API Reference
Complete API reference documentation for the Central Monitoring API.
Contents
API References
Browse all available endpoints with detailed schemas, examples, and responses:
Logs
V1
Deprecation Notice
The V1 logs endpoints (/v1/logs/scroll, /v1/logs/batch, and /v1/logs/batch/status) will be deprecated on March 1, 2026. Please migrate to the V2 endpoints.
POST /v1/logs/batch
Description: Recommended for queries retrieving > 100,000 logs. Returns a token to access presigned URLs containing batches of logs.
Request Body:
{
"application": "quasar",
"app_type": "caas",
"domain": "example.domain.com",
"time_range": "now-15m/m",
"size": 1000,
"filters": {"status": "error"}
}
Required Fields:
application(string): Name of the monitored application. Options: "atr", "klewer", "eventops", "quasar"time_range(string): Time range in OpenSearch format (e.g., 'now-15m/m')
Optional Fields:
app_type(string): Type of application environment. Options: "ec2", "caas"domain(string): Domain name of the monitored environmentsize(integer): Maximum number of results to return per requestfilters(object): JSON object containing additional key-value filterslog_group(string): Log group for EventOpstenant(string): Tenant identifier for EventOpsstage(string): Stage identifier for EventOps
Response (200):
{
"logs": [
{
"domain": "example.domain.com",
"time_range": "now-15m/m"
}
],
"token": "czpcL1wvY29nb",
"daily_requests_remaining": 480
}
Error Response (400):
{
"status_code" : 400
"detail": "Invalid application type. Must be one of: atr, klewer, eventops, quasar"
}
POST /v1/logs/batch/urls
Description: Use token from Batch API response to retrieve presigned URLs for S3 buckets containing batches of logs.
Request Body:
{
"token": "1OTk3LCJpc3MiOi"
}
Required Fields:
token(string): Access token for batch log retrieval
Response (200):
{
"presigned_urls": [
{
"presigned_url": "https://cm-api-logs-prod.s3.amazonaws.com/logs-domain-name?AWSAccessKeyId=...",
"time_range": "string",
"ready": true,
"status": "completed"
}
]
}
Error Response (401):
{
"status_code" : 401
"detail": "Invalid or missing token"
}
POST /v1/logs/scroll
Description: Recommended for queries retrieving < 100,000 logs. Retrieve logs using cursor-based pagination with the returned scrollId.
Request Body:
{
"application": "atr",
"app_type": "caas",
"domain": "example.domain.com",
"time_range": "now-15m/m",
"size": 1000,
"filters": {"message": "cluster down"}
}
Required Fields:
application(string): Name of the monitored application. Options: "atr", "klewer", "eventops", "quasar"time_range(string): Time range in OpenSearch format (e.g., 'now-15m/m')
Optional Fields:
app_type(string): Type of application environment. Options: "ec2", "caas"domain(string): Domain name of the monitored environmentsize(integer): Maximum number of results to return per requestfilters(object): JSON object containing additional key-value filtersscroll_id(string): Identifier used for paginated scrolling through large datasetslog_group(string): Log group for EventOpstenant(string): Tenant identifier for EventOpsstage(string): Stage identifier for EventOps
Response (200):
{
"logs": [
{
"domain": "example.domain.com",
"time_range": "now-15m/m"
}
],
"scroll_id": "DXF1ZXJ5QW5vbmU=",
"has_more": true,
"daily_requests_remaining": 480
}
Error Response (400):
{
"status_code" : 400
"detail": "Invalid application type. Must be one of: atr, klewer, eventops, quasar"
}
V2
POST /v2/logs/scroll
Description: Recommended for queries retrieving < 100,000 logs. Retrieve logs using cursor-based pagination with the returned scroll_id.
Request Body (EC2/Kubernetes):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"size": 100,
"domain": ["domain1.com", "domain2.com"],
"fields": ["timestamp", "message", "level"]
}
Request Body (Serverless):
{
"application": "eventops",
"app_type": "serverless",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"size": 100,
"log_group": ["*"],
"tenant": ["tenant1"],
"stage": ["prod"],
"fields": ["@timestamp", "logLevel", "message", "request.user_id", "request.endpoint", "response.status_code"],
"filters": [
{
"exists": {
"field": "user.id"
}
}
]
}
Request Body (Pagination):
{
"scroll_id": "previous_scroll_id_here"
}
Required Fields (Initial Request):
application(string): Name of the monitored application. Options: "atr", "klewer", "eventops", "quasar"start_time(string): Start time in ISO 8601 format (e.g., "2026-01-19T00:00:00Z" or "2026-01-19T00:00:00.000Z")end_time(string): End time in ISO 8601 formatapp_type(string): Application type. Options: "ec2", "kubernetes", "serverless"size(integer): Number of results to return (must be > 0)
Plus these depending on app_type:
- For
serverless(requiresapplication="eventops"):log_group(array): List of log groups or["*"]for alltenant(array): List of tenants or["*"]for allstage(array): List of stages or["*"]for all
- For
ec2/kubernetes:domain(array): List of domain names or["*"]for all
Optional Fields:
filters(array): List of OpenSearch filter objects to apply. See OpenSearch Query DSL for full syntax. Supported filter types:term- Exact match on a fieldterms- Match any of multiple valuesrange- Numeric or date range queriesexists- Check if a field existsbool- Combine filters with nested logic (must, should, must_not)match/match_phrase- Full-text search
fields(array): List of fields to include in response (if not provided, all fields are included)scroll_id(string): For pagination (when provided, only this field is required and all others become optional)
Special Rules:
- App Type Restrictions:
serverless→ must useapplication="eventops"+ requireslog_group,tenant,stageec2/kubernetes→ cannot useapplication="eventops"+ requiresdomain
- Wildcard Usage:
- When using
"*"in arrays, it must be the only element:["*"] - Cannot mix wildcard with other values:
["*", "something"]
- When using
- Scroll ID Requests:
- If
scroll_idis provided, all other fields become optional - Used for pagination to get next batch of results
- If
Sample Response (200):
{
"data": {
"logs": [
{
"_index": "logs-application-2026-01",
"_id": "abc123xyz",
"_score": 1.0,
"_source": {
"...": "Log content varies by application"
}
},
{
"_index": "logs-application-2026-01",
"_id": "def456uvw",
"_score": 1.0,
"_source": {
"...": "Log content varies by application"
}
}
],
"count": 3595
},
"meta": {
"api_version": "v2",
"time_range": {
"start": "2026-01-19T00:00:00Z",
"end": "2026-01-19T23:59:59Z"
},
"rate_limit": {
"daily_remaining": 47
},
"request_id": "10615c94-d835-413e-ad3f-57c5a4c2276b",
"scroll_id": "FGluY2x1ZGVfY29udGV4hYmMxMjN4eXpkZWY0NTZ1dnd..."
}
}
Response Fields:
data.logs(array): Array of log objects_index(string): OpenSearch index name_id(string): Unique log identifier_score(number): Relevance score_source(object): Log content - fields vary by application and log type
data.count(integer): Total number of logs matching the querymeta.api_version(string): API versionmeta.time_range(object): Query time rangemeta.rate_limit.daily_remaining(integer): Remaining API calls for the daymeta.request_id(string): Unique request identifiermeta.scroll_id(string): Pagination token for retrieving next batch of results
POST /v2/logs/batch
Description: Recommended for queries retrieving > 100,000 logs. Returns a token to access presigned URLs containing batches of logs.
Usage Flow:
- Call
/v2/logs/batch→ Get a token - Call
/v2/logs/batch/statuswith the token → Check status and get download URLs - Poll periodically - each partition can be downloaded when it shows
completed: true - Download logs from the presigned URLs
Request Body (EC2/Kubernetes):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["domain1.com", "domain2.com"],
"fields": ["timestamp", "message", "level"]
}
Request Body (Serverless):
{
"application": "eventops",
"app_type": "serverless",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"log_group": ["*"],
"tenant": ["tenant1"],
"stage": ["prod"],
"fields": ["@timestamp", "logLevel", "function_name", "request.method"],
"filters": [
{"term": {"message.keyword": "KeyError occurred"}},
{"term": {"function_memory_size": "1024"}}
]
}
Required Fields:
start_time(string): Start time in ISO 8601 format (e.g., "2026-01-19T00:00:00Z" or "2026-01-19T00:00:00.000Z")end_time(string): End time in ISO 8601 formatapplication(string): Application name. Options: "atr", "klewer", "eventops", "quasar"app_type(string): Application type. Options: "ec2", "kubernetes", "serverless"
Plus these depending on app_type:
- For
serverless:log_group(array): List of log groups or["*"]for alltenant(array): List of tenants or["*"]for allstage(array): List of stages or["*"]for all
- For
ec2/kubernetes:domain(array): List of domain names or["*"]for all
Optional Fields:
filters(array): List of OpenSearch filter objects to apply. See OpenSearch Query DSL for full syntax. Supported filter types:term- Exact match on a fieldterms- Match any of multiple valuesrange- Numeric or date range queriesexists- Check if a field existsbool- Combine filters with nested logic (must, should, must_not)match/match_phrase- Full-text search
fields(array): List of fields to include in response (if not provided, all fields are included)
Special Rules:
- App Type Restrictions:
serverless→ requireslog_group,tenant,stageec2/kubernetes→ requiresdomain
- Wildcard Usage:
- When using
"*"in arrays, it must be the only element:["*"] - Cannot mix wildcard with other values:
["*", "something"]
- When using
Response (200):
{
"data": {
"token": "a6EBWDj2yr5v1UUG"
},
"meta": {
"api_version": "v2",
"time_range": {
"start": "2026-01-20T03:35:03.399316Z",
"end": "2026-01-20T06:55:03.399316Z"
},
"rate_limit": {
"daily_remaining": 49
},
"request_id": "dbfc4889-a1da-40d0-8dc9-3e08ef3e913c",
"app_type": "kubernetes",
"domain": ["*"]
}
}
Response Fields:
data.token(string): Access token for retrieving presigned URLs via/v2/logs/batch/statusmeta.api_version(string): API versionmeta.time_range(object): Query time rangemeta.rate_limit.daily_remaining(integer): Remaining API calls for the daymeta.request_id(string): Unique request identifiermeta.app_type(string): Application type from the requestmeta.domain(array): Domain(s) from the request (present for ec2/kubernetes requests)meta.log_group(array): Log group(s) from the request (present for serverless requests)meta.tenant(array): Tenant(s) from the request (present for serverless requests)meta.stage(array): Stage(s) from the request (present for serverless requests)
POST /v2/logs/batch/status
Description: Use token from /v2/logs/batch response to retrieve presigned URLs for S3 buckets containing batches of logs.
Usage Flow:
- Call
/v2/logs/batch→ Get a token - Call
/v2/logs/batch/statuswith the token → Check status and get download URLs - Poll periodically - each partition can be downloaded when it shows
completed: true - Download logs from the presigned URLs
Request Body:
{
"token": "Paw21VHC3VxAs7F4"
}
Required Fields:
token(string): Token from the batch request
Request Validation:
- Token is trimmed of whitespace
- Empty or whitespace-only tokens are rejected
Response (200):
{
"presigned_urls": [
{
"start_time": "2026-01-20T03:52:06.960046Z",
"end_time": "2026-01-20T07:12:06.960046Z",
"log_count": 1234,
"presigned_url": "https://s3.amazonaws.com/...",
"completed": true,
"status": "completed"
}
]
}
Response Fields:
presigned_urls(array): Contains one object per partitionstart_time(string): Start time of this partition's time rangeend_time(string): End time of this partition's time rangelog_count(integer): Number of logs in this partition (0 if none)presigned_url(string): S3 presigned URL to download the logs (or "null" if not ready)completed(boolean): Indicates if this partition is ready for downloadstatus(string): Status of the partition (e.g., "completed", "processing", "pending")
POST /v2/logs/aggs
Description: Retrieve aggregated statistics and analytics from logs using OpenSearch aggregation queries. Supports terms aggregations, histograms, metrics, and nested aggregations.
Request Body (EC2/Kubernetes):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["domain1.com", "domain2.com"],
"aggs": {
"log_levels": {
"terms": {
"field": "regex.extractions.logLevel",
"size": 10
}
},
"logs_over_time": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1h"
}
}
}
}
Request Body (Serverless):
{
"application": "eventops",
"app_type": "serverless",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"log_group": ["*"],
"tenant": ["tenant1"],
"stage": ["prod"],
"aggs": {
"event_origins": {
"terms": {
"field": "event.origin",
"size": 20
}
},
"error_count": {
"filter": {
"term": {
"logLevel": "ERROR"
}
}
}
}
}
Required Fields:
application(string): Name of the monitored application. Options: "atr", "klewer", "eventops", "quasar"start_time(string): Start time in ISO 8601 format (e.g., "2026-01-19T00:00:00Z" or "2026-01-19T00:00:00.000Z")end_time(string): End time in ISO 8601 formatapp_type(string): Application type. Options: "ec2", "kubernetes", "serverless"aggs(object): OpenSearch aggregation definition (must contain at least one aggregation)
Plus these depending on app_type:
- For
serverless:log_group(array): List of log groups or["*"]for alltenant(array): List of tenants or["*"]for allstage(array): List of stages or["*"]for all
- For
ec2/kubernetes:domain(array): List of domain names or["*"]for all
Aggregation Types:
The aggs field accepts any valid OpenSearch aggregation. Common types include:
- Terms Aggregation - Group by field values:
"aggs": {
"by_field": {
"terms": {
"field": "field_name",
"size": 10
}
}
}
- Date Histogram - Group by time intervals:
"aggs": {
"over_time": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1h"
}
}
}
- Filter Aggregation - Count documents matching criteria:
"aggs": {
"error_logs": {
"filter": {
"term": {
"logLevel": "ERROR"
}
}
}
}
- Nested Aggregations - Combine multiple aggregations:
"aggs": {
"by_domain": {
"terms": {
"field": "atr.domain_name",
"size": 10
},
"aggs": {
"by_level": {
"terms": {
"field": "regex.extractions.logLevel",
"size": 5
}
}
}
}
}
- Filter with Sub-aggregations - Analyze subset of data:
"aggs": {
"error_analysis": {
"filter": {
"term": {
"regex.extractions.logLevel": "ERROR"
}
},
"aggs": {
"hourly_errors": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1h"
}
}
}
}
}
See OpenSearch Aggregations for full syntax.
Special Rules:
- App Type Restrictions:
serverless→ requireslog_group,tenant,stageec2/kubernetes→ requiresdomain
- Wildcard Usage:
- When using
"*"in arrays, it must be the only element:["*"] - Cannot mix wildcard with other values:
["*", "something"]
- When using
- Time Range:
end_timemust be afterstart_time- No maximum time range limit
Sample Response (200):
{
"data": {
"aggregations": {
"log_levels": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "WARN",
"doc_count": 117315928
},
{
"key": "INFO",
"doc_count": 33176681
},
{
"key": "ERROR",
"doc_count": 107146
}
]
},
"logs_over_time": {
"buckets": [
{
"key_as_string": "2026-01-19T00:00:00.000Z",
"key": 1737244800000,
"doc_count": 45231
},
{
"key_as_string": "2026-01-19T01:00:00.000Z",
"key": 1737248400000,
"doc_count": 52187
}
]
}
},
"total_documents": 269456123
},
"meta": {
"api_version": "v2",
"time_range": {
"start": "2026-01-19T00:00:00Z",
"end": "2026-01-19T23:59:59Z"
},
"rate_limit": {
"daily_remaining": 999
},
"request_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"application": "atr",
"app_type": "kubernetes",
"domain": ["domain1.com", "domain2.com"]
}
}
Response Fields:
data.aggregations(object): Aggregation results - structure varies based on your aggregation definition- For terms aggregations: Contains
bucketsarray withkeyanddoc_count - For date histograms: Contains
bucketsarray withkey_as_string,key, anddoc_count - For filter aggregations: Contains
doc_countnumber - For nested aggregations: Contains nested aggregation results
- For terms aggregations: Contains
data.total_documents(integer): Total number of logs matching the query (before aggregation)meta.api_version(string): API versionmeta.time_range(object): Query time rangemeta.rate_limit.daily_remaining(integer): Remaining API calls for the daymeta.request_id(string): Unique request identifiermeta.application(string): Application name from requestmeta.app_type(string): Application type from requestmeta.domain(array): Domain filter (for non-serverless)meta.log_group(array): Log group filter (for serverless)meta.tenant(array): Tenant filter (for serverless)meta.stage(array): Stage filter (for serverless)
Workloads
V2
POST /v2/workloads/scroll
Description: Recommended for queries retrieving < 100,000 workloads. Retrieve workloads using cursor-based pagination with the returned scroll_id.
Request Body (EC2):
{
"application": "atr",
"app_type": "ec2",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["domain1.com", "domain2.com"],
"size": 100,
"fields": ["timestamp", "workload_id", "status"],
"filters": [
{
"bool": {
"must": [
{"term": {"ticket.type": "SR_TASK"}},
{"term": {"workload.trigger": "TICKET"}}
],
"must_not": [
{"term": {"workload.state": "FAILED"}}
]
}
}
]
}
Request Body (Kubernetes):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["*"],
"size": 50,
"filters": [
{
"terms": {
"workflow.name": ["Incident_Response_Workflow", "Scheduled_Maintenance_Workflow"]
}
}
]
}
Request Body (Pagination):
{
"scroll_id": "DnF1ZXJ5VGhlbkZldGNoAwAAAAAAAAABFmtQN..."
}
Required Fields (Initial Request):
application(string): Application name. Only "atr" is supportedstart_time(string): Start time in ISO 8601 format (e.g., "2026-01-19T00:00:00Z" or "2026-01-19T00:00:00.000Z")end_time(string): End time in ISO 8601 formatapp_type(string): Application type. Options: "ec2", "kubernetes"domain(array): List of domain names or["*"]for all (cannot be empty)
Optional Fields:
size(integer): Number of results to return (must be > 0)filters(array): List of OpenSearch filter objects to apply. See OpenSearch Query DSL for full syntax. Supported filter types:term- Exact match on a fieldterms- Match any of multiple valuesrange- Numeric or date range queriesexists- Check if a field existsbool- Combine filters with nested logic (must, should, must_not)match/match_phrase- Full-text search
fields(array): List of fields to include in response (if not provided, all fields are included)scroll_id(string): For pagination (when provided, only this field is required and all others become optional)
Special Rules:
- Application Restrictions:
- Only
"atr"is supported for workloads - No serverless support (only
"ec2"and"kubernetes")
- Only
- Domain Field:
- Must be a list of strings
- Cannot be empty
- When using
"*"in arrays, it must be the only element:["*"] - Cannot mix wildcard with other values:
["*", "domain1"]
- Scroll ID Requests:
- If
scroll_idis provided, all other fields become optional - Used for pagination to get next batch of results
- If
Sample Response (200):
{
"data": {
"workloads": [
{
"_index": "workloads-atr-2026-01",
"_id": "wl-abc123",
"_score": 1.0,
"_source": {
"...": "Workload content varies by application"
}
}
],
"count": 50
},
"meta": {
"api_version": "v2",
"time_range": {
"start": "2026-01-20T03:52:06.960046Z",
"end": "2026-01-20T07:12:06.960046Z"
},
"rate_limit": {
"daily_remaining": 48
},
"request_id": "3a5f1229-ccef-4fcb-be27-98fd88e950c7",
"app_type": "kubernetes",
"domain": ["domain1.com", "domain2.com"],
"scroll_id": "DnF1ZXJ5VGhlbkZldGNo...",
"workloads_available": 150
}
}
Response Fields:
data.workloads(array): Array of workload objects_index(string): OpenSearch index name_id(string): Unique workload identifier_score(number): Relevance score_source(object): Workload content - fields vary by application and workload type
data.count(integer): Number of workloads returned in this responsemeta.api_version(string): API versionmeta.time_range(object): Query time rangemeta.rate_limit.daily_remaining(integer): Remaining API calls for the daymeta.request_id(string): Unique request identifiermeta.app_type(string): Application type from requestmeta.domain(array): List of domains queriedmeta.scroll_id(string): Pagination token (present when more results available)meta.workloads_available(integer): Total workloads available (optional)
POST /v2/workloads/batch
Description: Recommended for queries retrieving > 100,000 workloads. Returns a token to access presigned URLs containing batches of workloads.
Usage Flow:
- Call
/v2/workloads/batch→ Get a token - Call
/v2/workloads/batch/statuswith the token → Check status and get download URLs - Poll periodically - each partition can be downloaded when it shows
completed: true - Download workloads from the presigned URLs
Request Body (Minimal):
{
"application": "atr",
"app_type": "ec2",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["domain1.com", "domain2.com"]
}
Request Body (With Filters):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["*"],
"filters": [
{
"bool": {
"must": [
{"term": {"ticket.type": "SR_TASK"}},
{"term": {"workload.trigger": "TICKET"}}
],
"must_not": [
{"term": {"workload.state": "FAILED"}}
]
}
}
]
}
Request Body (With Field Selection):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["domain1.com"],
"fields": ["timestamp", "workload_id", "status", "workflow.name"]
}
Required Fields:
application(string): Application name. Only "atr" is supportedstart_time(string): Start time in ISO 8601 format (e.g., "2026-01-19T00:00:00Z" or "2026-01-19T00:00:00.000Z")end_time(string): End time in ISO 8601 formatapp_type(string): Application type. Options: "ec2", "kubernetes"domain(array): List of domain names or["*"]for all (cannot be empty)
Optional Fields:
filters(array): List of OpenSearch filter objects to apply. See OpenSearch Query DSL for full syntax. Supported filter types:term- Exact match on a fieldterms- Match any of multiple valuesrange- Numeric or date range queriesexists- Check if a field existsbool- Combine filters with nested logic (must, should, must_not)match/match_phrase- Full-text search
fields(array): List of fields to include in response (if not provided, all fields are included)
Special Rules:
- Application Restrictions:
- Only
"atr"is supported for workloads - No serverless support (only
"ec2"and"kubernetes")
- Only
- Domain Field:
- Must be a list of strings
- Cannot be empty
- When using
"*"in arrays, it must be the only element:["*"] - Cannot mix wildcard with other values:
["*", "domain1"]
Response (200):
{
"data": {
"token": "Paw21VHC3VxAs7F4"
},
"meta": {
"api_version": "v2",
"time_range": {
"start": "2026-01-20T03:52:06.960046Z",
"end": "2026-01-20T07:12:06.960046Z"
},
"rate_limit": {
"daily_remaining": 48
},
"request_id": "3a5f1229-ccef-4fcb-be27-98fd88e950c7",
"app_type": "kubernetes",
"domain": ["domain1.com", "domain2.com"]
}
}
Response Fields:
data.token(string): Access token for retrieving presigned URLs via/v2/workloads/batch/statusmeta.api_version(string): API versionmeta.time_range(object): Query time rangemeta.rate_limit.daily_remaining(integer): Remaining API calls for the daymeta.request_id(string): Unique request identifiermeta.app_type(string): Application type from the requestmeta.domain(array): Domain(s) from the request
POST /v2/workloads/batch/status
Description: Use token from /v2/workloads/batch response to retrieve presigned URLs for S3 buckets containing batches of workloads.
Usage Flow:
- Call
/v2/workloads/batch→ Get a token - Call
/v2/workloads/batch/statuswith the token → Check status and get download URLs - Poll periodically - each partition can be downloaded when it shows
completed: true - Download workloads from the presigned URLs
Request Body:
{
"token": "Paw21VHC3VxAs7F4"
}
Required Fields:
token(string): Token from the batch request (must be non-empty)
Request Validation:
- Token is trimmed of whitespace
- Empty or whitespace-only tokens are rejected
Response (200):
{
"presigned_urls": [
{
"start_time": "2026-01-21T08:00:00Z",
"end_time": "2026-01-21T14:00:00Z",
"workload_count": 1523,
"presigned_url": "https://s3.amazonaws.com/...",
"completed": true,
"status": "completed"
},
{
"start_time": "2026-01-21T14:00:00Z",
"end_time": "2026-01-21T20:00:00Z",
"workload_count": 892,
"presigned_url": "null",
"completed": false,
"status": "processing"
}
]
}
Response Fields:
presigned_urls(array): Contains one object per partitionstart_time(string): Start time of this partition's time rangeend_time(string): End time of this partition's time rangeworkload_count(integer): Number of workloads in this partitionpresigned_url(string): S3 presigned URL to download the workloads (or "null" if not ready)completed(boolean): Indicates if this partition is ready for downloadstatus(string): Status of the partition (e.g., "completed", "processing", "failed")
Not Found Response (404):
{
"message": "No record of this token. Note: Tokens expire after 2 hours"
}
Validation Error (400):
{
"error": "Invalid input",
"details": "field required: token"
}
POST /v2/workloads/aggs
Description: Retrieve aggregated statistics and analytics from workloads using OpenSearch aggregation queries. Supports terms aggregations, histograms, metrics, and nested aggregations for analyzing workflow execution patterns.
Request Body:
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2026-01-19T00:00:00Z",
"end_time": "2026-01-19T23:59:59Z",
"domain": ["domain1.com", "domain2.com"],
"aggs": {
"by_workflow": {
"terms": {
"field": "workflow.name",
"size": 20
}
},
"by_domain": {
"terms": {
"field": "atr.domain_name",
"size": 10
}
},
"over_time": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1h"
}
}
}
}
Request Body (with filter):
{
"application": "atr",
"app_type": "kubernetes",
"start_time": "2025-01-01T00:00:00Z",
"end_time": "2026-01-28T23:59:59Z",
"domain": ["*"],
"aggs": {
"incident_workflow_count": {
"filter": {
"term": {
"workflow.name": "Incident_Response_Workflow"
}
}
},
"workflow_distribution": {
"terms": {
"field": "workflow.name",
"size": 50
}
}
}
}
Required Fields:
application(string): Name of the monitored application. Options: "atr"start_time(string): Start time in ISO 8601 format (e.g., "2026-01-19T00:00:00Z" or "2026-01-19T00:00:00.000Z")end_time(string): End time in ISO 8601 formatapp_type(string): Application type. Options: "ec2", "kubernetes"domain(array): List of domain names or["*"]for all domainsaggs(object): OpenSearch aggregation definition (must contain at least one aggregation)
Aggregation Types:
The aggs field accepts any valid OpenSearch aggregation. Common types include:
- Terms Aggregation - Group by field values:
"aggs": {
"by_workflow": {
"terms": {
"field": "workflow.name",
"size": 20
}
}
}
- Date Histogram - Group by time intervals:
"aggs": {
"over_time": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1d"
}
}
}
- Filter Aggregation - Count documents matching criteria:
"aggs": {
"specific_workflow": {
"filter": {
"term": {
"workflow.name": "Data_Processing_Workflow"
}
}
}
}
- Nested Aggregations - Combine multiple aggregations:
"aggs": {
"by_domain": {
"terms": {
"field": "atr.domain_name",
"size": 10
},
"aggs": {
"by_workflow": {
"terms": {
"field": "workflow.name",
"size": 5
}
}
}
}
}
- Filter with Sub-aggregations - Analyze subset of data:
"aggs": {
"incident_analysis": {
"filter": {
"term": {
"workflow.name": "Incident_Response_Workflow"
}
},
"aggs": {
"daily_counts": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1d"
}
}
}
}
}
See OpenSearch Aggregations for full syntax.
Special Rules:
- Wildcard Usage:
- When using
"*"in domain array, it must be the only element:["*"] - Cannot mix wildcard with other values:
["*", "something"]
- When using
- Time Range:
end_timemust be afterstart_time- No maximum time range limit
Sample Response (200):
{
"data": {
"aggregations": {
"by_workflow": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 125000,
"buckets": [
{
"key": "Incident_Response_Workflow",
"doc_count": 3126831
},
{
"key": "Scheduled_Maintenance_Workflow",
"doc_count": 1048182
},
{
"key": "Data_Enrichment_Workflow",
"doc_count": 745352
}
]
},
"by_domain": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "domain1.com",
"doc_count": 2500000
},
{
"key": "domain2.com",
"doc_count": 1800000
}
]
},
"over_time": {
"buckets": [
{
"key_as_string": "2026-01-19T00:00:00.000Z",
"key": 1737244800000,
"doc_count": 125000
},
{
"key_as_string": "2026-01-19T01:00:00.000Z",
"key": 1737248400000,
"doc_count": 132000
}
]
}
},
"total_documents": 5234567
},
"meta": {
"api_version": "v2",
"time_range": {
"start": "2026-01-19T00:00:00Z",
"end": "2026-01-19T23:59:59Z"
},
"rate_limit": {
"daily_remaining": 999
},
"request_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"app_type": "kubernetes",
"domain": ["domain1.com", "domain2.com"]
}
}
Response Fields:
data.aggregations(object): Aggregation results - structure varies based on your aggregation definition- For terms aggregations: Contains
bucketsarray withkeyanddoc_count - For date histograms: Contains
bucketsarray withkey_as_string,key, anddoc_count - For filter aggregations: Contains
doc_countnumber - For nested aggregations: Contains nested aggregation results
- For terms aggregations: Contains
data.total_documents(integer): Total number of workloads matching the query (before aggregation)meta.api_version(string): API versionmeta.time_range(object): Query time rangemeta.rate_limit.daily_remaining(integer): Remaining API calls for the daymeta.request_id(string): Unique request identifiermeta.app_type(string): Application type from requestmeta.domain(array): Domain filter from request
Common Fields for Workloads:
workflow.name- Workflow identifieratr.domain_name- Domain nameatr.infra_type- Infrastructure type (kubernetes, ec2)@timestamp- Timestamp of workload executionstatus- Workload status (if available)
Billing
V1
POST /v1/query
Description: Query billing data for a specific domain.
Request Body:
{
"domain": "example.domain.com",
"time_range": "now-15m/m"
}
Required Fields:
domain(string): Domain name of the monitored environmenttime_range(string): Time range in OpenSearch format (e.g., 'now-15m/m')
Response (200):
{
"summary": {
"ticket_count": 125,
"domain": "example.domain.com",
"time_range": "now-15m/m",
"client": "CMClient",
"live_status": "active",
"WBS": "1234ABCD",
"created": "2025-11-11T12:00:00Z",
"infra_type": "EC2",
"billing_type": "monthly",
"point_of_contact": "team@example.com"
},
"daily_requests_remaining": 480
}
Error Response (400):
{
"status_code" : 400
"detail": "Invalid input. Missing domain variable in payload"
}
Rate Limits
The API implements daily request limits to ensure safe usage:
- Each successful response includes a
daily_requests_remainingfield - Monitor this value to track your remaining quota
- Rate limit exceeded requests return HTTP 429 status
Authentication
All endpoints require JWT authentication. Include your token in the Authorization header.
For detailed authentication setup and examples, see Authentication.