Run query via Sumologic API

A Sumo Logic query can also be run via the API. Here is a bash example that I wrote to get the nginx access logs.

By default it searches the logs of the past 10 minutes, but you can override that by passing the number of minutes as a parameter.


Here is the script. It can also be found on my GitHub.


#!/bin/bash
# Sumo credential format username:password (the API also accepts accessId:accessKey).
# Read it from the environment instead of hard-coding it; curl --user still shows it
# in the process list, so on a shared host prefer a ~/.netrc entry.
SUMOACCESS="${SUMOACCESS:?set SUMOACCESS=username:password}"

# Search Job API base URL (not in the original post). api.sumologic.com is the US1
# deployment; other deployments use their own host, e.g. api.au.sumologic.com.
SUMO_API="${SUMO_API:-https://api.sumologic.com/api/v1/search/jobs}"

# Default 10 minutes; pass a number of minutes as the first argument to override
TIME="${1:-10}"

# Wait interval in seconds between status polls (value not given in the original; 5 assumed)
WAITFOR="${WAITFOR:-5}"

# Setup time range (GNU date; %R is %H:%M)
FROM_TIME=$(date "+%Y-%m-%dT%R:%S" -d "$TIME min ago")
TO_TIME=$(date "+%Y-%m-%dT%R:%S")

# Check proxy (the original assumes http_proxy holds a host name without a port)
PROXY=""
if [ -n "${http_proxy:-}" ]; then
  echo "Found proxy"
  PROXY="-x ${http_proxy}:80"
fi

# Current time
/bin/date +%D-%R

# Generate search file. jq does the JSON escaping, so the quotes and backslashes in
# the parse pattern survive intact (in a plain heredoc they would have to be escaped twice).
QUERY='_sourceCategory=my-nginx-access | parse "* - - [*] \"*\" * *" as client, timestamp, request, response, size'
jq -n --arg q "$QUERY" --arg from "$FROM_TIME" --arg to "$TO_TIME" \
  '{query: $q, from: $from, to: $to, timeZone: "Australia/Sydney"}' > search.json

echo "Searching log in the past $TIME minutes... "
# The same cookie jar must be sent on every call: the search job is tied to the session
job_id=$(curl $PROXY -s -b cookies.txt -c cookies.txt -H 'Content-type: application/json' -H 'Accept: application/json' \
  -X POST --data @search.json --user "$SUMOACCESS" "$SUMO_API" | jq -r .id)
if [ -z "$job_id" ] || [ "$job_id" = "null" ]; then
  echo "Failed to create search job" >&2
  exit 1
fi

job_status=""
while [ "${job_status}" != "DONE GATHERING RESULTS" ]; do
  sleep "$WAITFOR"
  echo "search job status is ${job_status}"
  job_status=$(curl $PROXY -s -b cookies.txt -c cookies.txt -H 'Accept: application/json' --user "$SUMOACCESS" "${SUMO_API}/${job_id}" | jq -r .state)
  # Stop polling if Sumo cancelled the job rather than looping forever
  if [ "${job_status}" = "CANCELLED" ]; then
    echo "Search job was cancelled" >&2
    exit 1
  fi
done

echo "Generating search result..."
# limit=1000 returns only the first page of messages; raise offset to fetch the rest
curl $PROXY -s -b cookies.txt -c cookies.txt -H 'Accept: application/json' --user "$SUMOACCESS" "${SUMO_API}/${job_id}/messages?offset=0&limit=1000" -o results
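Once the `results` file is on disk, the next step is usually a quick triage of the parsed fields. The Python below is an added example, not part of the original post; it assumes the Search Job API message shape `{"messages": [{"map": {...}}]}` with the fields named in the parse statement (client, timestamp, request, response, size), counts responses per status code, flags clients producing repeated 4xx/5xx, and lists the offsets needed to page past the 1000-message limit the script fetches.

```python
"""Triage a Sumo Logic search-job `results` file (added example, constructed sample)."""
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of GET .../search/jobs/{id}/messages output.
SAMPLE_RESULTS = json.dumps({
    "messages": [
        {"map": {"client": "203.0.113.5", "timestamp": "10/Mar/2016:10:01:02 +1100",
                 "request": "GET /index.html HTTP/1.1", "response": "200", "size": "512"}},
        {"map": {"client": "203.0.113.5", "timestamp": "10/Mar/2016:10:01:03 +1100",
                 "request": "GET /login HTTP/1.1", "response": "404", "size": "162"}},
        {"map": {"client": "203.0.113.5", "timestamp": "10/Mar/2016:10:01:04 +1100",
                 "request": "GET /admin/ HTTP/1.1", "response": "404", "size": "162"}},
        {"map": {"client": "198.51.100.7", "timestamp": "10/Mar/2016:10:02:00 +1100",
                 "request": "POST /api/v1/orders HTTP/1.1", "response": "500", "size": "0"}},
        {"map": {"client": "198.51.100.7", "timestamp": "10/Mar/2016:10:02:01 +1100",
                 "request": "GET /index.html HTTP/1.1", "response": "200", "size": "512"}},
    ]
})

def page_offsets(message_count, limit=1000):
    """Offsets to request so every message is read; the script above stops at offset 0."""
    return list(range(0, message_count, limit))

def summarize(results_json):
    """Count responses per status code and per client, and record which paths errored."""
    messages = json.loads(results_json)["messages"]
    by_status = Counter()
    errors_by_client = Counter()
    error_paths = defaultdict(set)
    for m in messages:
        fields = m["map"]
        status = fields.get("response", "")
        by_status[status] += 1
        if status.startswith(("4", "5")):
            parts = fields["request"].split()        # "GET /login HTTP/1.1" -> path is parts[1]
            path = parts[1] if len(parts) > 1 else fields["request"]
            errors_by_client[fields["client"]] += 1
            error_paths[fields["client"]].add(path)
    return {"by_status": dict(by_status),
            "errors_by_client": dict(errors_by_client),
            "error_paths": {c: sorted(p) for c, p in error_paths.items()}}

def noisy_clients(summary, threshold=2):
    """Clients with at least `threshold` error responses in the window."""
    return sorted(c for c, n in summary["errors_by_client"].items() if n >= threshold)

if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(json.dumps(s, indent=2))
    print("clients at or above error threshold:", noisy_clients(s))
```

To run it against a real fetch, replace `SAMPLE_RESULTS` with `open("results").read()`.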

