• 0

Querying alerts via API


Go to solution Solved by Stuart Weenig,

Question

Hi

I'm fairly new to APIs and would like a little help please. I am trying to query the LM API for specific alerts with Python. I am able to retrieve a full list of alerts via Python which is a good starting point. I was using the following doc:

https://www.logicmonitor.com/support/rest-api-developers-guide/v1/alerts/get-alerts

What I would like some help with is the following:

- Is there a way to retrieve alerts only for a specific folder? We have customers under specific folders.
- How would I retrieve alerts with only a specific string in the resource name? E.g. all customer devices will have devicename.domain.com I would like to filter for only alerts of devices with *domain.com* in the resource name.
- How would you do multiple queries in one API call? e.g. a query with a filter, and a sort?

Thank you

 

 

 


9 answers to this question


  • 1
  • Administrators
1 minute ago, MrJ said:

 - Is there a way to retrieve alerts only for a specific folder? We have customers under specific folders.

Yes, you'd use the filter query parameter and the value of the parameter would be system.groups~Clients%2FNameofClient

3 minutes ago, MrJ said:

How would I retrieve alerts with only a specific string in the resource name? E.g. all customer devices will have devicename.domain.com I would like to filter for only alerts of devices with *domain.com* in the resource name.

You'd again use the filter query (not sure if/how to combine this with the above, would have to play with it): filter=displayName~domain.com

4 minutes ago, MrJ said:

- How would you do multiple queries in one API call? e.g. a query with a filter, and a sort?

You'd just pass multiple query parameters:

alert/alerts?filter=displayName~domain.com&sort=+displayName

 

  • 0

Thanks for the info, it doesn't seem to work for me unfortunately. It seems to display every single alert for every customer no matter what I put. E.g.

 

#Request Info
httpVerb ='GET'
resourcePath = '/alert/alerts'
queryParams ='?v=2&?filter=displayName~domain.com'  # I changed domain.com to the actual customer
data = ''

I wasn't using the v2 API before but I was trying that as well above. 

Are there some working examples documented anywhere?

For the v2 API, does it display the data any differently or is the only difference no support for basic auth?

Thanks

  • 0
  • Administrators
  • Solution
48 minutes ago, MrJ said:

For the v2 API, does it display the data any differently or is the only difference no support for basic auth?

The data structure changes for v2 and some of the endpoints are different. Some more info here. The v2 REST documentation is here: https://www.logicmonitor.com/swagger-ui-master/dist/#/Alerts/getAlertList, but the filtering shouldn't be any different.

As far as why it's not working (meaning you're getting an http 200 but not filtered results), I am wondering if the filter can only affect those fields included in the response. That being the case, can you filter based on the value of `monitorObjectGroups`? Unfortunately, being end of quarter, I don't have the time to run any tests to figure out what works.

  • 0

I don't think you can directly filter out by resource group using the /alert/alerts/ filter, as the group name is contained within the monitorObjectGroups list/array within the results. But you should be able to save the results from all alerts, then filter the results within your code. BUT if you're looking for all the alerts for a particular resource group, you can use a different endpoint: /device/groups/{id}/alerts/.

One tip about the API is that the portal itself uses the API. If you bring up the browser developer console (F12), go to the Network tab, and click around, you can see the API calls that the portal uses. For example, you can click on the Alert tab for a group and see the /device/groups/{id}/alerts/ call.

  • Like 1
  • 0

Hey, oh ok thanks for clarifying. 

Oh that is really helpful. I was looking around in the portal to see if that was an option to show the API calls so that helps a lot. Thank you

  • 0
  • Administrators

Ok, was just forced to look at this for someone else and I couldn't get any filter to work using APIv2 (not sure why).

Also, the filters can only be applied on non-list fields in the response json. So, given the response:

{
  "items": [
    {
      "SDT": {},
      "ackComment": "string",
      "acked": true,
      "ackedBy": "string",
      "ackedEpoch": 0,
      "alertValue": "string",
      "chain": "string",
      "chainId": 0,
      "clearValue": "string",
      "cleared": true,
      "customColumns": {},
      "dataPointId": 0,
      "dataPointName": "string",
      "detailMessage": {},
      "endEpoch": 0,
      "id": "string",
      "instanceDescription": "string",
      "instanceId": 0,
      "instanceName": "string",
      "internalId": "string",
      "monitorObjectGroups": {},
      "monitorObjectId": 0,
      "monitorObjectName": "string",
      "monitorObjectType": "string",
      "nextRecipient": 0,
      "receivedList": "string",
      "resourceId": 0,
      "resourceTemplateId": 0,
      "resourceTemplateName": "string",
      "resourceTemplateType": "string",
      "rule": "string",
      "ruleId": 0,
      "sdted": true,
      "severity": 0,
      "startEpoch": 0,
      "subChainId": 0,
      "threshold": "string",
      "type": "string"
    }
  ],
  "searchId": "string",
  "total": 0
}

You should be able to write a filter like this:

/alert/alerts?filter=monitorObjectName~domain.com

The documentation states that you should be able to use the ~ operator for "contains", however in my testing, it seems that ~ (contains) behaves exactly the same as : (equals). If this is also your experience, I suggest you open a case with support as it's not working as documented.
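
As an added example (not code from the thread or from LogicMonitor), this sketch builds the query string discussed above with a single `?` and `&`-joined parameters, and applies the "filter the results within your code" fallback suggested earlier for `monitorObjectGroups`. The helper names, the sample data, and the `fullPath` key inside each group object are assumptions.

```python
from urllib.parse import quote, urlencode


def build_alert_query(filter_expr=None, sort=None, version=None):
    """Build the query string: one leading '?', parameters joined by '&'."""
    params = {}
    if version is not None:
        params["v"] = version
    if filter_expr:
        params["filter"] = filter_expr
    if sort:
        params["sort"] = sort
    if not params:
        return ""
    # '/' becomes %2F and '+' becomes %2B; '~' and ':' (filter operators) stay literal.
    return "?" + urlencode(params, quote_via=quote, safe="~:")


def filter_alerts(response, name_contains=None, group_path=None):
    """Filter an alerts response locally by resource name and group path."""
    matched = []
    for alert in response.get("items", []):
        name = alert.get("monitorObjectName") or ""
        if name_contains and name_contains.lower() not in name.lower():
            continue
        if group_path:
            # Assumed shape: a list of objects that each carry a "fullPath" key.
            groups = alert.get("monitorObjectGroups") or []
            paths = [g.get("fullPath", "") for g in groups if isinstance(g, dict)]
            if not any(p == group_path or p.startswith(group_path + "/") for p in paths):
                continue
        matched.append(alert)
    return matched


# Constructed sample response (not real portal data).
SAMPLE = {
    "items": [
        {"id": "A1", "monitorObjectName": "web01.domain.com",
         "monitorObjectGroups": [{"fullPath": "Clients/NameofClient"}]},
        {"id": "A2", "monitorObjectName": "db01.other.net",
         "monitorObjectGroups": [{"fullPath": "Clients/NameofClient/DB"}]},
        {"id": "A3", "monitorObjectName": "fw01.domain.com",
         "monitorObjectGroups": [{"fullPath": "Clients/OtherClient"}]},
    ],
    "total": -3,  # the thread notes "total" can be negative, so count items instead
}

if __name__ == "__main__":
    print(build_alert_query("monitorObjectName~domain.com", "+displayName", 2))
    print([a["id"] for a in filter_alerts(SAMPLE, "domain.com", "Clients/NameofClient")])
```
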

  • 0

From what I see, the ~ operator is for "includes", so I've always used it for substring/wildcard matches. There is a way to do list-like filtering actually (see https://communities.logicmonitor.com/topic/1709-get-lm-devicegroup-properties-rest-api/#comment-4129) but I can't get that to work with alerts right now; it might be specific to properties though. Also, the alert endpoint is kinda weird in that it works a bit differently than other API calls, like how the "total" can be a negative number.

May also be worth looking at an older forums post that talks about some oddness with multiple filters and ~ operator: https://communities.logicmonitor.com/topic/2153-how-to-use-the-~-includes-filter-operator

 

  • Like 1