Get Log Schema

Retrieves data structure for a specified log schema.

HTTP Request

GET /api/sonar/log-schemas/:code
Request using cURL
curl -H "Authorization: Bearer <API_KEY>" \
     https://HOSTNAME/api/sonar/log-schemas/session
Request Parameter

Key  | Required | Type   | Description     | Note
code | O        | String | Log schema code |

(O = required)

Success Response

Below is an example of retrieving the session log schema.

{
  "schema": {
    "code": "session",
    "name": "Session",
    "description": "Firewall traffic or flow log.",
    "created": "2022-09-01 00:31:13+0900",
    "fields": [
      {
        "name": "_time",
        "display_name": "Time",
        "type": "DATE",
        "ordinal": 1
      },
      {
        "name": "src_ip",
        "display_name": "Source IP",
        "type": "IP",
        "ordinal": 2
      },
      {
        "name": "src_port",
        "display_name": "Source Port",
        "type": "PORT",
        "ordinal": 3
      },
      {
        "name": "dst_ip",
        "display_name": "Destination IP",
        "type": "IP",
        "ordinal": 4
      },
      {
        "name": "dst_port",
        "display_name": "Destination Port",
        "type": "PORT",
        "ordinal": 5
      },
      {
        "name": "protocol",
        "display_name": "Protocol",
        "type": "STRING",
        "ordinal": 6
      },
      {
        "name": "app",
        "display_name": "App",
        "type": "STRING",
        "ordinal": 7
      },
      {
        "name": "action",
        "display_name": "Action",
        "type": "STRING",
        "ordinal": 8
      },
      {
        "name": "nat_src_ip",
        "display_name": "NAT Source IP",
        "type": "IP",
        "ordinal": 9
      },
      {
        "name": "nat_src_port",
        "display_name": "NAT Source Port",
        "type": "PORT",
        "ordinal": 10
      },
      {
        "name": "nat_dst_ip",
        "display_name": "NAT Destination IP",
        "type": "IP",
        "ordinal": 11
      },
      {
        "name": "nat_dst_port",
        "display_name": "NAT Destination Port",
        "type": "PORT",
        "ordinal": 12
      },
      {
        "name": "policy",
        "display_name": "Policy",
        "type": "STRING",
        "ordinal": 13
      },
      {
        "name": "duration",
        "display_name": "Duration",
        "type": "LONG",
        "ordinal": 14
      },
      {
        "name": "total_bytes",
        "display_name": "Bytes",
        "type": "STRING",
        "ordinal": 15
      },
      {
        "name": "total_pkts",
        "display_name": "Packets",
        "type": "STRING",
        "ordinal": 16
      },
      {
        "name": "sent_pkts",
        "display_name": "Sent Packets",
        "type": "LONG",
        "ordinal": 17
      },
      {
        "name": "rcvd_pkts",
        "display_name": "Received Packets",
        "type": "LONG",
        "ordinal": 18
      },
      {
        "name": "sent_bytes",
        "display_name": "Sent Bytes",
        "type": "LONG",
        "ordinal": 19
      },
      {
        "name": "rcvd_bytes",
        "display_name": "Received Bytes",
        "type": "LONG",
        "ordinal": 20
      },
      {
        "name": "src_country",
        "display_name": "Source Country",
        "type": "COUNTRY",
        "ordinal": 21
      },
      {
        "name": "dst_country",
        "display_name": "Destination Country",
        "type": "COUNTRY",
        "ordinal": 22
      }
    ]
  }
}
  • schema (Map): Log schema definition
    • code (String): Code
    • name (String): Name
    • description (String): Description
    • created (String): Date and time of creation (yyyy-MM-dd HH:mm:ssZ)
    • fields (Array): List of normalized field definitions
      • name (String): Field name
      • display_name (String): Display name
      • type (String): Type. One of the following: DATE, STRING, IP, PORT, INT, LONG, DOUBLE, COUNTRY, MD5, SHA1, URL.
      • ordinal (32-bit integer): Field display order

Error Responses

Log schema is not found

HTTP status code 200 (the body carries "schema": null; a client must check the schema value, since the status code alone does not signal the error)

{
  "schema": null
}
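The following is an added example, not code from the original page or from the Sonar project, showing how a client consumes this endpoint: it parses the success body, sorts the fields by ordinal, treats the "schema": null body as a not-found error even though the HTTP status is 200, and then validates a log record against the field types the schema declares. The response bodies and log records embedded below are constructed samples (the schema body is an abridged copy of the one shown above); HOSTNAME and the API key are caller-supplied placeholders, and the DATE layout assumed for record timestamps is the one the page gives for "created".

```python
import ipaddress
import json
import urllib.request
from datetime import datetime

# Constructed sample: an abridged copy of the body this endpoint returns for
# GET /api/sonar/log-schemas/session (subset of the fields listed above).
SESSION_SCHEMA_BODY = json.dumps({
    "schema": {
        "code": "session",
        "name": "Session",
        "description": "Firewall traffic or flow log.",
        "created": "2022-09-01 00:31:13+0900",
        "fields": [
            {"name": "src_ip", "display_name": "Source IP", "type": "IP", "ordinal": 2},
            {"name": "_time", "display_name": "Time", "type": "DATE", "ordinal": 1},
            {"name": "src_port", "display_name": "Source Port", "type": "PORT", "ordinal": 3},
            {"name": "action", "display_name": "Action", "type": "STRING", "ordinal": 8},
            {"name": "sent_bytes", "display_name": "Sent Bytes", "type": "LONG", "ordinal": 19},
        ],
    }
})

# Constructed sample: the body for an unknown schema code. The HTTP status is
# still 200, so the null has to be checked explicitly.
NOT_FOUND_BODY = json.dumps({"schema": None})


class SchemaNotFound(Exception):
    """Raised when the response carries {"schema": null}."""


def fetch_schema_body(hostname, api_key, code):
    """GET the schema with a Bearer token; hostname/api_key are caller-supplied placeholders."""
    req = urllib.request.Request(
        f"https://{hostname}/api/sonar/log-schemas/{code}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_schema(body):
    """Parse a Get Log Schema body; raise SchemaNotFound on a null schema."""
    schema = json.loads(body).get("schema")
    if schema is None:
        raise SchemaNotFound("log schema not found")
    # Fields carry an ordinal; sort so they match the documented display order.
    schema["fields"] = sorted(schema["fields"], key=lambda f: f["ordinal"])
    return schema


def check_type(value, ftype):
    """True if value is acceptable for a field of the given schema type.

    Assumption: DATE values use the layout the page gives for "created"
    (yyyy-MM-dd HH:mm:ssZ). STRING, COUNTRY and URL are only checked to be
    strings because the page does not define their formats.
    """
    is_int = isinstance(value, int) and not isinstance(value, bool)
    try:
        if ftype == "DATE":
            return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z") is not None
        if ftype == "IP":
            return ipaddress.ip_address(value) is not None
        if ftype == "PORT":
            return is_int and 0 <= value <= 65535
        if ftype in ("INT", "LONG"):
            return is_int
        if ftype == "DOUBLE":
            return is_int or isinstance(value, float)
        if ftype in ("MD5", "SHA1"):
            width = 32 if ftype == "MD5" else 40
            return isinstance(value, str) and len(value) == width and \
                all(c in "0123456789abcdefABCDEF" for c in value)
        if ftype in ("STRING", "COUNTRY", "URL"):
            return isinstance(value, str)
        return False  # type not in the documented list: reject rather than guess
    except (ValueError, TypeError):
        return False


def validate_record(schema, record):
    """Return the problems found when checking one log record against schema.

    Absent fields are not flagged because the page does not say which are
    mandatory; undeclared fields and wrongly typed values are reported.
    """
    problems = []
    for field in schema["fields"]:
        name = field["name"]
        if name in record and not check_type(record[name], field["type"]):
            problems.append(f"{name}: {record[name]!r} is not a valid {field['type']}")
    for extra in sorted(set(record) - {f["name"] for f in schema["fields"]}):
        problems.append(f"{extra}: not defined in schema '{schema['code']}'")
    return problems


# Constructed records, not taken from the page.
GOOD_RECORD = {"_time": "2022-09-01 00:31:13+0900", "src_ip": "10.0.0.5",
               "src_port": 51234, "action": "allow", "sent_bytes": 1500}
BAD_RECORD = {"_time": "yesterday", "src_ip": "10.0.0.999",
              "src_port": 70000, "sent_bytes": "1500", "bogus": 1}
```

Against the constructed inputs, parse_schema(SESSION_SCHEMA_BODY) yields the fields in ordinal order, parse_schema(NOT_FOUND_BODY) raises SchemaNotFound, validate_record returns an empty list for GOOD_RECORD and five problems for BAD_RECORD (bad timestamp, bad IP, out-of-range port, string where a LONG is expected, and the undeclared "bogus" field). Because the error case is indistinguishable from success by status code, parse_schema is the one place that decides "not found"; callers that wire fetch_schema_body to a live host should route its body through parse_schema rather than reading doc["schema"] directly.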