MrJ
4 years ago
Solved

Querying alerts via API

Hi

I'm fairly new to APIs and would like a little help please. I am trying to query the LM API for specific alerts with Python. I am able to retrieve a full list of alerts via Python which is a good starting point. I was using the following doc:

https://www.logicmonitor.com/support/rest-api-developers-guide/v1/alerts/get-alerts

What I would like some help with is the following:

- Is there a way to retrieve alerts only for a specific folder? We have customers under specific folders.
- How would I retrieve alerts with only a specific string in the resource name? E.g. all customer devices will have devicename.domain.com; I would like to filter for only alerts of devices with *domain.com* in the resource name.
- How would you do multiple queries in one API call? E.g. a query with a filter and a sort?

Thank you

9 Replies

  • Anonymous
    1 minute ago, MrJ said:

     - Is there a way to retrieve alerts only for a specific folder? We have customers under specific folders.

    Yes, you'd use the filter query parameter and the value of the parameter would be system.groups~Clients%2FNameofClient

    3 minutes ago, MrJ said:

    - How would I retrieve alerts with only a specific string in the resource name? E.g. all customer devices will have devicename.domain.com; I would like to filter for only alerts of devices with *domain.com* in the resource name.

    You'd again use the filter query (not sure if/how to combine this with the above, would have to play with it): filter=displayName~domain.com

    4 minutes ago, MrJ said:

    - How would you do multiple queries in one API call? e.g. a query with a filter, and a sort?

    You'd just pass multiple query parameters:

    alert/alerts?filter=displayName~domain.com&sort=+displayName

     

  • Thanks for the info, it doesn't seem to work for me unfortunately. It seems to display every single alert for every customer no matter what I put. E.g.

    #Request Info
    httpVerb ='GET'
    resourcePath = '/alert/alerts'
    queryParams = '?v=2&?filter=displayName~domain.com'  # I changed domain.com to the actual customer
    data = ''
    
    I wasn't using the v2 API before but I was trying that as well above. 

    Are there some working examples documented anywhere?

    For the v2 API, does it display the data any different or is the only difference no support for basic auth?

    Thanks

  • Anonymous
    48 minutes ago, MrJ said:

    For the v2 API, does it display the data any different or is the only difference no support for basic auth?

    The data structure changes for v2 and some of the endpoints are different. Some more info here. The v2 REST documentation is here: https://www.logicmonitor.com/swagger-ui-master/dist/#/Alerts/getAlertList, but the filtering shouldn't be any different.

    As far as why it's not working (meaning you're getting an http 200 but not filtered results), I am wondering if the filter can only affect those fields included in the response. That being the case, can you filter based on the value of `monitorObjectGroups`? Unfortunately, being end of quarter, I don't have the time to run any tests to figure out what works.

  • I don't think you can directly filter out by resource group using the /alert/alerts/ filter, as the group name is contained within the monitorObjectGroups list/array within the results. But you should be able to save the results from all alerts then filter the results within your code. BUT if you're looking for all the alerts for a particular resource group, you can use a different endpoint /device/groups/{id}/alerts/.

    One tip about the API is that the portal itself uses the API. If you bring up the browser developer console (F12) and go to the Network tab, and click around, you can see the API calls that the portal uses. For example you can click on the Alert tab for a group and see the /device/groups/{id}/alerts/ call.

  • Hey, oh ok thanks for clarifying. 

    Oh that is really helpful. I was looking around in the portal to see if that was an option to show the API calls so that helps a lot. Thank you

  • Anonymous

    Ok, was just forced to look at this for someone else and I couldn't get any filter to work using APIv2 (not sure why).

    Also, the filters can only be applied on non-list fields in the response json. So, given the response:

    {
      "items": [
        {
          "SDT": {},
          "ackComment": "string",
          "acked": true,
          "ackedBy": "string",
          "ackedEpoch": 0,
          "alertValue": "string",
          "chain": "string",
          "chainId": 0,
          "clearValue": "string",
          "cleared": true,
          "customColumns": {},
          "dataPointId": 0,
          "dataPointName": "string",
          "detailMessage": {},
          "endEpoch": 0,
          "id": "string",
          "instanceDescription": "string",
          "instanceId": 0,
          "instanceName": "string",
          "internalId": "string",
          "monitorObjectGroups": {},
          "monitorObjectId": 0,
          "monitorObjectName": "string",
          "monitorObjectType": "string",
          "nextRecipient": 0,
          "receivedList": "string",
          "resourceId": 0,
          "resourceTemplateId": 0,
          "resourceTemplateName": "string",
          "resourceTemplateType": "string",
          "rule": "string",
          "ruleId": 0,
          "sdted": true,
          "severity": 0,
          "startEpoch": 0,
          "subChainId": 0,
          "threshold": "string",
          "type": "string"
        }
      ],
      "searchId": "string",
      "total": 0
    }

    You should be able to write a filter like this:

    /alert/alerts?filter=monitorObjectName~domain.com

    The documentation states that you should be able to use the ~ operator for "contains", however in my testing, it seems that ~ (contains) behaves exactly the same as : (equals). If this is also your experience, I suggest you open a case with support as it's not working as documented.
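Added example (not code from any poster or from LogicMonitor): a way to build the query string discussed in this thread and to fall back to substring filtering in your own code, as suggested above. Under standard URL parsing, the `&?filter=` in the posted request names the parameter `?filter` rather than `filter`. The helper names and the `SAMPLE` response are hypothetical; the field names come from the response schema above.

```python
from urllib.parse import parse_qsl, quote


def param_names(query):
    """Parameter names a standard URL parser extracts from a raw query string."""
    return [name for name, _ in parse_qsl(query.lstrip("?"), keep_blank_values=True)]


def build_query(field, needle, op="~", sort=None, version=None):
    """Build a query string with a single leading '?' and '&' between parameters."""
    parts = []
    if version is not None:
        parts.append(f"v={version}")
    # Percent-encode the value ('/' becomes %2F, as in the folder filter above);
    # '~' and ':' are kept literal because they are the filter operators.
    parts.append("filter=" + quote(f"{field}{op}{needle}", safe="~:"))
    if sort:
        # A raw '+' in a query string is commonly decoded as a space, so send %2B.
        parts.append("sort=" + quote(sort, safe=""))
    return "?" + "&".join(parts)


def filter_alerts(response, needle, field="monitorObjectName"):
    """Case-insensitive substring match done client-side on a non-list field."""
    needle = needle.lower()
    return [
        alert for alert in response.get("items", [])
        if needle in str(alert.get(field, "")).lower()
    ]


# Constructed sample response; only fields needed for the demonstration are present.
SAMPLE = {
    "items": [
        {"id": "LMD1", "monitorObjectName": "web01.domain.com", "severity": 3},
        {"id": "LMD2", "monitorObjectName": "db01.other.example", "severity": 4},
        {"id": "LMD3", "monitorObjectName": "FW01.DOMAIN.COM", "severity": 2},
    ],
    "total": 3,
}

if __name__ == "__main__":
    print(param_names("?v=2&?filter=displayName~domain.com"))
    print(build_query("monitorObjectName", "domain.com",
                      sort="+monitorObjectName", version=2))
    print([a["id"] for a in filter_alerts(SAMPLE, "domain.com")])
```
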

  • From what I see, the ~ operator is for "includes" so I've always used it for substring/wildcard matches. There is a way to do list-like filtering actually (see https://communities.logicmonitor.com/topic/1709-get-lm-devicegroup-properties-rest-api/#comment-4129) but I can't get that to work with alerts right now; it might be specific to properties though. Also the alert endpoint is kinda weird in that it works a bit differently than other API calls, like how the "total" can be a negative number.

    May also be worth looking at an older forums post that talks about some oddness with multiple filters and ~ operator: https://communities.logicmonitor.com/topic/2153-how-to-use-the-~-includes-filter-operator

     

  • Thanks both for your help, appreciated. Thought it was just me but good to know it wasn't.