Log Monitoring API - POST ingest logs
Pushes custom logs to Dynatrace.
This endpoint requires an ActiveGate with the Log analytics collector module enabled. This module is enabled by default on all of your ActiveGates.
The request consumes one of the following payload types:
text/plain—limited to a single log event.application/json—supports multiple log events in a single payload.
Be sure to set the correct Content-Type header and encode payload with UTF-8: application/json; charset=utf-8.
POST |
|
Authentication
To execute this request, you need the Ingest logs (logs.ingest) permission assigned to your API token. To learn how to obtain and use it, see Tokens and authentication.
Parameters
| Parameter | Type | Description | In | Required |
|---|---|---|---|---|
| body | Log | The body of the request. Contains one or more log events to be ingested. The endpoint accepts one of the following payload types, defined by the Accept header:
| body | optional |
Request body objects
The LogMessageJson object
The log message in JSON format. Use one object representing a single event or an array of objects representing multiple events.
The object might contain the following types of case-insensitive keys (the possible key values are listed below):
- Timestamp:
- The earliest timestamp for a log event is the current time minus 24 hours. If the log event contains a timestamp earlier than the current time minus 24 hours, the event is dropped, and the generic log ingestion API returns a
400response code. - The latest timestamp for a log event is the current time plus 12 hours. If the log event contains a timestamp later than the current time plus 12 hours, the event is dropped, and the generic log ingestion API returns a
400response code. - The following formats are supported: UTC milliseconds, RFC3339, and RFC3164. For the missing timestamp, the current timestamp is used. For the unsupported timestamp format, the current timestamp is used, and the value of the unsupported timestamp format is stored in the not indexed
unparsed_timestampattribute.
- The earliest timestamp for a log event is the current time minus 24 hours. If the log event contains a timestamp earlier than the current time minus 24 hours, the event is dropped, and the generic log ingestion API returns a
- Severity. If not set,
NONEis used. - Content. If the content key is not set, the whole JSON is parsed as the content.
- Semantic attribute. Only values of the
Stringtype are supported. Semantic attributes are indexed and can be used in queries. These are also displayed in aggregations (facets). If an unsupported key occurs, it is not indexed and can't be used in indexing and aggregations.
The object value can be a single constant or, in case of semantic attribute, an array of constants. The length of the value is limited. Any content exceeding the limit is trimmed. Default limits:
- Attributes: up to 50 attributes.
- Content: 8,192 bytes.
- Semantic attribute: 250 bytes per value, up to 32 attribute values
Supported timestamp keys:
- @timestamp
- _timestamp
- date
- eventtime
- published_date
- syslog.timestamp
- timestamp
Supported content keys:
- body
- content
- message
- payload
Supported severity keys:
- level
- loglevel
- severity
- status
- syslog.severity
Supported semantic attribute keys:
- audit.action
- audit.identity
- audit.result
- aws.account.id
- aws.arn
- aws.log_group
- aws.log_stream
- aws.region
- aws.resource.id
- aws.resource.type
- aws.service
- azure.location
- azure.resource.group
- azure.resource.id
- azure.resource.name
- azure.resource.type
- azure.subscription
- cloud.account.id
- cloud.availability_zone
- cloud.provider
- cloud.region
- container.image.name
- container.image.tag
- container.name
- db.cassandra.keyspace
- db.connection_string
- db.hbase.namespace
- db.jdbc.driver_classname
- db.mongodb.collection
- db.mssql.instance_name
- db.name
- db.operation
- db.redis.database_index
- db.statement
- db.system
- db.user
- device.address
- dt.active_gate.group.name
- dt.active_gate.id
- dt.code.filepath
- dt.code.func
- dt.code.lineno
- dt.code.ns
- dt.ctg.calltype
- dt.ctg.extendmode
- dt.ctg.gatewayurl
- dt.ctg.program
- dt.ctg.rc
- dt.ctg.requesttype
- dt.ctg.serverid
- dt.ctg.termid
- dt.ctg.transid
- dt.ctg.userid
- dt.entity.cloud_application
- dt.entity.cloud_application_instance
- dt.entity.cloud_application_namespace
- dt.entity.container_group
- dt.entity.container_group_instance
- dt.entity.custom_device
- dt.entity.host
- dt.entity.kubernetes_cluster
- dt.entity.kubernetes_node
- dt.entity.process_group
- dt.entity.process_group_instance
- dt.event.group_label
- dt.event.key
- dt.events.root_cause_relevant
- dt.exception.messages
- dt.exception.serialized_stacktraces
- dt.exception.types
- dt.extension.config.id
- dt.extension.ds
- dt.extension.name
- dt.extension.status
- dt.host.ip
- dt.host.smfid
- dt.host.snaid
- dt.host_group.id
- dt.http.application_id
- dt.http.context_root
- dt.kubernetes.cluster.id
- dt.kubernetes.cluster.name
- dt.kubernetes.config.id
- dt.kubernetes.event.involved_object.kind
- dt.kubernetes.event.involved_object.name
- dt.kubernetes.event.reason
- dt.kubernetes.node.name
- dt.kubernetes.node.system_uuid
- dt.kubernetes.topmost_controller.kind
- dt.kubernetes.workload.kind
- dt.kubernetes.workload.name
- dt.network_zone.id
- dt.os.description
- dt.os.type
- dt.process.commandline
- dt.process.executable
- dt.process.name
- dt.source_entity
- dt.source_entity_name
- dt.source_entity_type
- faas.id
- faas.instance
- faas.name
- faas.version
- gcp.instance.id
- gcp.instance.name
- gcp.project.id
- gcp.region
- gcp.resource.type
- host.hostname
- host.id
- host.image.id
- host.image.name
- host.image.version
- host.name
- host.type
- http.client_ip
- http.flavor
- http.host
- http.method
- http.route
- http.scheme
- http.server_name
- http.status_code
- http.status_text
- http.target
- http.url
- k8s.cluster.name
- k8s.container.name
- k8s.cronjob.name
- k8s.cronjob.uid
- k8s.daemonset.name
- k8s.daemonset.uid
- k8s.deployment.name
- k8s.deployment.uid
- k8s.job.name
- k8s.job.uid
- k8s.namespace.name
- k8s.pod.name
- k8s.pod.uid
- k8s.replicaset.name
- k8s.replicaset.uid
- k8s.statefulset.name
- k8s.statefulset.uid
- log.source
- net.host.ip
- net.host.name
- net.host.port
- net.peer.ip
- net.peer.name
- net.peer.port
- net.transport
- process.technology
- service.instance.id
- service.name
- service.namespace
- service.version
- snmp.trap_oid
- span_id
- trace_id
- winlog.eventid
- winlog.level
- winlog.opcode
- winlog.provider
- winlog.task
The object doesn't provide any parameters.
Request body JSON model
This is a model of the request body, showing the possible elements. It has to be adjusted for usage in an actual request.
[
{
"content": "Exception: Custom error log sent via Generic Log Ingest",
"log.source": "/var/log/syslog",
"timestamp": "2022-01-17T22:12:31.0000",
"severity": "error",
"custom.attribute": "attribute value"
},
{
"content": "Exception: Custom error log sent via Generic Log Ingest",
"log.source": "/var/log/syslog",
"timestamp": "2022-01-17T22:12:35.0000"
},
{
"content": "Exception: Custom error log sent via Generic Log Ingest",
"log.source": "/var/log/syslog"
},
{
"content": "Exception: Custom error log sent via Generic Log Ingest"
}
]Response
Response codes
| Code | Type | Description |
|---|---|---|
| 200 | Success | Only a part of input events were ingested due to event size limits or JSON parsing issues. |
| 204 | Success. Response doesn't have a body. | |
| 400 | ErrorEnvelope | Failed. The input is invalid. |
| 402 | ErrorEnvelope | Failed. You can't add more logs to the storage, because you are out of Davis Data Units (DDU). Purchase additional DDUs. |
| 404 | ErrorEnvelope | Failed. The requested resource doesn't exist. This may happen when no ActiveGate is available with the Log Analytics Collector module enabled. |
| 413 | ErrorEnvelope | Failed. Request payload size is too big. This may happen when the payload byte size exceeds the limit or when the ingested payload is a JSON array with the size exceeding the limit. |
| 429 | ErrorEnvelope | Failed. Too Many Requests. This happens when log ingest is disabled. |
| 501 | ErrorEnvelope | Failed. The server either does not recognize the request method, or it lacks the ability to fulfil the request. May happen when indexed log storage is not enabled. |
Response body objects
The SuccessEnvelope object
| Element | Type | Description |
|---|---|---|
| details | Success | - |
The Success object
| Element | Type | Description |
|---|---|---|
| code | integer | The HTTP status code |
| message | string | Detailed message |
Response body JSON model
{
"details": {
"code": 1,
"message": "string"
}
}