Ingesting Raw Data

This endpoint should be used, when you are not in control of the request body, such as in the case of calling LogScale via a callback from another system.

http
POST /api/v1/ingest/raw

The body of the HTTP request will be interpreted as a single event, and parsed using the parser attached to the accompanying ingest token. Unless the parser created generates a @timestamp field, the @timestamp of the resulting event will equal @ingesttimestamp.

Note

This endpoint is not suited for ingesting a large number of events, and its usage should be restricted to relatively infrequent calls.

Example

When ingesting raw data, you can choose to authenticate by attaching your ingest token to the header:

Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw \
    -H "Authorization: Bearer $INGEST_TOKEN" \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw \
    -H "Authorization: Bearer $INGEST_TOKEN" \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw ^
    -H "Authorization: Bearer $INGEST_TOKEN" ^
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $INGEST_TOKEN"
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
    "$YOUR_LOGSCALE_URL/api/v1/ingest/raw"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw';

my $json = 'My raw Message generated at "2016-06-06T12:00:00+02:00"';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $INGEST_TOKEN");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw'
mydata = r'''My raw Message generated at "2016-06-06T12:00:00+02:00"'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $INGEST_TOKEN"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    My raw Message generated at "2016-06-06T12:00:00+02:00"
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/api/v1/ingest/raw',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN ^
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
Windows Powershell and curl
powershell
curl.exe -X POST 
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
    "$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN';

my $json = 'My raw Message generated at "2016-06-06T12:00:00+02:00"';
my $req = HTTP::Request->new("POST", $uri );



$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN'
mydata = r'''My raw Message generated at "2016-06-06T12:00:00+02:00"'''

resp = requests.post(url,
                     data = mydata,
                     headers = {}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    My raw Message generated at "2016-06-06T12:00:00+02:00"
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Important

When passing the ingest token as part of the URL, the token should not be considered as secret, as it may be logged in LogScale or in any proxy servers which process the request. Thus, CrowdStrike strongly recommends that you authenticate through the request header if possible.