{
"log_ingest_config": {
"created_at": "2023-11-07T05:31:56Z",
"field_normalization": {
"custom_field_normalization": [
{
"normalization": {
"default_value": "<string>",
"sanitize_patterns": [
"<string>"
],
"source": [
{
"selector": "<string>"
}
],
"value_map": {}
},
"target": "<string>"
}
],
"message": {
"default_value": "<string>",
"sanitize_patterns": [
"<string>"
],
"source": [
{
"selector": "<string>"
}
],
"value_map": {}
},
"primary_key": {
"normalization": {
"default_value": "<string>",
"sanitize_patterns": [
"<string>"
],
"source": [
{
"selector": "<string>"
}
],
"value_map": {}
},
"target": "<string>"
},
"severity": {
"default_value": "<string>",
"sanitize_patterns": [
"<string>"
],
"source": [
{
"selector": "<string>"
}
],
"value_map": {}
},
"timestamp": {
"source": [
{
"selector": "<string>"
}
]
}
},
"field_parsers": [
{
"destination": {
"selector": "<string>"
},
"mode": "ENABLED",
"parser": {
"key_value_parser": {
"delimiter": "<string>",
"pair_separator": "<string>",
"trim_set": "<string>"
},
"parser_type": "JSON",
"regex_parser": {
"regex": "<string>"
}
},
"source": {
"selector": "<string>"
}
}
],
"plaintext_parsers": [
{
"keep_original": true,
"mode": "ENABLED",
"name": "<string>",
"parser": {
"key_value_parser": {
"delimiter": "<string>",
"pair_separator": "<string>",
"trim_set": "<string>"
},
"parser_type": "JSON",
"regex_parser": {
"regex": "<string>"
}
}
}
],
"updated_at": "2023-11-07T05:31:56Z"
}
}
Chronosphere API token
If true, validates the specified configuration without creating the LogIngestConfig. If the specified configuration is valid, the endpoint returns a partial response without the LogIngestConfig. If the specified configuration is invalid, the endpoint returns an error.
The LogIngestConfig to create.
Maps and normalizes well-known fields from parsed logs.
Maps additional custom fields from your logs. These will not be indexed. Use these for any other fields you want to normalize, such as environment, region, or user ID.
The normalization configuration for this field.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Optional mapping to normalize values. For example: {"warn": "WARNING", "err": "ERROR"} to standardize severity levels.
The name of the target field where the normalized value will be stored.
Maps the main message field from your logs. This is typically the human-readable description of the log event.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Maps the primary identifier field from your logs (e.g., service name, application name). The mapped value will be indexed and can be used for filtering and grouping. Currently this is limited to the "service" field.
The normalization configuration for this field.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Optional mapping to normalize values. For example: {"warn": "WARNING", "err": "ERROR"} to standardize severity levels.
The name of the target field where the normalized value will be stored.
Maps severity or log level fields (e.g., ERROR, WARN, INFO, DEBUG). Use value mapping to normalize different severity formats across your logs.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Maps timestamp fields from your logs to ensure consistent time ordering. The system will try each specified field in order until a valid timestamp is found.
List of field paths to check for timestamp values, in priority order. Common fields include "timestamp", "@timestamp", "time", "datetime".
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
The parsers to apply to specific fields within structured logs or plaintext logs after those logs are parsed.
The destination field for storing parsed structured data. If the specified key already exists, its value is overwritten. If this value is unset, the log is updated at the root level and any conflicting keys are overwritten.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Specifies whether the field parser is enabled or disabled. Allowed values: ENABLED, DISABLED.
The parser to apply to the source field.
A parser to extract key/value pairs from a string. If duplicate keys are found, the first instance is used.
The string for splitting the input into key/value pairs.
The string for splitting each pair into its key and value.
Specifies the code points of any Unicode characters to trim from the beginning and end of keys and values.
The type of parser to use. Allowed values: JSON, REGEX, KEY_VALUE.
This object contains settings relevant to REGEX parsers.
The regular expression parser pattern to apply. Must use RE2 syntax. Named capturing groups become named fields in the extracted log.
The parsers to apply to plaintext logs. The first parser that matches the log is used.
If true, the original log is retained after parsing and stored in the key plaintext_log. If false, the original log is dropped after parsing. Default value: false.
Specifies whether the parser is enabled or disabled. Allowed values: ENABLED, DISABLED.
The name of the parser. Must be unique within the configuration.
The parser configuration to apply to plaintext logs.
A parser to extract key/value pairs from a string. If duplicate keys are found, the first instance is used.
The string for splitting the input into key/value pairs.
The string for splitting each pair into its key and value.
Specifies the code points of any Unicode characters to trim from the beginning and end of keys and values.
The type of parser to use. Allowed values: JSON, REGEX, KEY_VALUE.
This object contains settings relevant to REGEX parsers.
The regular expression parser pattern to apply. Must use RE2 syntax. Named capturing groups become named fields in the extracted log.
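A client-side pre-flight check for three constraints stated above (exactly one capturing group per sanitize pattern, unique plaintext parser names, RE2-only regex parser patterns), as an added example that is not Chronosphere code. The function names, the sample configuration, and the use of Python's re module as a stand-in for the service's regex engine are assumptions.

```python
import re

def check_patterns(path, norm, errors):
    # Page rule: every sanitize pattern has exactly one capturing group.
    # Python's re stands in for the service's regex engine (assumption).
    for i, pat in enumerate(norm.get("sanitize_patterns", [])):
        try:
            groups = re.compile(pat).groups
        except re.error as exc:
            errors.append(f"{path}.sanitize_patterns[{i}]: does not compile ({exc})")
            continue
        if groups != 1:
            errors.append(f"{path}.sanitize_patterns[{i}]: {groups} capturing groups, need 1")

def check_parser(path, entry, errors):
    regex = entry.get("parser", {}).get("regex_parser", {}).get("regex", "")
    # Heuristic only: RE2 has no lookaround and no backreferences.
    if re.search(r"\(\?<?[=!]|\\[1-9]", regex):
        errors.append(f"{path}.parser.regex_parser.regex: lookaround/backreference is not RE2")

def lint(cfg):
    errors = []
    fn = cfg.get("field_normalization", {})
    norms = {k: fn.get(k, {}) for k in ("message", "severity")}
    norms["primary_key"] = fn.get("primary_key", {}).get("normalization", {})
    for i, item in enumerate(fn.get("custom_field_normalization", [])):
        norms[f"custom_field_normalization[{i}]"] = item.get("normalization", {})
    for key, norm in norms.items():
        check_patterns(f"field_normalization.{key}", norm, errors)
    for i, fp in enumerate(cfg.get("field_parsers", [])):
        check_parser(f"field_parsers[{i}]", fp, errors)
    seen = set()
    for i, pp in enumerate(cfg.get("plaintext_parsers", [])):
        check_parser(f"plaintext_parsers[{i}]", pp, errors)
        if pp.get("name") in seen:  # names must be unique within the configuration
            errors.append(f"plaintext_parsers[{i}].name: duplicate {pp.get('name')!r}")
        seen.add(pp.get("name"))
    return errors

# Constructed sample (not from the page) with three deliberate violations.
SAMPLE = {
    "field_normalization": {"severity": {"sanitize_patterns": ["^(\\w+)=(\\w+)$"]}},
    "plaintext_parsers": [
        {"name": "app", "parser": {"parser_type": "REGEX",
                                   "regex_parser": {"regex": "^(?P<ts>\\S+) (?=ERR)"}}},
        {"name": "app", "parser": {"parser_type": "JSON"}},
    ],
}
```

Pass the inner log_ingest_config object to lint(); an empty list means none of the three checks fired, which complements rather than replaces the server-side dry-run validation.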
A successful response containing the created LogIngestConfig.
LogIngestConfig is a singleton configuration object that specifies the configuration for log ingest.
Timestamp of when the LogIngestConfig was created. Cannot be set by clients.
Maps and normalizes well-known fields from parsed logs.
Maps additional custom fields from your logs. These will not be indexed. Use these for any other fields you want to normalize, such as environment, region, or user ID.
The normalization configuration for this field.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Optional mapping to normalize values. For example: {"warn": "WARNING", "err": "ERROR"} to standardize severity levels.
The name of the target field where the normalized value will be stored.
Maps the main message field from your logs. This is typically the human-readable description of the log event.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Maps the primary identifier field from your logs (e.g., service name, application name). The mapped value will be indexed and can be used for filtering and grouping. Currently this is limited to the "service" field.
The normalization configuration for this field.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Optional mapping to normalize values. For example: {"warn": "WARNING", "err": "ERROR"} to standardize severity levels.
The name of the target field where the normalized value will be stored.
Maps severity or log level fields (e.g., ERROR, WARN, INFO, DEBUG). Use value mapping to normalize different severity formats across your logs.
Default value to use when no source fields contain values.
Optional regex patterns to extract and sanitize values. Each pattern must have exactly one capturing group that will be used as the result. For example: "^.level=([A-Z]+).$" to extract log level from a string.
List of field paths to check for values, in priority order. The first non-empty value found will be used.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Maps timestamp fields from your logs to ensure consistent time ordering. The system will try each specified field in order until a valid timestamp is found.
List of field paths to check for timestamp values, in priority order. Common fields include "timestamp", "@timestamp", "time", "datetime".
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
The parsers to apply to specific fields within structured logs or plaintext logs after those logs are parsed.
The destination field for storing parsed structured data. If the specified key already exists, its value is overwritten. If this value is unset, the log is updated at the root level and any conflicting keys are overwritten.
The log filter used to indicate the field path. Use parent[child] syntax to indicate nesting.
Specifies whether the field parser is enabled or disabled. Allowed values: ENABLED, DISABLED.
The parser to apply to the source field.
A parser to extract key/value pairs from a string. If duplicate keys are found, the first instance is used.
The string for splitting the input into key/value pairs.
The string for splitting each pair into its key and value.
Specifies the code points of any Unicode characters to trim from the beginning and end of keys and values.
The type of parser to use. Allowed values: JSON, REGEX, KEY_VALUE.
This object contains settings relevant to REGEX parsers.
The regular expression parser pattern to apply. Must use RE2 syntax. Named capturing groups become named fields in the extracted log.
The parsers to apply to plaintext logs. The first parser that matches the log is used.
If true, the original log is retained after parsing and stored in the key plaintext_log. If false, the original log is dropped after parsing. Default value: false.
Specifies whether the parser is enabled or disabled. Allowed values: ENABLED, DISABLED.
The name of the parser. Must be unique within the configuration.
The parser configuration to apply to plaintext logs.
A parser to extract key/value pairs from a string. If duplicate keys are found, the first instance is used.
The string for splitting the input into key/value pairs.
The string for splitting each pair into its key and value.
Specifies the code points of any Unicode characters to trim from the beginning and end of keys and values.
The type of parser to use. Allowed values: JSON, REGEX, KEY_VALUE.
This object contains settings relevant to REGEX parsers.
The regular expression parser pattern to apply. Must use RE2 syntax. Named capturing groups become named fields in the extracted log.
Timestamp of when the LogIngestConfig was last updated. Cannot be set by clients.