Ingesting Structured Data
This API should be used when the data is already structured and you control how it is formatted in the client. Examples include:
- Security logs: structured security events with fields such as username, action, results, and ip_address.
- Application logs: structured data with fields such as response_time, request_id, status_code, and endpoint.
- Operational metrics: logs from infrastructure with structured fields such as cpu_usage, memory_usage, and disk_io.
Structured data is normally JSON and is parsed by this endpoint automatically. Where some JSON values are themselves free text, you can attach a parser (including a custom one) to the ingest token the client uses, so those fields are broken out further at ingest time. The alternative is to leave the value as-is and pull pieces out with regular-expression matching at query time, which is simpler but costs work on every search. The following object, for example, is valid JSON but carries its interesting values inside strings:
{
"cpu_info": "14:00 up 4 days, 2:48, 5 users, load averages: 1.83 2.00 2.32",
"mem_info": "PhysMem: 15G used (1664M wired, 2712M compressor), 478M unused."
}
Event data is posted to the endpoint, authenticated with an appropriate Ingest Token. The token is a bearer credential, so send it over HTTPS only: anyone who captures it can write arbitrary events into the repository.
POST /api/v1/ingest/humio-structured
The event data has a JSON format described in the next section, and tag metadata can be added for greater querying efficiency.
Events
When sending a request, you can set the following standard fields:
Name | Required | Description
---|---|---
timestamp | yes | The event time, in one of two formats: an ISO 8601 string with a UTC offset (for example 2016-06-06T12:00:00+02:00), or an integer number of milliseconds since the Unix epoch, in UTC.
timezone | no | Only meaningful when the timestamp is given as an integer. It names the local timezone of the event (for example Europe/Copenhagen); the timestamp itself must still be the integer UTC value.
attributes | no | A JSON object of key-value pairs that become user fields on ingestion, making the event easier to search. Nested objects are allowed, but CrowdStrike recommends limiting the amount of nesting.
rawstring | no | The raw text of the event, stored as @rawstring on ingestion. If rawstring is omitted, @rawstring is set to a JSON representation of the attributes object.
tags | no | Metadata that helps with querying, performance, and storage efficiency. Tags are set once per group of events in the request body, next to the events array, and each becomes a #tagname field (for example #host) on ingestion.
Below are some examples of events. Note that an integer timestamp is read as milliseconds, so a ten-digit seconds value such as 1466105321 lands in January 1970; multiply seconds by 1000 before sending.
{
"timestamp": "2016-06-06T12:00:00+02:00",
"attributes": {
"key1": "value1",
"key2": "value2"
}
}
{
"timestamp": 1466105321,
"attributes": {
"service": "coordinator"
},
"rawstring": "starting service coordinator"
}
{
"timestamp": 1466105321,
"timezone": "Europe/Copenhagen",
"attributes": {
"service": "coordinator"
},
"rawstring": "starting service coordinator"
}
{
"timestamp": "2016-06-06T12:00:01+02:00",
"rawstring": "starting service=coordinator transactionid=42"
}
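The following is an added example, not code from the LogScale documentation. It ties together the two points above: the client parses the free-text cpu_info and mem_info strings into fields itself (the cheaper alternative to attaching a parser to the ingest token), and then assembles a request body in the shape the table describes, with an integer millisecond timestamp plus timezone, attributes, a rawstring and a host tag. The environment variable names YOUR_LOGSCALE_URL and INGEST_TOKEN, the field names chosen for the parsed values, and the sample strings are assumptions; the only thing taken from the page is the request format and the endpoint path.

```python
import json
import os
import re
from datetime import datetime, timezone
from urllib.request import Request, urlopen

# Constructed sample input, same shape as the cpu_info / mem_info object above.
SAMPLE = {
    "cpu_info": "14:00 up 4 days, 2:48, 5 users, load averages: 1.83 2.00 2.32",
    "mem_info": "PhysMem: 15G used (1664M wired, 2712M compressor), 478M unused.",
}

LOAD_RE = re.compile(r"load averages?:\s*([\d.]+)\s+([\d.]+)\s+([\d.]+)")
USERS_RE = re.compile(r"(\d+)\s+users?")
MEM_RE = re.compile(r"PhysMem:\s*(\S+) used \((\S+) wired, (\S+) compressor\), (\S+) unused")


def parse_cpu_info(text: str) -> dict:
    """Turn the uptime-style string into typed fields; unknown layouts yield {}."""
    fields = {}
    m = LOAD_RE.search(text)
    if m:
        fields["load_1m"], fields["load_5m"], fields["load_15m"] = (float(x) for x in m.groups())
    m = USERS_RE.search(text)
    if m:
        fields["users"] = int(m.group(1))
    return fields


def parse_mem_info(text: str) -> dict:
    """Extract the PhysMem figures; values keep their unit suffix (G/M)."""
    m = MEM_RE.search(text)
    if not m:
        return {}
    used, wired, compressor, unused = m.groups()
    return {"mem_used": used, "mem_wired": wired, "mem_compressor": compressor, "mem_unused": unused}


def parse_iso(s: str) -> datetime:
    """Parse an ISO 8601 string such as 2016-06-06T12:00:00+02:00."""
    return datetime.fromisoformat(s)


def epoch_ms(ts: datetime) -> int:
    """Integer timestamps are milliseconds since the Unix epoch in UTC.

    A naive datetime is rejected: guessing its zone puts events hours off,
    and sending seconds instead of milliseconds puts them in 1970.
    """
    if ts.tzinfo is None:
        raise ValueError("naive datetime; attach tzinfo so UTC conversion is unambiguous")
    return int(ts.astimezone(timezone.utc).timestamp() * 1000)


def build_event(raw: dict, ts: datetime, tz: str = "Europe/Copenhagen") -> dict:
    """One event in the format the table above describes."""
    attrs = {**parse_cpu_info(raw["cpu_info"]), **parse_mem_info(raw["mem_info"])}
    return {
        "timestamp": epoch_ms(ts),
        "timezone": tz,  # only meaningful with an integer timestamp
        "attributes": attrs,
        # Keep the original text so @rawstring is the source line, not a JSON
        # copy of the attributes.
        "rawstring": raw["cpu_info"] + " | " + raw["mem_info"],
    }


def build_payload(events: list, host: str) -> list:
    """Request body: a list of groups, each carrying its tags and its events."""
    return [{"tags": {"host": host}, "events": events}]


def send(payload: list) -> int:
    """POST the payload; endpoint and token come from assumed env vars."""
    base = os.environ["YOUR_LOGSCALE_URL"]
    token = os.environ["INGEST_TOKEN"]  # bearer credential: never hard-code it
    if not base.startswith("https://"):
        raise ValueError("refusing to send an ingest token over plaintext HTTP")
    req = Request(
        base + "/api/v1/ingest/humio-structured",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_payload([build_event(SAMPLE, parse_iso("2016-06-06T12:00:00+02:00"))], "myserver")
    print(json.dumps(body, indent=2))
    if "YOUR_LOGSCALE_URL" in os.environ and "INGEST_TOKEN" in os.environ:
        print("HTTP", send(body))
```

Run without the environment variables to see the JSON body that would be sent; set YOUR_LOGSCALE_URL (https) and INGEST_TOKEN to post it. Parsing in the client like this means the parser lives with the code that produces the strings, so a change in the uptime output format is caught where it happens rather than showing up as empty fields in searches.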
Example
curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/humio-structured \
-H "Authorization: Bearer $INGEST_TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
[
{
"tags": {
"host": "myserver"
},
"events": [
{
"timestamp": "2016-06-06T12:00:00+02:00",
"attributes": {
"key1": "value1"
}
}
]
}
]
EOF
Windows command prompt (cmd.exe has no single-quoted strings, so the JSON goes on one line with its inner quotes escaped, and environment variables are written as %NAME%):
curl -v -X POST %YOUR_LOGSCALE_URL%/api/v1/ingest/humio-structured ^
  -H "Authorization: Bearer %INGEST_TOKEN%" ^
  -H "Content-Type: application/json" ^
  -d "[{\"tags\":{\"host\":\"myserver\"},\"events\":[{\"timestamp\":\"2016-06-06T12:00:00+02:00\",\"attributes\":{\"key1\":\"value1\"}}]}]"
PowerShell (curl.exe, not the curl alias for Invoke-WebRequest; the body is written to a temporary file because Windows PowerShell 5.1 drops embedded double quotes when passing arguments to native executables):
$body = @'
[
  {
    "tags": {
      "host": "myserver"
    },
    "events": [
      {
        "timestamp": "2016-06-06T12:00:00+02:00",
        "attributes": {
          "key1": "value1"
        }
      }
    ]
  }
]
'@
$tmp = New-TemporaryFile
[IO.File]::WriteAllText($tmp.FullName, $body)   # UTF-8 without BOM
curl.exe -X POST `
  -H "Authorization: Bearer $INGEST_TOKEN" `
  -H "Content-Type: application/json" `
  --data-binary "@$($tmp.FullName)" `
  "$YOUR_LOGSCALE_URL/api/v1/ingest/humio-structured"
Remove-Item $tmp
Perl:
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Read the endpoint and ingest token from the environment instead of
# hard-coding the bearer credential in the script.
my $base  = $ENV{YOUR_LOGSCALE_URL} or die "YOUR_LOGSCALE_URL not set\n";
my $token = $ENV{INGEST_TOKEN}      or die "INGEST_TOKEN not set\n";
my $uri   = "$base/api/v1/ingest/humio-structured";
my $json = '[
{
"tags": {
"host": "myserver"
},
"events": [
{
"timestamp": "2016-06-06T12:00:00+02:00",
"attributes": {
"key1": "value1"
}
}
]
}
]';
my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $token");
$req->header("Content-Type"  => "application/json");
$req->content($json);
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request($req);
# Use the public accessors rather than the object's internal _content slot.
print $result->status_line, "\n";
print $result->decoded_content, "\n";
exit($result->is_success ? 0 : 1);
Python:
#!/usr/bin/env python3
import os
import requests

# Endpoint and ingest token come from the environment; the token is a bearer
# credential and should not be committed with the code.
base_url = os.environ["YOUR_LOGSCALE_URL"]
token = os.environ["INGEST_TOKEN"]
url = f"{base_url}/api/v1/ingest/humio-structured"

payload = [
    {
        "tags": {"host": "myserver"},
        "events": [
            {
                "timestamp": "2016-06-06T12:00:00+02:00",
                "attributes": {"key1": "value1"},
            }
        ],
    }
]

# json= serialises the payload and sets Content-Type: application/json.
resp = requests.post(
    url,
    json=payload,
    headers={"Authorization": f"Bearer {token}"},
    timeout=10,
)
print(resp.status_code, resp.text)
resp.raise_for_status()
Node.js:
const https = require('https');

// Endpoint and ingest token come from the environment; the URL is parsed so
// hostname, port and path are sent in the right places.
const base = new URL(process.env.YOUR_LOGSCALE_URL);
const token = process.env.INGEST_TOKEN;

const data = JSON.stringify(
[
{
"tags": {
"host": "myserver"
},
"events": [
{
"timestamp": "2016-06-06T12:00:00+02:00",
"attributes": {
"key1": "value1"
}
}
]
}
]
);
const options = {
hostname: base.hostname,
port: base.port || 443,
path: '/api/v1/ingest/humio-structured',
method: 'POST',
headers: {
'Content-Type': 'application/json',
// Byte length, not string length: a multi-byte character would otherwise
// truncate the body.
'Content-Length': Buffer.byteLength(data),
Authorization: 'Bearer ' + token,
'User-Agent': 'Node',
},
};
const req = https.request(options, (res) => {
let body = '';
console.log(`statusCode: ${res.statusCode}`);
res.on('data', (d) => {
body += d;
});
// The result is the HTTP status; the response body is often empty, so print
// it as text rather than assuming a JSON document.
res.on('end', () => {
console.log(body);
});
});
req.on('error', (error) => {
console.error(error);
});
req.write(data);
req.end();
Response
For responses see Standard HTTP response codes.