Sumo Logic
Getting Started
Welcome to the Sumo Logic API reference. You can use these APIs to interact with the Sumo Logic platform. For information on Collector and Search Job APIs, see our API home page.
API Endpoints
Sumo Logic has several deployments in different geographic locations. You'll need to use the Sumo Logic API endpoint corresponding to your geographic location. See the table below for the different API endpoints by deployment. For details determining your account's deployment, see API endpoints.
| Deployment | Endpoint |
| AU | https://api.au.sumologic.com/api/ |
| CA | https://api.ca.sumologic.com/api/ |
| DE | https://api.de.sumologic.com/api/ |
| EU | https://api.eu.sumologic.com/api/ |
| FED | https://api.fed.sumologic.com/api/ |
| IN | https://api.in.sumologic.com/api/ |
| JP | https://api.jp.sumologic.com/api/ |
| KR | https://api.kr.sumologic.com/api/ |
| US1 | https://api.sumologic.com/api/ |
| US2 | https://api.us2.sumologic.com/api/ |
Authentication
Sumo Logic supports the following options for API authentication:
- Access ID and Access Key
- Base64 encoded Access ID and Access Key
See Access Keys to generate an Access Key. Make sure to copy the key you create, because it is displayed only once. When you have an Access ID and Access Key you can execute requests such as the following:
curl -u "<accessId>:<accessKey>" -X GET https://api.<deployment>.sumologic.com/api/v1/users
Where deployment is either au, ca, de, eu, fed, in, jp, us1, or us2. See API endpoints for details.
If you prefer to use basic access authentication, you can do a Base64 encoding of your <accessId>:<accessKey> to authenticate your HTTPS request. The following is an example request, replace the placeholder <encoded> with your encoded Access ID and Access Key string:
curl -H "Authorization: Basic <encoded>" -X GET https://api.<deployment>.sumologic.com/api/v1/users
Refer to API Authentication for a Base64 example.
Status Codes
Generic status codes that apply to all our APIs. See the HTTP status code registry for reference.
| HTTP Status Code | Error Code | Description |
| 301 | moved | The requested resource SHOULD be accessed through returned URI in Location Header. See [troubleshooting](https://help.sumologic.com/docs/api/troubleshooting/#api---301-error---moved) for details. |
| 401 | unauthorized | Credential could not be verified. |
| 403 | forbidden | This operation is not allowed for your account type or the user doesn't have the role capability to perform this action. See [troubleshooting](https://help.sumologic.com/docs/api/troubleshooting/#api---401-error---credential-could-not-be-verified) for details. |
| 404 | notfound | Requested resource could not be found. |
| 405 | method.unsupported | Unsupported method for URL. |
| 415 | contenttype.invalid | Invalid content type. |
| 429 | rate.limit.exceeded | The API request rate is higher than 4 request per second or inflight API requests are higher than 10 request per second. |
| 500 | internal.error | Internal server error. |
| 503 | service.unavailable | Service is currently unavailable. |
Filtering
Some API endpoints support filtering results on a specified set of fields. Each endpoint that supports filtering will list the fields that can be filtered. Multiple fields can be combined by using an ampersand & character.
Example: To get user with email john@demo.com:
api.sumologic.com/v1/users?email=john@demo.com
Sorting
Some API endpoints support sorting fields by using the sortBy query parameter. The default sort order is ascending. Prefix the field with a minus sign - to sort in descending order.
For example, to get 20 users sorted by their email in descending order:
api.sumologic.com/v1/users?limit=20&sort=-email
Asynchronous Request
Asynchronous requests do not wait for results, instead they immediately respond back with a job identifier while the job runs in the background. You can use the job identifier to track the status of the asynchronous job request. Here is a typical flow for an asynchronous request.
-
Start an asynchronous job. On success, a job identifier is returned. The job identifier uniquely identifies your asynchronous job.
-
Once started, use the job identifier from step 1 to track the status of your asynchronous job. An asynchronous request will typically provide an endpoint to poll for the status of asynchronous job. A successful response from the status endpoint will have the following structure:
{
"status": "Status of asynchronous request",
"statusMessage": "Optional message with additional information in case request succeeds",
"error": "Error object in case request fails"
}
The status field can have one of the following values:
1. Success: The job succeeded. The statusMessage field might have additional information.
2. InProgress: The job is still running.
3. Failed: The job failed. The error field in the response will have more information about the failure.
- Some asynchronous APIs may provide a third endpoint (like export result) to fetch the result of an asynchronous job.
Example
Let's say we want to export a folder with the identifier 0000000006A2E86F. We will use the async export API to export all the content under the folder with id=0000000006A2E86F.
- Start an export job for the folder
curl -X POST -u "<accessId>:<accessKey>" https://api.<deployment>.sumologic.com/api/v2/content/0000000006A2E86F/export
See authentication section for more details about accessId, accessKey, and
deployment.
On success, you will get back a job identifier. In the response below, C03E086C137F38B4 is the job identifier.
{
"id": "C03E086C137F38B4"
}
- Now poll for the status of the asynchronous job with the status endpoint.
curl -X GET -u "<accessId>:<accessKey>" https://api.<deployment>.sumologic.com/api/v2/content/0000000006A2E86F/export/C03E086C137F38B4/status
You may get a response like
{
"status": "InProgress",
"statusMessage": null,
"error": null
}
It implies the job is still in progress. Keep polling till the status is either Success or Failed.
- When the asynchronous job completes (
status != "InProgress"), you can fetch the results with the export result endpoint.
curl -X GET -u "<accessId>:<accessKey>" https://api.<deployment>.sumologic.com/api/v2/content/0000000006A2E86F/export/C03E086C137F38B4/result
The asynchronous job may fail (status == "Failed"). You can look at the error field for more details.
{
"status": "Failed",
"errors": {
"code": "content1:too_many_items",
"message": "Too many objects: object count(1100) was greater than limit 1000"
}
}
Rate Limiting
- A rate limit of four API requests per second (240 requests per minute) applies to all API calls from a user.
- A rate limit of 10 concurrent requests to any API endpoint applies to an access key.
If a rate is exceeded, a rate limit exceeded 429 status code is returned.
Generating Clients
You can use OpenAPI Generator to generate clients from the YAML file to access the API.
Using NPM
- Install NPM package wrapper globally, exposing the CLI on the command line:
npm install @openapitools/openapi-generator-cli -g
You can see detailed instructions here.
- Download the YAML file and save it locally. Let's say the file is saved as
sumologic-api.yaml. - Use the following command to generate
pythonclient inside thesumo/client/pythondirectory:
openapi-generator generate -i sumologic-api.yaml -g python -o sumo/client/python
Using Homebrew
- Install OpenAPI Generator
brew install openapi-generator
- Download the YAML file and save it locally. Let's say the file is saved as
sumologic-api.yaml. - Use the following command to generate
pythonclient side code inside thesumo/client/pythondirectory:
openapi-generator generate -i sumologic-api.yaml -g python -o sumo/client/python
Operations
List all access keys.
Delete an access key.
Update an access key.
Rotate the access key secret
List personal keys.
Create an access key.
Get all scopes.
Get the owner of an account.
Get overview of the account status.
Delete the configured subdomain.
Get the configured subdomain.
Create account subdomain.
Update account subdomain.
Recover subdomains for a user.
Get report generation status.
Export credits usage details as CSV.
Get usage forecast with respect to last number of days specified.
List available apps.
App install job status.
Get an app by UUID.
Install an app by UUID.
List ingestion jobs for all Archive Sources.
Get ingestion jobs for an Archive Source.
Delete an ingestion job.
Create an ingestion job.
Delete budget
Get budget
Update budget
Get budget usage
Get budgets
Creates a budget definition
Get budget usages
Get a list of connections.
Delete a connection.
Get a connection.
Update a connection.
Get incident templates for CloudSOAR connections.
Create a new connection.
Test a new connection url.
List all dashboard report schedules.
Schedule dashboard report
Delete dashboard report schedule.
Get dashboard report schedule.
Update dashboard report schedule.
Get a list of Data Deletion Rules
Cancel the data Deletion Rule with the given Id.
Delete the data Deletion Rule with the given Id.
Get Data Deletion Rule information for the given Id.
Create a new Data Deletion Rule
Get a list of dynamic parsing rules.
Delete a dynamic parsing rule.
Get a dynamic parsing rule.
Update a dynamic parsing rule.
Create a new dynamic parsing rule.
Get a list of field extraction rules.
Delete a field extraction rule.
Get a field extraction rule.
Update a field extraction rule.
Create a new field extraction rule.
Get a list of built-in fields.
Get a built-in field.
Get a list of dropped fields.
Get a list of all custom fields.
Delete a custom field.
Disable a custom field.
Enable custom field with a specified identifier.
Get a custom field.
Create a new field.
Get capacity information.
Get a list of health events.
Health events for specific resources.
Get Amazon S3 data forwarding destinations.
Delete an S3 data forwarding destination.
Get an S3 data forwarding destination.
Update an S3 data forwarding destination.
Create an S3 data forwarding destination.
Get all S3 data forwarding rules.
Delete an S3 data forwarding rule by its index.
Get an S3 data forwarding rule by its index.
Update an S3 data forwarding rule by its index.
Create an S3 data forwarding rule.
Gets estimated usage details.
Gets estimated usage details per metering type.
Gets Tier Wise estimated usage details.
Gets estimated usage details per view.
List all saved log searches.
Delete the saved log search.
Get the saved log search.
Update the saved log Search.
Save a log search.
Delete a lookup table.
Delete a lookup table row.
Get a lookup table.
Edit a lookup table.
Insert or Update a lookup table row.
Empty a lookup table.
Upload a CSV file.
Get the status of an async job.
Create a lookup table.
Run metrics queries
Deletes a metrics search.
Get a metrics search.
Updates a metrics search.
Save a metrics search.
Bulk delete a monitor or folder.
Disable monitors.
Bulk read a monitor or folder.
Copy a monitor or folder.
Delete a monitor or folder.
Export a monitor or folder.
Get a monitor or folder.
Move a monitor or folder.
Get the path of a monitor or folder.
List explicit permissions on monitor or folder.
List permission summaries for a monitor or folder.
Update a monitor or folder.
Import a monitor or folder.
Read a monitor or folder by its path.
Revoke all permissions on monitor or folder.
Set permissions on monitor or folder.
List all playbooks.
Get playbook details.
Create a monitor or folder.
Get the root monitors folder.
Search for a monitor or folder.
Usage info of monitors.
Bulk delete a mutingschedule or folder.
Bulk read a mutingschedule or folder.
Copy a mutingschedule or folder.
Delete a mutingschedule or folder.
Export a mutingschedule or folder.
Get a mutingschedule or folder.
Get the path of a mutingschedule or folder.
Update a mutingschedule or folder.
Import a mutingschedule or folder.
Create a mutingschedule or folder.
Get the root mutingSchedules folder.
Search for a mutingschedule or folder.
Get usages for child orgs.
Delete an OT Collector.
Get OT Collector by ID.
Delete all Offline OT Collectors
Get OT Collectors by name.
Get paginated list of OT Collectors
Get a count of OT Collectors.
Bulk delete folders and parsers.
Bulk read folders and parsers.
Copy a folder or parser.
Delete a folder or parser.
Export a folder or parser.
Read a folder or parser.
Lock a folder or a parser.
Move a folder or parser.
Get full path of folder or parser.
Update a folder or parser.
Unlock a folder or a parser.
Import a folder or parser
Read a folder or parser by its path.
Create a folder or parser.
Get the root folder in the library.
Search for folders or parsers.
Get a list of partitions.
Cancel a retention update for a partition
Decommission a partition.
Get a partition.
Update a partition.
Create a new partition.
Provides information about partitions quota.
Get the current password policy.
Update password policy.
Delete the pending plan update request, if any.
Get the pending plan update request, if any.
Get access key lifetime policy.
Set access keys lifetime policy.
Get Audit policy.
Set Audit policy.
Get Data Access Level policy.
Set Data Access Level policy.
Get Data Deletion policy.
Set Data Deletion policy.
Get Max User Session Timeout policy.
Set Max User Session Timeout policy.
Get Search Audit policy.
Set Search Audit policy.
Get Share Dashboards Outside Organization policy.
Set Share Dashboards Outside Organization policy.
Get User Concurrent Sessions Limit policy.
Set User Concurrent Sessions Limit policy.
Get a list of roles.
Delete a role.
Get a role.
Update a role.
Create a new role.
Remove role from a user.
Assign a role to a user.
Get list of allowlisted users.
Remove an allowlisted user.
Allowlist a user.
Get a list of SAML configurations.
Delete a SAML configuration.
Get SAML configuration metadata XML.
Update a SAML configuration.
Create a new SAML configuration.
Disable SAML lockdown.
Require SAML for sign-in.
Get a list of scheduled views.
Disable a scheduled view.
Get a scheduled view.
Pause a scheduled view.
Update a scheduled view.
Start a scheduled view.
Create a new scheduled view.
Provides information about scheduled views quota.
Get schema base identities grouped by type and sorted by version.
List SCIM Users
Delete SCIM User
Get a SCIM User
Update SCIM User Attributes
Update SCIM User
Create SCIM User
Get a list of service accounts.
Delete a service account.
Get a service account.
Update a service account.
Create a new service account.
Delete an access key of a service account.
Get an access key of a service account.
Update an access key of a service account.
List access keys for a service account.
Create a new access key for a service account.
Allowlist CIDRs/IP addresses.
List all allowlisted CIDRs/IP addresses.
Remove allowlisted CIDRs/IP addresses.
Disable service allowlisting.
Enable service allowlisting.
Get the allowlisting status.
Bulk delete a slo or folder.
Bulk read a slo or folder.
Copy a slo or folder.
Delete a slo or folder.
Export a slo or folder.
Get a slo or folder.
Move a slo or folder.
Get the path of a slo or folder.
Update a slo or folder.
Import a slo or folder.
Read a slo or folder by its path.
Create a slo or folder.
Get the root slos folder.
Search for a slo or folder.
Bulk fetch SLI values, error budget remaining and SLI computation status for the current compliance period.
Usage info of SLOs.
Return all source templates of a customer.
Get linked source templates update based on the ot-collector tags user is wants to update.
Delete a Source Template.
get a Source Template by Id.
Update source Template.
Update status of source template
Create source Template.
Lock a folder or a parser.
Unlock a folder or a parser.
Updates source properties
Remove the threat intel indicators DB
Get threat intel indicators DB information
Removes indicators by their IDS
Uploads indicators in a Sumo normalized format.
Uploads indicators in a STIX 2.x json format.
Get threat intel indicators store retention period in terms of days.
Set the threat intel indicators store retention period in terms of days.
Get a list of tokens.
Delete a token.
Get a token.
Update a token.
Create a token.
Get trace search query metrics.
Get a service map.
Get span analytics query filter field values.
Get filter fields for span analytics queries.
Run a span analytics query asynchronously.
Get span analytics query aggregated results.
Cancel a span analytics query.
Pause a span analytics query.
Resume a span analytics query.
Get a list of facets of a span analytics query.
Get results of a span analytics query.
Get a span analytics query status.
Get trace search query filter field values.
Get filter fields for trace search queries.
Run a trace search query asynchronously.
Cancel a trace search query.
Get results of a trace search query.
Get a trace search query status.
Get a critical path service breakdown of a trace.
Get a critical path of a trace.
Check if the trace exists.
Get trace details.
Get a list of trace spans.
Get span billing details.
Get span details.
Get a list of events (without their attributes) per span for a trace.
Get a list of transformation rules.
Delete a transformation rule.
Get a transformation rule.
Update a transformation rule.
Create a new transformation rule.
Upgrade source Template.
Get a list of users.
Delete a user.
Change email address.
Get a user.
Disable MFA for user.
Reset password.
Update a user.
Resend verification email.
Unlock a user.
Create a new user.
List apps
App install job status
App uninstall job status
App upgrade job status
Get details of an app version.
Start app install job
Unsubscribe from an app upgrade notification
Get subscription status for the user
Subscribe to an app upgrade notification
Start app uninstall job
Start app upgrade job
Content export job result.
Content export job status.
Get path of an item.
Schedule Admin Recommended folder job
Get Admin Recommended folder job result
Get Admin Recommended folder job status
Content import job result.
Content import job status.
Start a content import job.
Schedule Global View job
Get Global View job result
Get Global View job status
Get a folder.
Update a folder.
Schedule Installed Apps folder job
Get Installed Apps folder job result
Get Installed Apps folder job status
Get personal folder.
Create a new folder.
Content copy job status.
Start a content copy job.
Start a content deletion job.
Content deletion job status.
Start a content export job.
Move an item.
Add permissions to a content item.
Get permissions of a content item
Remove permissions from a content item.
Get content item by path.
List all dashboards.
Delete a dashboard.
Get a dashboard.
Update a dashboard.
Get dashboard migration result.
Get dashboard migration status.
Migrate Legacy Dashboards to Dashboards(New)
Preview of Migrating Legacy Dashboards to Dashboards(New)
Create a new dashboard.
Get report generation job result
Get report generation job status
Start a report job
Get a list of ingest budgets.
Delete an ingest budget.
Get an ingest budget.
Update an ingest budget.
Reset usage.
Create a new ingest budget.
List all metrics search pages.
Delete a metrics search page.
Get a metrics search page.
Update a metrics search page.
Create a new metrics search page.
Get a list of roles.
Delete a role.
Get a role.
Update a role.
Create a new role.
Remove role from a user.
Assign a role to a user.