
How to Use the Sumo Logic API

Sumo Logic

If you are new to Sumo, it is a log aggregation tool whose collected data can be used further for data representation, monitoring, analytics and much more. Splunk is a well-known industry product in the same market and is its main competitor.

Sumo Logic API

Apart from a very interactive GUI, Sumo Logic exposes APIs that let third-party scripts and applications access resources and log data, and that let you configure Sources via JSON.


How to use.

Authentication :  Sumo Logic accepts an Access ID and Access Key pair as HTTP Basic credentials, which can be supplied in two ways
  1. Access ID and Access Key handed to the client (curl -u does the Base64 encoding for you)
  2. Base64 encoded "accessId:accessKey" placed directly in an Authorization: Basic header
Both put the same value on the wire. In this post, we will cover point 1, that is authentication using the Access ID and Access Key.
First, let's generate an Access ID and Access Key pair.

Log in to your Sumo Logic account --> Expand the left navbar --> scroll down to the bottom and click your account name to expand it --> Preferences --> Add Access Key --> Generate and Save.

Now that you have the Access ID and Access Key, we will test authentication with them.

Before we proceed, you must know the API endpoint for your account, as it is used in every request. The endpoint depends on the deployment your account lives in (this post uses https://api.us2.sumologic.com, the US2 deployment); calling another deployment's endpoint will fail with 401 even when the credentials are valid.
So with the access credentials ready and the API endpoint known, the one-liner below can be used to authenticate against the Sumo Logic API.

Replace the Access ID, Access Key and API endpoint with your own. Don't worry if you get a 404 response, it's expected: the bare endpoint serves no resource, and what matters is that you do not get 401 Unauthorized. Keep in mind that credentials typed on the command line land in your shell history and are visible to other local users via ps, so for anything beyond a one-off test prefer curl's -n/.netrc option or read them from an environment variable.

curl -u "<accessId>:<accessKey>" -X GET <API Endpoint>

Expected response :  <title>Error 404 Not Found</title>


Sumo Logic Search JOB API

The Search Job API gives third-party scripts and applications access to your log data. It uses the same mandatory authentication described above, and the results can then be used as required.

Mandatory Requirements 

  • If you are familiar with searches in Sumo, you know that complex queries over large time ranges take longer than usual. Because of this, a search job does not return results synchronously: after submitting the job you must keep it alive by polling the status of the returned job ID. If it is not polled, a search job is cancelled after five minutes of inactivity.
  • Cookies must be enabled and sent back on every subsequent request to the Search Job API (the job creation response sets a session cookie that ties the later requests to the job).
  • Access ID and Access Key.
  • A valid API endpoint for your deployment.
  • A valid search request in JSON format.


Creating a Search Job using the API.
Create an empty JSON file (this post calls it mytest.json), paste the content below into it and replace the values with your own data.

{
          "query": "_collector=my_prod_collect_01 | count",
          "from": "2019-07-28T12:00:00",
          "to": "2019-07-28T13:10:00",
          "timeZone": "GMT"
}

query ( type : String )    -- Replace with your own Sumo Logic search query.
from ( type: String )      -- Replace with your start time in the format YYYY-MM-DDTHH:mm:ss (no timezone suffix; the timeZone field supplies it)
to ( type: String )        -- Replace with your end time in the format YYYY-MM-DDTHH:mm:ss
timeZone ( type: String )  -- Replace with the timezone the from/to values are expressed in (e.g. GMT, UTC, PST)

Use the one-liner below to submit the search and grab the search job ID. The -b/-c options read and write the cookie file so the session cookie set by this response is sent on the polling requests that follow.
curl -b cookies.txt -c cookies.txt -H 'Content-Type: application/json' -H 'Accept: application/json' -X POST --data @mytest.json --user "ACCESSID:ACCESSKEY" https://api.us2.sumologic.com/api/v1/search/jobs

Expected response

{
  "id": "1EE8BFBCD715",
  "link": {
    "rel": "self",
    "href":"https://api.us2.sumologic.com/api/v1/search/jobs/1EE8BFBCD715"
  }
}

Where "1EE8BFBCD715" is your search job ID. It is used to poll the job's status with the one-liner below; polling is what keeps the job alive, and once the state reaches "DONE GATHERING RESULTS" the actual results are fetched from the job's messages and records sub-resources.


curl -b cookies.txt -c cookies.txt -H 'Accept: application/json' --user "ACCESSID:ACCESSKEY" https://api.us2.sumologic.com/api/v1/search/jobs/1EE8BFBCD715

Expected Response (truncated; only the beginning of the status document is shown).

{
  "state": "DONE GATHERING RESULTS",
  "histogramBuckets": [
    {
      "startTimestamp": 1567663200000,
      "length": 3600000,
      "count": 7380
    },
  ...

The "state" field is what a script must check on every poll: keep polling while it is anything other than "DONE GATHERING RESULTS", and stop with an error if it becomes "CANCELLED".
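The whole procedure above (authenticate with the Access ID and Key, submit the job, keep polling it so it is not cancelled, fetch the aggregated records, then delete the job) as one script. This is an added example, not code from the original post or from Sumo Logic. It uses only the Python standard library, keeps the session cookie in a cookie jar as the Search Job API requires, reads credentials from environment variables (SUMO_ENDPOINT, SUMO_ACCESS_ID and SUMO_ACCESS_KEY are assumed names) instead of the command line, and pages through the job's /records sub-resource. FakeSumoOpener is a constructed stand-in for the API so the client can be exercised offline; the job ID and count it returns are the sample values from this post.

```python
"""Sumo Logic Search Job API client: create -> poll -> fetch records -> delete."""
import base64
import json
import os
import time
import urllib.request
from http.cookiejar import CookieJar

DONE = "DONE GATHERING RESULTS"


class SumoSearchClient:
    def __init__(self, endpoint, access_id, access_key, opener=None, sleep=time.sleep):
        self.endpoint = endpoint.rstrip("/")  # e.g. https://api.us2.sumologic.com
        # HTTP Basic auth: Base64("accessId:accessKey"), exactly what `curl -u` sends.
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
        self._headers = {"Authorization": "Basic " + token,
                         "Accept": "application/json",
                         "Content-Type": "application/json"}
        # The cookie jar is mandatory: job creation sets a session cookie that every
        # later poll must return. `opener` and `sleep` are injectable for offline tests.
        self._opener = opener or urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))
        self._sleep = sleep

    def _call(self, method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(self.endpoint + path, data=data,
                                     method=method, headers=self._headers)
        with self._opener.open(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}

    def create_job(self, query, start, end, time_zone="UTC"):
        """POST /api/v1/search/jobs; times are 'YYYY-MM-DDTHH:mm:ss' in time_zone."""
        job = self._call("POST", "/api/v1/search/jobs",
                         {"query": query, "from": start, "to": end, "timeZone": time_zone})
        return job["id"]

    def wait_for_job(self, job_id, poll_seconds=5, max_polls=120):
        """Poll the status until DONE; the polling itself keeps the job alive."""
        for _ in range(max_polls):
            status = self._call("GET", f"/api/v1/search/jobs/{job_id}")
            state = status.get("state")
            if state == DONE:
                return status
            if state in ("CANCELLED", "FORCE PAUSED"):
                raise RuntimeError(f"search job {job_id} ended in state {state!r}")
            self._sleep(poll_seconds)
        raise TimeoutError(f"search job {job_id} not done after {max_polls} polls")

    def records(self, job_id, limit=1000):
        """Page through /records (aggregate rows, e.g. the single row of '| count')."""
        offset, rows = 0, []
        while True:
            page = self._call("GET", f"/api/v1/search/jobs/{job_id}/records"
                                     f"?offset={offset}&limit={limit}")
            batch = [r["map"] for r in page.get("records", [])]
            rows.extend(batch)
            if len(batch) < limit:
                return rows
            offset += limit

    def delete_job(self, job_id):
        """DELETE the job so it does not linger server-side (empty response body)."""
        self._call("DELETE", f"/api/v1/search/jobs/{job_id}")


def run_search(client, query, start, end, time_zone="UTC"):
    """Full workflow; the job is deleted even if polling fails."""
    job_id = client.create_job(query, start, end, time_zone)
    try:
        client.wait_for_job(job_id)
        return client.records(job_id)
    finally:
        client.delete_job(job_id)


class _FakeResponse:
    def __init__(self, body):
        self._body = b"" if body is None else json.dumps(body).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeSumoOpener:
    """Constructed offline stand-in for the API: one POST, a job that is still
    'GATHERING RESULTS' on the first poll and done on the second, one records page."""
    def __init__(self):
        self.calls, self.polls = [], 0

    def open(self, req):
        method, url = req.get_method(), req.full_url
        self.calls.append((method, url))
        if method == "POST":
            body = {"id": "1EE8BFBCD715", "link": {"rel": "self", "href": url + "/1EE8BFBCD715"}}
        elif "/records" in url:
            body = {"fields": [{"name": "_count"}], "records": [{"map": {"_count": "7380"}}]}
        elif method == "DELETE":
            body = None
        else:  # status poll
            self.polls += 1
            body = {"state": "GATHERING RESULTS" if self.polls == 1 else DONE}
        return _FakeResponse(body)


if __name__ == "__main__":
    # Credentials from the environment, so they do not land in shell history or `ps`.
    client = SumoSearchClient(os.environ["SUMO_ENDPOINT"],
                              os.environ["SUMO_ACCESS_ID"], os.environ["SUMO_ACCESS_KEY"])
    print(run_search(client, "_collector=my_prod_collect_01 | count",
                     "2019-07-28T12:00:00", "2019-07-28T13:10:00", "GMT"))
```

Against a real account, set the three environment variables and run the script; against the fake, construct SumoSearchClient with opener=FakeSumoOpener() and sleep=lambda s: None. The poll loop is bounded by max_polls so a script never waits forever on a stuck job, and the finally block deletes the job whether or not the search succeeded.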

Try to post your queries, will try to help you with errors.

