUTH_1" "CA_CENTRAL_1" Specify one supported AWS region. |
| logsType required | string Enum: "elb" "vpcflow" "S3Access" "cloudfront" Specifies the log type being sent to Layerlog. Determines the parsing pipeline used to parse and map the logs. Learn more about parsing options supported by Layerlog. |
{
  "accessKey": "ee07df5801500745419c6dff",
  "secretKey": "506d891fe2163a511b450eddc3279539f6",
  "arn": "string",
  "bucket": "AWS bucket",
  "prefix": "AWSLogs/7364988021587/myprefix",
  "active": true,
  "addS3ObjectKeyAsLogField": true,
  "region": "US_EAST_1",
  "logsType": "elb"
}
Updates connection details for an S3 bucket connector.
| id required | integer <int32> Layerlog ID of the S3 Bucket connector. You can run the relevant GET endpoints to retrieve the ID. |
| accessKey | string AWS S3 bucket access key |
| secretKey | string AWS S3 bucket secret key |
| arn | string Amazon Resource Name (ARN) to uniquely identify the S3 bucket. To generate a new ARN, create a new IAM Role in your AWS admin console. |
| bucket required | string AWS S3 bucket name |
| prefix | string Prefix of the AWS S3 bucket |
| active | boolean Default: true If |
| addS3ObjectKeyAsLogField | boolean Default: false If |
| region required | string Enum: "US_EAST_1" "US_EAST_2" "US_WEST_1" "US_WEST_2" "EU_WEST_1" "EU_WEST_2" "EU_WEST_3" "EU_CENTRAL_1" "AP_NORTHEAST_1" "AP_NORTHEAST_2" "AP_SOUTHEAST_1" "AP_SOUTHEAST_2" "SA_EAST_1" "AP_SOUTH_1" "CA_CENTRAL_1" Specify one supported AWS region. |
| logsType required | string Enum: "elb" "vpcflow" "S3Access" "cloudfront" Specify the log type you will be sending to Layerlog. As a result, Layerlog will apply the appropriate parsing pipeline. Learn more about parsing options supported by Layerlog. |
successful operation
{
  "accessKey": "ee07df5801500745419c6dff",
  "secretKey": "506d891fe2163a511b450eddc3279539f6",
  "arn": "string",
  "bucket": "AWS bucket",
  "prefix": "AWSLogs/7364988021587/myprefix",
  "active": true,
  "addS3ObjectKeyAsLogField": true,
  "region": "US_EAST_1",
  "logsType": "elb"
}
Deletes an S3 bucket connector. As a result, the connected AWS resource will stop shipping logs to your Layerlog account.
| id required | integer <int32> Layerlog ID of the S3 bucket connector. You can run the relevant GET endpoints to retrieve the ID. |
successful operation
Returns the Layerlog parameters needed to create an AWS IAM Role in the AWS admin console.
The next steps after running this endpoint:
successful operation
| logzioAWSAccountId | string Layerlog account ID. Provide this account ID when creating a new AWS IAM Role. |
| assignedExternalId | string Layerlog external ID. Provide this external ID when creating a new AWS IAM Role. |
{
  "logzioAWSAccountId": null,
  "assignedExternalId": null
}
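The two values this endpoint returns are what an IAM role's trust policy needs in order to limit who can assume the role. The following added example (not Layerlog's own code) builds a trust policy that requires the assigned external ID, builds a read-only policy scoped to one bucket prefix, and checks an existing trust policy for a wildcard principal or a missing external ID. The account-root principal form, the choice of `s3:ListBucket` and `s3:GetObject`, and all sample values are assumptions.

```python
import re


def build_trust_policy(params):
    """Trust policy for the role: only the returned account may assume it,
    and only when it presents the assigned external ID."""
    account_id = params.get("logzioAWSAccountId")
    external_id = params.get("assignedExternalId")
    if not account_id or not external_id:
        # The response sample for this endpoint shows null for both fields.
        raise ValueError("response carries no account ID or external ID")
    if not re.fullmatch(r"\d{12}", str(account_id)):
        raise ValueError("expected a 12-digit AWS account ID")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": str(external_id)}},
        }],
    }


def build_read_policy(bucket, prefix=""):
    """Assumed minimal permissions: list and read objects under one prefix."""
    prefix = prefix.strip("/")
    list_stmt = {"Effect": "Allow", "Action": "s3:ListBucket",
                 "Resource": "arn:aws:s3:::%s" % bucket}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "/*"]}}
    objects = "arn:aws:s3:::%s/%s*" % (bucket, prefix + "/" if prefix else "")
    get_stmt = {"Effect": "Allow", "Action": "s3:GetObject", "Resource": objects}
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def trust_policy_findings(policy, params):
    """Check an existing trust policy against the values the endpoint returned."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings, seen = [], False
    for st in statements:
        actions = st.get("Action") or []
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen = True
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else (aws or [])
        if "*" in principals:
            findings.append("wildcard-principal")
        elif not any(str(params["logzioAWSAccountId"]) in p for p in principals):
            findings.append("unexpected-principal")
        cond = st.get("Condition") or {}
        external_id = (cond.get("StringEquals") or {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing-external-id")
        elif external_id != params["assignedExternalId"]:
            findings.append("wrong-external-id")
    if not seen:
        findings.append("no-assume-role-statement")
    return findings


# Constructed values standing in for a real response from this endpoint.
SAMPLE_PARAMS = {"logzioAWSAccountId": "123456789012",
                 "assignedExternalId": "example-external-id"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_trust_policy(SAMPLE_PARAMS), indent=2))
    print(json.dumps(build_read_policy("example-logs-bucket", "AWSLogs/myprefix"), indent=2))
```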
Retrieves alerts that match the given parameters. The parameters are passed as query string parameters. For example: /api/alerts?dashboardId=1.
| dashboardId | integer Limit response to alerts in specified dashboard(s). You can specify multiple dashboards, e.g. |
| panelId | integer Limit response to alert for a specified panel on a dashboard. |
| query | string Limit response to alerts having a name like this value. |
| state | string Return alerts with one or more of the following alert states: |
| limit | integer Limit response to X number of alerts. |
| folderId | integer Limit response to alerts of dashboards in specified folder(s). You can specify multiple folders, e.g. |
| dashboardQuery | integer Limit response to alerts having a dashboard name like this value. |
| dashboardTag | integer Limit response to alerts of dashboards with specified tags. To do an “AND” filtering with multiple tags, specify the tags parameter multiple times e.g. |
successful query
| id | integer ID. |
| dashboardId | integer Dashboard ID. |
| dashboardUId | string Unique Identifier of the dashboard. |
| dashboardSlug | string Dashboard slug. |
| panelId | integer ID of the dashboard panel. |
| name | string Dashboard name. |
| state | string Dashboard state. |
| newStateDate | string New state date. |
| evalDate | string Evaluation date. |
| evalData | Array of strings Evaluation data. |
| executionError | string Execution error message, if present. |
| url | string Dashboard url. |
curl -X GET 'https://api.layerlog.com/v1/grafana/api/alerts?dashboardId=1' \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 1,
  "dashboardId": 1,
  "dashboardUId": "ABcdEFghij",
  "dashboardSlug": "sensors",
  "panelId": 1,
  "name": "fire place sensor",
  "state": "alerting",
  "newStateDate": "2018-05-14T05:55:20+02:00",
  "evalDate": "0001-01-01T00:00:00Z",
  "evalData": [
    "string"
  ],
  "executionError": ""
}
Retrieves alerts by Id.
| id required | integer ID of the alert queried. |
successful query
| id | integer ID. |
| dashboardId | integer Dashboard ID. |
| dashboardUId | string Unique Identifier of the dashboard. |
| dashboardSlug | string Dashboard slug. |
| panelId | integer ID of the dashboard panel. |
| name | string Dashboard name. |
| state | string Dashboard state. |
| newStateDate | string New state date. |
| evalDate | string Evaluation date. |
| evalData | Array of objects Evaluation data. |
| executionError | string Execution error message, if present. |
| url | string Dashboard url. |
curl -X GET 'https://api.layerlog.com/v1/grafana/api/alerts/1' \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 1,
  "dashboardId": 1,
  "dashboardUId": "ABcdEFghij",
  "dashboardSlug": "sensors",
  "panelId": 1,
  "name": "fire place sensor",
  "state": "alerting",
  "newStateDate": "2018-05-14T05:55:20+02:00",
  "evalDate": "0001-01-01T00:00:00Z",
  "evalData": [
    {
      "metric": "string",
      "tags": {
        "name": "string"
      },
      "value": "string"
    }
  ],
  "executionError": ""
}
Pauses alerts by Id.
| id required | integer ID of alert to be paused. |
| paused | boolean Can be |
successful query
| alertId | integer Alert ID. |
| state | string Alert state. |
| message | string Response message. |
{
  "paused": true
}

{
  "alertId": 1,
  "state": "Paused",
  "message": "Alert paused"
}
Pauses all alerts.
| paused | boolean Can be |
successful query
| alertId | integer Alert ID. |
| state | string State of alerts affected by request. |
| message | string Response message. |
| alertsAffected | integer List of alerts affected by request. |
{
  "paused": true
}

{
  "alertId": 1,
  "state": "Paused",
  "message": "Alert paused",
  "alertsAffected": 1
}
Searches for annotations in the Grafana database.
| from | integer Epoch datetime in milliseconds. Optional. |
| to | integer Epoch datetime in milliseconds. Optional. |
| limit | integer Optional - default is 100. Max limit for results returned. |
| alertId | integer Optional. Find annotations for a specified alert. |
| dashboardId | integer Optional. Find annotations that are scoped to a specific dashboard |
| panelId | integer Optional. Find annotations that are scoped to a specific panel |
| userId | integer Optional. Find annotations created by a specific user |
| type | string Optional. Return alerts or user created annotations |
| tags | string Optional. Use this to filter global annotations. Global annotations are annotations from an annotation data source that are not connected specifically to a dashboard or panel. To do an “AND” filtering with multiple tags, specify the tags parameter multiple times e.g. tags=tag1&tags=tag2. |
successful query
| id | integer ID. |
| dashboardId | integer Dashboard ID. |
| dashboardUId | string Dashboard UID. |
| dashboardSlug | string Dashboard slug. |
| panelId | integer Panel ID. |
| name | string Dashboard name. |
| state | string Dashboard state. |
| newStateDate | string Date of the new state. |
| evalDate | string Evaluation date. |
| evalData | Array of strings Evaluation data. |
| executionError | string Execution error, if present |
| url | string Dashboard url. |
curl -X GET 'https://api.layerlog.com/v1/grafana/api/annotations?from=1506676478816&to=1507281278816&tags=tag1&tags=tag2&limit=100' \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 1,
  "dashboardId": 1,
  "dashboardUId": "ABcdEFghij",
  "dashboardSlug": "sensors",
  "panelId": 1,
  "name": "fire place sensor",
  "state": "alerting",
  "newStateDate": "2018-05-14T05:55:20+02:00",
  "evalDate": "0001-01-01T00:00:00Z",
  "evalData": [
    "string"
  ],
  "executionError": ""
}
Creates an annotation in the Grafana database.
| dashboardId | integer Id of the dashboard. The dashboardId and panelId fields are optional. If they are not specified then a global annotation is created and can be queried in any dashboard that adds the Grafana annotations data source. |
| panelId | integer Id of the panel. The dashboardId and panelId fields are optional. If they are not specified then a global annotation is created and can be queried in any dashboard that adds the Grafana annotations data source. |
| time | integer Epoch time in milliseconds. |
| timeEnd | integer Epoch time in milliseconds. |
| tags | Array of strings Annotation tags. |
| text | string Annotation Description. |
successful query
| id | integer ID. |
| message | string Confirmation message. |
{
  "dashboardId": 0,
  "panelId": 0,
  "time": 0,
  "timeEnd": 0,
  "tags": [
    "tag1"
  ],
  "text": "string"
}

{
  "id": 1,
  "message": "Annotation added"
}
Creates an annotation in the Grafana database by using Graphite-compatible event format.
| what | string Graphite annotation. |
| when | integer Epoch datetime of the annotation in milliseconds. Optional. If |
| tags | Array of strings Annotation tags. Can also be in the format used prior to Graphite 0.10.0 (a single string with multiple tags separated by spaces). |
| data | string Annotation Description. |
successful query
| id | integer ID. |
| message | string Confirmation message. |
{
  "what": "Event - deploy",
  "when": 0,
  "tags": [
    "deploy",
    "production"
  ],
  "data": "deploy of master branch happened at Wed Jul 6 22:34:41 UTC 2016"
}

{
  "id": 1,
  "message": "Graphite annotation added"
}
Updates an annotation in the Grafana database.
| id required | integer Id of the annotation. |
| time | integer Epoch time in milliseconds. |
| timeEnd | integer Epoch time in milliseconds. |
| text | string Annotation Description. |
| tags | array Tags. |
successful query
| message | string Confirmation message. |
{
  "time": 0,
  "timeEnd": "Event - deploy",
  "text": "string",
  "tags": ["tag3", "tag4", "tag5"]
}

{
  "message": "Annotation updated"
}
Updates one or more properties of an annotation that matches the specified id. This operation currently supports updating of the text, tags, time and timeEnd properties.
| id required | integer Id of the annotation. |
| text | string Annotation Description. |
| tags | array Tags. |
successful query
| message | string Confirmation message. |
{
  "text": "string",
  "tags": null
}

{
  "message": "Annotation patched"
}
Deletes the annotation that matches the specified id.
| id required | integer Id of the annotation. |
successful query
| message | string Confirmation message. |
curl -X DELETE https://api.layerlog.com/v1/grafana/api/annotations/1141 \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "message": "Annotation deleted"
}
Searches for event tags in annotations in the Grafana database.
| tag | string Tag. Optional. |
| limit | integer Optional. A number, where the default is 100. Max limit for results returned. |
successful query
| result | object Query result. |
curl -X GET 'https://api.layerlog.com/v1/grafana/api/annotations/tags?tag=out' \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "result": {
    "tags": {
      "tag": "outage",
      "count": 1
    }
  }
}
Creates a new dashboard or updates an existing dashboard.
| dashboard | object The complete dashboard model, to create a new dashboard. |
| folderId | integer The id of the folder to save the dashboard in. |
| folderUid | string The UID of the folder to save the dashboard in. Overrides the folderId. |
| message | string Set a commit message for the version history. |
| overwrite | boolean Set to true if you want to overwrite existing dashboard with newer version, same dashboard title in folder or same dashboard uid. |
successful query
| id | integer ID. |
| uid | string UID. |
| url | string URL. |
| status | string Request status. |
| version | integer Dashboard version. |
| slug | string Dashboard slug. |
failed
| message | string Error message. |
| status | string Error status. |
{
  "dashboard": {
    "id": 1,
    "uid": 1,
    "panels": [
      {
        "alert": {
          "alertRuleTags": {},
          "conditions": [
            {
              "evaluator": {
                "params": [0],
                "type": "string"
              },
              "operator": {
                "type": "string"
              },
              "query": {
                "params": ["string"]
              },
              "reducer": {
                "params": [null],
                "type": "string"
              },
              "type": "string"
            }
          ],
          "executionErrorState": "string",
          "for": "string",
          "frequency": "string",
          "handler": 0,
          "name": "string",
          "noDataState": "string",
          "notifications": [null]
        },
        "aliasColors": {},
        "bars": true,
        "dashLength": 0,
        "dashes": true,
        "datasource": "string",
        "fieldConfig": {
          "defaults": {
            "custom": {}
          },
          "overrides": [null]
        },
        "fill": 0,
        "fillGradient": 0,
        "gridPos": {
          "h": 0,
          "w": 0,
          "x": 0,
          "y": 0
        },
        "hiddenSeries": true,
        "id": 0,
        "legend": {
          "avg": true,
          "current": true,
          "max": true,
          "min": true,
          "show": true,
          "total": true,
          "values": true
        },
        "lines": true,
        "linewidth": 0,
        "nullPointMode": "string",
        "options": {
          "dataLinks": [null]
        },
        "percentage": true,
        "pointradius": 0,
        "points": true,
        "renderer": "string",
        "seriesOverrides": [null],
        "spaceLength": 0,
        "stack": true,
        "steppedLine": true,
        "targets": [
          {
            "refId": "string",
            "scenarioId": "string"
          }
        ],
        "thresholds": [
          {
            "colorMode": "string",
            "fill": true,
            "line": true,
            "op": "string",
            "value": 0
          }
        ],
        "timeFrom": "string",
        "timeRegions": [null],
        "timeShift": "string",
        "title": "string",
        "tooltip": {
          "shared": true,
          "sort": 0,
          "value_type": "string"
        },
        "type": "string",
        "xaxis": {
          "buckets": "string",
          "mode": "string",
          "name": "string",
          "show": true,
          "values": [null]
        },
        "yaxes": [
          {
            "format": "string",
            "label": "string",
            "logBase": 0,
            "max": "string",
            "min": "string",
            "show": true
          }
        ],
        "yaxis": {
          "align": true,
          "alignLevel": "string"
        }
      }
    ],
    "title": "Production Overview",
    "tags": ["tag3"],
    "timezone": "browser",
    "schemaVersion": 1,
    "version": 0,
    "refresh": "25s"
  },
  "folderId": 1,
  "folderUid": "l3KqBxCMz",
  "message": "Made changes to xyz",
  "overwrite": true
}

{
  "id": 1,
  "uid": "cIBgcSjkk",
  "url": "/d/cIBgcSjkk/production-overview",
  "status": "success",
  "version": 1,
  "slug": "production-overview"
}
Will return the dashboard given the dashboard unique identifier (uid). Information about the unique identifier of a folder containing the requested dashboard might be found in the metadata.
| uid required | string Dashboard UID. |
success
| dashboard | object The complete dashboard model, |
| meta | object Information about the unique identifier of a folder containing the requested dashboard. |
# The "slug" field in the response's meta object is deprecated in Grafana v5.0.
curl -X GET https://api.layerlog.com/v1/grafana/api/dashboards/uid/cIBgcSjkk \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "dashboard": {
    "id": 1,
    "uid": 1,
    "title": "Production Overview",
    "tags": ["tag3"],
    "timezone": "browser",
    "schemaVersion": 1,
    "version": 0
  },
  "meta": {
    "isStarred": true,
    "url": "/d/cIBgcSjkk/production-overview",
    "folderId": 2,
    "folderUid": "l3KqBxCMz",
    "slug": "production-overview"
  }
}
Will delete the dashboard given the specified unique identifier (uid).
| uid required | string Dashboard UID. |
success
| title | object Dashboard title. |
| message | object Response message. |
| id | integer Dashboard id. |
curl -X DELETE https://api.layerlog.com/v1/grafana/api/dashboards/uid/cIBgcSjkk \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "title": "Production Overview",
  "message": {},
  "id": 2
}
Will return the home dashboard.
success
| dashboard | object The complete dashboard model, |
| meta | object The complete dashboard model, |
curl -X GET https://api.layerlog.com/v1/grafana/api/dashboards/home \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "dashboard": {
    "editable": false,
    "hideControls": false,
    "nav": {
      "enable": false,
      "type": "timepicker"
    },
    "style": "dark",
    "tags": {
      "tag": "outage"
    },
    "templating": {
      "list": ["string"]
    },
    "time": {},
    "timezone": "browser",
    "title": "Home",
    "version": 2
  },
  "meta": {
    "isHome": true,
    "canSave": false,
    "canEdit": false,
    "canStar": false,
    "url": "url",
    "expires": "2025-12-07T12:21:52.948Z",
    "created": "2025-12-07T12:21:52.948Z"
  }
}
Will return all tags for all dashboards.
success
| term | string Tag term. |
| count | string Tag count. |
curl -X GET https://api.layerlog.com/v1/grafana/api/dashboards/tags \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

[
  {
    "term": "tag1",
    "count": "count1"
  }
]
Gets all existing dashboard versions for the dashboard with the given dashboardId.
| dashboardId required | integer Dashboard ID. |
| limit | integer Maximum number of results to return. |
| start | integer Version to start from when returning queries. |
success
| id | integer ID. |
| dashboardId | integer Dashboard ID. |
| parentVersion | integer Dashboard parent version. |
| restoredFrom | integer Restored from. |
| version | integer Version. |
| created | integer Date created. |
| createdBy | string Created by. |
| message | string Message. |
curl -X GET 'https://api.layerlog.com/v1/grafana/api/dashboards/id/1/versions?limit=2&start=0' \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 1,
  "dashboardId": 2,
  "parentVersion": 0,
  "restoredFrom": 0,
  "version": 2,
  "created": "2017-06-08T17:24:33-04:00",
  "createdBy": "admin",
  "message": "Initial save"
}
Get the dashboard version with the given id, for the dashboard with the given id.
| dashboardId required | integer Dashboard ID. |
| id required | integer Version ID. |
success
| id | integer ID. |
| dashboardId | integer Dashboard ID. |
| parentVersion | integer Parent version. |
| restoredFrom | integer Restored from. |
| version | integer Version. |
| created | string Creation date. |
| message | string Message. |
| data | object Data. |
| createdBy | string Created by. |
curl -X GET https://api.layerlog.com/v1/grafana/api/dashboards/id/1/versions/1 \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 1,
  "dashboardId": 1,
  "parentVersion": 0,
  "restoredFrom": 0,
  "version": 1,
  "created": "2025-12-07T12:21:52.948Z",
  "message": "Initial save",
  "data": {
    "annotations": {
      "list": [null]
    },
    "editable": true,
    "gnetId": "string",
    "graphTooltip": 0,
    "hideControls": true,
    "id": 1,
    "links": [null],
    "rows": [
      {
        "collapse": true,
        "height": "250px",
        "panels": [null],
        "repeat": "string",
        "repeatIteration": "string",
        "repeatRowId": "string",
        "showTitle": true,
        "title": "Dashboard Row",
        "titleSize": "h6"
      }
    ],
    "schemaVersion": "14",
    "style": "dark",
    "tags": [null],
    "templating": {
      "list": [null]
    },
    "time": {
      "from": "now-6h",
      "to": "now"
    },
    "timepicker": {
      "refresh_intervals": ["5s"],
      "time_options": ["5m"]
    },
    "timezone": "browser",
    "title": "test",
    "version": 1
  },
  "createdBy": "admin"
}
Restores a dashboard to a given dashboard version.
| dashboardId required | integer Dashboard ID. |
| version | integer Dashboard version. |
successful query
| slug | string Dashboard slug. |
| status | string Dashboard status. |
| version | integer Dashboard version. |
{
  "version": 0
}

{
  "slug": "production-overview",
  "status": "success",
  "version": 1
}
Compares two dashboard versions by calculating the JSON diff of them.
| base | object Object representing the base dashboard version. |
| new | object Object representing the new dashboard version. |
| diffType | string The type of diff to return. Can be “json” or “basic”. |
successful query
{
  "base": {
    "dashboardId": 1,
    "version": 1
  },
  "new": {
    "dashboardId": 1,
    "version": 1
  },
  "diffType": "string"
}

{}
Search folders and dashboards.
| query | string Search query. |
| tag | string List of tags to search for. |
| type | string Type to search for, dash-folder or dash-db. |
| dashboardIds | integer List of dashboard IDs to search for. |
| folderIds | integer List of folder IDs to search in for dashboards. |
| starred | boolean Flag indicating if only starred Dashboards should be returned. |
| limit | integer Limit the number of returned results (max 5000). |
| page | integer Use this parameter to access hits beyond limit. Numbering starts at 1. limit param acts as page size. Only available in Grafana v6.2+. |
successful query
| id | integer ID. |
| uid | string UID. |
| title | string Title. |
| url | string URL. |
| type | string Type. |
| tags | Array of any Tags. |
| isStarred | boolean Whether the dashboard is starred. |
| uri | string URI. |
curl -X GET 'https://api.layerlog.com/v1/grafana/api/search?query=Production%20Overview&starred=true&tag=prod' \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 163,
  "uid": "000000163",
  "title": "Folder",
  "url": "/dashboards/f/000000163/folder",
  "type": "dash-folder",
  "tags": [null],
  "isStarred": true,
  "uri": "db/folder"
}
Creates a snapshot.
| dashboard | object The complete dashboard model. |
| name | string Snapshot name. |
| expires | integer When the snapshot should expire in seconds. 3600 is 1 hour, 86400 is 1 day. Default is never to expire. |
| external | boolean Save the snapshot on an external server rather than locally. Default is false. |
| key | string Define the unique key. Required if external is true. |
| deleteKey | string Unique key used to delete the snapshot. It is different from the key so that only the creator can delete the snapshot. Required if external is true. |
successful query
| deleteKey | string Unique key used to delete the snapshot. It is different from the |
| deleteUrl | string Delete url. |
| key | string Unique key. |
| url | string URL. |
| id | integer ID. |
{
  "dashboard": {},
  "name": "string",
  "expires": 0,
  "external": true,
  "key": "string",
  "deleteKey": "string"
}

{
  "deleteKey": "XXXXXXX",
  "deleteUrl": "myurl/api/snapshots-delete/XXXXXXX",
  "key": "YYYYYYY",
  "url": "myurl/dashboard/snapshot/YYYYYYY",
  "id": 1
}
Get list of Snapshots.
| query | string Search query. |
| limit | integer Limit the number of returned results. |
successful query
| id | integer ID. |
| name | string Snapshot name. |
| key | string Snapshot key. |
| orgId | integer Snapshot orgId. |
| userId | integer Snapshot user ID. |
| external | boolean Whether the snapshot is external. |
| externalUrl | string Snapshot external url. |
| expires | string Snapshot expiry date. |
| created | string Snapshot creation date. |
| updated | string Snapshot update date. |
curl -X GET https://api.layerlog.com/v1/grafana/api/dashboards/snapshots \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "id": 8,
  "name": "Home",
  "key": "YYYYYYY",
  "orgId": 1,
  "userId": 1,
  "external": true,
  "externalUrl": "string",
  "expires": "2025-12-07T12:21:52.949Z",
  "created": "2025-12-07T12:21:52.949Z",
  "updated": "2025-12-07T12:21:52.949Z"
}
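Because snapshots can be saved on an external server and default to never expiring, it is worth reviewing the snapshot list periodically. The following is an added example, not Layerlog's own code: it audits records shaped like the "Get list of Snapshots" response. The sample records, the function names, the 30-day lifetime threshold, and the treatment of a missing `expires` value as "no expiry" are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records using the documented response fields
# (id, name, key, external, externalUrl, expires, created).
SAMPLE_SNAPSHOTS = [
    {"id": 8, "name": "Home", "key": "YYYYYYY", "external": True,
     "externalUrl": "https://snapshots.example.invalid/YYYYYYY",
     "expires": "2025-12-08T12:21:52.949Z",
     "created": "2025-12-07T12:21:52.949Z"},
    {"id": 9, "name": "Capacity review", "key": "ZZZZZZZ", "external": False,
     "externalUrl": "", "expires": "2075-12-07T12:21:52.949Z",
     "created": "2025-12-07T12:21:52.949Z"},
    {"id": 10, "name": "Incident review", "key": "WWWWWWW", "external": False,
     "externalUrl": "", "expires": "2025-12-07T13:21:52.949Z",
     "created": "2025-12-07T12:21:52.949Z"},
]


def parse_timestamp(value):
    """Parse an ISO 8601 UTC timestamp as shown in the samples; None if absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_snapshots(snapshots, max_lifetime=timedelta(days=30)):
    """Return {snapshot id: [findings]} for snapshots that deserve review.

    Flags snapshots stored externally and snapshots whose lifetime
    (expires - created) is missing or longer than max_lifetime.
    The threshold is an assumption; set it to match your retention policy.
    """
    findings = {}
    for snap in snapshots:
        issues = []
        if snap.get("external"):
            issues.append("stored on an external server")
        created = parse_timestamp(snap.get("created"))
        expires = parse_timestamp(snap.get("expires"))
        if expires is None:
            issues.append("no expiry set")
        elif created is not None and expires - created > max_lifetime:
            issues.append("lifetime exceeds %d days" % max_lifetime.days)
        if issues:
            findings[snap["id"]] = issues
    return findings


if __name__ == "__main__":
    for snap_id, issues in audit_snapshots(SAMPLE_SNAPSHOTS).items():
        print(snap_id, "; ".join(issues))
```

Snapshots flagged by the audit can then be removed with the delete-by-key call documented further down this page.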
Gets Snapshot by Key.
| key required | string |
successful query
| meta | object |
| dashboard | object Dashboard. |
curl -X GET https://api.layerlog.com/v1/grafana/api/snapshots/YYYYYYY \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "meta": {
    "isSnapshot": true,
    "type": "snapshot",
    "canSave": true,
    "canEdit": true,
    "canStar": true,
    "slug": null,
    "expires": "2025-12-07T12:21:52.949Z",
    "created": "2025-12-07T12:21:52.949Z"
  },
  "dashboard": {
    "editable": true,
    "hideControls": true,
    "nav": [
      {
        "enable": true,
        "type": "timepicker"
      }
    ],
    "rows": [
      {}
    ],
    "style": "dark",
    "tags": [null],
    "templating": {
      "list": [null]
    },
    "time": {},
    "timezone": "browser",
    "title": "Home",
    "version": 5
  }
}
Deletes snapshot by Key.
| key required | string |
successful query
| message | string Message. |
| id | integer ID. |
curl -X DELETE https://api.layerlog.com/v1/grafana/api/snapshots/YYYYYYY \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "message": "Snapshot deleted. It might take an hour before it's cleared from any CDN caches.",
  "id": 1
}
Delete snapshot by deleteKey.
| deleteKey required | string |
successful query
| message | string Message. |
| id | integer ID. |
curl -X DELETE https://api.layerlog.com/v1/grafana/api/snapshots-delete/XXXXXX \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: <token>'

{
  "message": "Snapshot deleted. It might take an hour before it's cleared from any CDN caches.",
  "id": 1
}