You can use NerdGraph at api.newrelic.com/graphiql to create, query, and manage your parsing rules for logs. NerdGraph is our GraphQL-format API explorer.
Data parsing schema
Available parsing rule fields include:
Fields | Description |
---|---|
| Unique data parsing identifier. |
| The name of the parsing rule. |
| A description of what this parsing rule represents. |
| The Grok pattern for this parsing rule. For example, you can include the |
| The search value used from the New Relic UI; for example, |
| The New Relic account ID for the user. |
| The NRQL query string used for queries, if applicable; for example: |
| The user who created the rule. Optional: You can also include |
| The user who last updated the rule. Optional: You can also include |
| Whether or not this parsing rule is enabled. |
| Whether or not this parsing rule has been deleted. Deleting a parsing rule does not delete the already routed logs. |
Example query of log parsing rules
This NerdGraph API request example gets all of the parsing rules for a given account. In this example, all of the available fields are requested.
```graphql
query {
  actor {
    account(id: YOUR_ACCOUNT_ID) {
      logConfigurations {
        parsingRules {
          accountId
          createdBy {
            email
            gravatar
            id
            name
          }
          deleted
          description
          enabled
          grok
          id
          lucene
          nrql
          updatedAt
          updatedBy {
            email
            gravatar
            id
            name
          }
        }
      }
    }
  }
}
```
The response returned will look similar to this:
```json
{
  "data": {
    "actor": {
      "account": {
        "id": 12345678,
        "logConfigurations": {
          "parsingRules": [
            {
              "accountId": 12345678,
              "createdBy": {
                "email": "myname@ncompany.com",
                "gravatar": "https://secure.gravatar.com/avatar/d0a88888888d666d111111111111111f",
                "id": 7777777,
                "name": "My Name"
              },
              "deleted": false,
              "description": "Integer Test",
              "enabled": true,
              "grok": "source=%{NUMBER:test:int}",
              "id": "123",
              "lucene": ,
              "nrql": "SELECT * FROM Log WHERE `logtype` = 'integer'",
              "updatedAt": "2021-08-23T17:25:06.553Z[UTC]",
              "updatedBy": {
                "email": "myname@ncompany.com",
                "gravatar": "https://secure.gravatar.com/avatar/d0a88888888d666d111111111111111f",
                "id": 7777777,
                "name": "My Name"
              }
            }
            ...
```
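Because parsing rules decide which attributes are extracted from log lines, a changed, disabled or deleted rule can silently alter what downstream queries see. The following is an added example, not part of New Relic's documentation: it audits a response of the shape shown above against a reviewed baseline. The function name, the `BASELINE` contents and the sample response are constructed for illustration.

```python
# Constructed sample in the shape of the parsingRules response shown above.
def _rule(rule_id, grok, enabled=True, deleted=False, by="myname@ncompany.com"):
    return {"id": rule_id, "grok": grok, "enabled": enabled, "deleted": deleted,
            "updatedAt": "2021-08-23T17:25:06.553Z[UTC]",
            "updatedBy": {"email": by}}

SAMPLE_RESPONSE = {"data": {"actor": {"account": {"logConfigurations": {"parsingRules": [
    _rule("123", "source=%{NUMBER:test:int}"),
    _rule("124", "user=%{WORD:user}", enabled=False, by="other@example.com"),
    _rule("125", "ip=%{IP:client}"),
    _rule("126", "status=%{NUMBER:status:int}", deleted=True),
]}}}}}

# Hypothetical reviewed baseline (e.g. kept in version control): id -> expected fields.
BASELINE = {
    "123": {"grok": "source=%{NUMBER:test:int}", "enabled": True},
    "124": {"grok": "user=%{USERNAME:user}", "enabled": True},
    "126": {"grok": "status=%{NUMBER:status:int}", "enabled": True},
}

# Fields whose change alters which logs are matched or how they are parsed.
TRACKED = ("grok", "lucene", "nrql", "enabled")

def audit_parsing_rules(response, baseline):
    """Return (rule_id, finding, last_updated_by) tuples, ordered by rule id."""
    account = response["data"]["actor"]["account"]
    live = {r["id"]: r for r in account["logConfigurations"]["parsingRules"]}
    findings = []
    for rule_id in sorted(set(live) | set(baseline)):
        rule, expected = live.get(rule_id), baseline.get(rule_id)
        who = ((rule or {}).get("updatedBy") or {}).get("email", "unknown")
        if rule is None or rule.get("deleted"):
            if expected is not None:  # a baselined rule has disappeared
                findings.append((rule_id, "missing-or-deleted", who))
            continue
        if expected is None:  # live rule nobody reviewed
            findings.append((rule_id, "not-in-baseline", who))
            continue
        for field in TRACKED:  # only compare fields the baseline pins
            if field in expected and rule.get(field) != expected[field]:
                findings.append((rule_id, f"{field}-changed", who))
    return findings

if __name__ == "__main__":
    for finding in audit_parsing_rules(SAMPLE_RESPONSE, BASELINE):
        print(finding)
```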
Create parsing rules
This example creates a new log parsing rule. Before creating the rule, be sure to review the documentation about log parsing and built-in parsing rules.
```graphql
mutation {
  logConfigurationsCreateParsingRule(
    accountId: YOUR_ACCOUNT_ID
    rule: {
      description: "example parsing rule"
      enabled: false
      grok: "sampleattribute=%{NUMBER:test:int}"
      lucene: "logtype:testLogs"
      nrql: "SELECT * FROM Log WHERE `logtype` = 'testLogs'"
    }
  ) {
    rule {
      id
      enabled
      description
      grok
    }
    errors {
      message
      type
    }
  }
}
```
Update parsing rules
This example updates the parsing rule whose `id` is `"123"`. You can update any of the following fields as needed: `description`, `enabled`, `grok`, `lucene`, and `nrql`.
```graphql
mutation {
  logConfigurationsUpdateParsingRule(
    accountId: YOUR_ACCOUNT_ID
    rule: {
      description: "example parsing rule"
      enabled: false
      grok: "sampleattribute=%{NUMBER:test:int}"
      lucene: "logtype:testLogs"
      nrql: "SELECT * FROM Log WHERE `logtype` = 'testLogs'"
    }
    id: "123"
  ) {
    errors {
      message
      type
    }
    rule {
      id
      grok
      description
      enabled
    }
  }
}
```
Delete parsing rules
Deleting a parsing rule doesn't delete data that has already been parsed. The data is retained for a given period of time defined by the `retentionPolicy` field.
```graphql
mutation {
  logConfigurationsDeleteParsingRule(accountId: YOUR_ACCOUNT_ID, id: "123") {
    errors {
      message
      type
    }
  }
}
```