• 로그인무료 계정

NerdGraph tutorial: Manage log parsing rules

You can use NerdGraph at api.newrelic.com/graphiql to create, query, and manage your parsing rules for logs. NerdGraph is our GraphQL-format API explorer.

Data parsing schema

Available parsing rule fields include:

Fields

Description

id

Unique data parsing identifier.

parsingRules

The name of the parsing rule.

description

A description of what this parsing rule represents.

grok

The Grok pattern for this parsing rule. For example, you can include the logtype for the Grok pattern you are using with a built-in parsing rule, such as logtype = 'alb'. However, you are not limited to using logtype; any attribute can be used as matching criteria.

lucene

The search value used from the New Relic UI; for example, logtype:alb. For more information about valid Lucene functions in the New Relic UI, see our documentation about logs query syntax.

accountId

The New Relic account ID for the user.

nrql

The NRQL query used for queries, if applicable; for example:

"SELECT * FROM Log WHERE `logtype` = 'testLogs'"

createdBy

The user who created the rule. Optional: You can also include email, gravatar, id, and name with this.

updatedBy

The user who last updated the rule. Optional: You can also include email, gravatar, id, and name with this.

enabled

Whether or not this parsing rule is enabled.

deleted

Whether or not this parsing rule has been deleted. Deleting a parsing rule does not delete the already routed logs.

Example query of log parsing rules

This NerdGraph API request example gets all of the parsing rules for a given account. In this example, all of the available fields are requested.

query {
actor {
account(id: 12345678) {
logConfigurations {
parsingRules {
accountId
createdBy {
email
gravatar
id
name
}
deleted
description
enabled
grok
id
lucene
nrql
updatedAt
updatedBy {
email
gravatar
id
name
}
}
}
}
}
}

The response returned will look similar to this:

{
"data": {
"actor": {
"account": {
"id": 12345678,
"logConfigurations": {
"parsingRules": [
{
"accountId": 12345678,
"createdBy": {
"email": "myname@ncompany.com",
"gravatar": "https://secure.gravatar.com/avatar/d0a88888888d666d111111111111111f",
"id": 7777777,
"name": "My Name"
},
"deleted": false,
"description": "Integer Test",
"enabled": true,
"grok": "source=%{NUMBER:test:int}",
"id": "123",
"lucene": ,
"nrql": "SELECT * FROM Log WHERE `logtype` = 'integer'",
"updatedAt": "2021-08-23T17:25:06.553Z[UTC]",
"updatedBy": {
"email": "myname@ncompany.com",
"gravatar": "https://secure.gravatar.com/avatar/d0a88888888d666d111111111111111f",
"id": 7777777,
"name": "My Name"
}
}
...

Create parsing rules

This example creates a new log parsing rule. Before creating the rule, be sure to review the documentation about log parsing and built-in parsing rules.

mutation {
logConfigurationsCreateParsingRule(
accountId: 12345678
rule: {
description: "example parsing rule"
enabled: false
grok: "sampleattribute=%{NUMBER:test:int}"
lucene: "logtype:testLogs"
nrql: "SELECT * FROM Log WHERE `logtype` = 'testLogs'"
}
) {
rule {
id
enabled
description
grok
}
errors {
message
type
}
}
}

Update parsing rules

This example updates the parsing rule whose id is "123". You can update any of the following fields as needed: description, enabled, grok, lucene, and nrql.

mutation {
logConfigurationsUpdateParsingRule(
accountId: 12345678
rule: {
description: "example parsing rule"
enabled: false
grok: "sampleattribute=%{NUMBER:test:int}"
lucene: "logtype:testLogs"
nrql: "SELECT * FROM Log WHERE `logtype` = 'testLogs'"
}
id: "123"
) {
errors {
message
type
}
rule {
id
grok
description
enabled
}
}
}

Delete parsing rules

Deleting a parsing rule doesn't delete data that has already been parsed. The data is retained for a given period of time defined by the retentionPolicy field.

mutation {
logConfigurationsDeleteParsingRule(accountId: 123456789, id: "123") {
errors {
message
type
}
}
}
Copyright © 2022 New Relic Inc.