Navigating between cluster resources and observable signals.

Overview

Observable resources produce many kinds of signal - logs, metrics, traces, alerts and others. Each type of signal can have its own distinct data model, naming conventions, query language, and storage. This makes it difficult to navigate relationships between cluster resources and the signals they generate.

Korrel8r is a rule based correlation engine, with an extensible rule set, that can navigate
↳ many types of signal and resource data
↳ using diverse schema, data models and naming conventions
↳ queried using diverse query languages
↳ stored in multiple stores with diverse query APIs

Each type of signal or resource is represented by a domain . Korrel8r can be extended to handle new signals and resources by adding new domains.

Relationships within and between domains are expressed as rules.

Korrel8r generates logical relationship graphs that are intended to be processed or displayed by other tools. There is a brief video demo. In the video, Korrel8r is generating the graphs that are shown in the panel on the right hand side.

The OpenTelemetry project defines a standard vocabulary for describing several types of signal. Korrel8r works with OpenTelemetry but does not require it. See About OpenTelemetry for more.

About domains

A korrel8r domain represents one type of signal or resource. Available domains are described in the Domain Reference.

Each domain defines the following abstractions, allowing Korrel8r to treat domains uniformly:

Object

A data type representing an instance of the domain’s signal or resource, for example a log record or a serialized Kubernetes resource. Korrel8r does not distinguish between signals and resources, they are correlated in the same way.

Store

A service that can be queried for objects. A domain provides one or more types of store. Each store represents a storage service like the Kubernetes API server, Prometheus, Loki or others.

Class

A named class of objects represented by the same data structure. A class name is a string of the form domain:class. Many domains have only one class, for example trace:span. Others have multiple classes. The [_k8s_domain] domain has a class for each kind of kubernetes resource, for example k8s:Pod and k8s:DaemonSet

Query

A string of the form domain:class:selector which selects a set of objects from a store. Korrel8r does not define a query language, selectors use the native query language of the store. For example, a [_trace_domain] query ussing TraceQL:
trace:span:{.k8s.namespace.name="foobar"}

About rules

Rules express relationships between classes, possibly in different domains.

Rules are templates that generate a goal query using data from a start object. The start and goal can be different classes, possibly from different domains. If a rule cannot be applied to an object it may return a blank string, or raise an error.

The set of rules forms a graph connecting all the classes of data that korrel8r knows about. Korrel8r works by traversing this graph: applying rules to some initial objects, executing the resulting queries, retrieving more objects and so on.

There are two types of search:

Goal search

Given a set of start objects and a goal class: find all paths from the start objects to objects in the goal class.

Neighbourhood search

Given a set of start objects and a depth N: find all objects reachable from the start objects in N steps or less.

About OpenTelemetry

The OpenTelemetry project (OTEL) defines a standard vocabulary for traces, metrics, and logs. The Korrel8r [_trace_domain] domain uses OTEL attributes, other OTEL-based domains may be added future.

As OTEL is adopted, it will provide a more consistent vocabulary for Korrel8r rules, but it does not replace Korrel8r:

  • There are still widely-deployed systems that do not use OTEL conventions. Korrel8r can bridge between OTEL and non-OTEL systems.

  • OTEL, by itself, does not provide any mechanism for describing or navigating relationships between signals and resources.

  • OTEL does not standardize query languages or store APIs, even for OTEL-compliant systems.

  • Korrel8r handles resource and signal types that are not included (yet) in the OTEL specification. For example k8s:Event or netflow:network events.

Running Korrel8r

Korrel8r usually runs as a cluster service with a REST API. It is used as a back-end for tools that display correlation results. For example, the Red Hat OpenShift console uses Korrel8r to implement its {troubleshoopting-panel}[troubleshooting panel].

It can also be run from the command line for development and testing.

See Configuration for details of configuring Korrel8r.

Korrel8r uses a Bearer Token to authenticate itself to stores.
When run as a server, it impersonates the client by copying the token from the incoming REST request.
On the command line it uses the current kubectl login, so you need to be logged in to the cluster.

In-cluster service

The Red Hat Cluster Observability Operator automatically installs and configures korrel8r on a Red Hat OpenShift cluster.

For testing and development you can also:

Deploy the latest from github.
oc apply -k github.com/korrel8r/korrel8r/config/?version=main
Deploy version X.Y.Z from github.
oc apply -k github.com/korrel8r/korrel8r/config/?version=vX.Y.Z
Use community operator from OperatorHub, look for

Korrel8r Community Tile

To connect to your service from outside the cluster, you can expose it with an 'ingress' or 'route'.

Create a korrel route on Red Hat OpenShift
oc apply -k github.com/korrel8r/korrel8r/config/route?version=main
HOST=$(oc get route/korrel8r -n korrel8r -o template={{.Spec.Host}}

You can use the Clients to test your service at $HOST.

Out-of-cluster service

Korrel8r can run outside the cluster, using routes or ingress URLs to connect to observability stores inside the cluster. This can be useful for development and testing.

Install korrel8r command
go install github.com/korrel8r/korrel8r/cmd/korrel8r@latest

Run korrel8r --help to get command line help.

Download configuration for a Red Hat OpenShift cluster.
curl -o korrel8r.yaml  https://raw.githubusercontent.com/korrel8r/korrel8r/main/etc/korrel8r/openshift-route.yaml
Run as a service outside the cluster on localhost port 8080, with informational logging.
korrel8r -v2 --config korrel8r.yaml web --http=localhost:8080

See Clients for ways to test your service at http://localhost:8080.

Clients

Once the Korrel8r service is running, there are several ways you can interact with the REST API.

  • Command line client korrel8rcli.

  • Use a generic REST request tool like {https://curl.se/[curl]}

All of the clients require a Bearer Token to authenticate with the cluster.
If you are logged in to a Red Hat OpenShift cluster you can find your bearer token like this:

oc whoami -t

korrel8rcli

korrel8rcli is a simple command-line client of the Korrel8r service. It is intended for development and experimentation. In production korrel8r normally functions as a back-end for a console or other visualization or analysis tool.

Install korrel8rcli
go install github.com/korrel8r/client/cmd/korrel8rcli@latest

Run korrel8rcli --help to get command line help.

If you are logged on to a cluster, korrel8rcli will automatically use your bearer token. You can also specify a token explicitly with the --bearer-token option.

In the following examples, replace http://korrel8r.example with the URL for your korrel8r service.

Domains
Get the list of domains and store status.
korrel8rcli -u http://korrel8r.example domains
Example output
- name: alert
  stores:
  - alertmanager: https://alertmanager-main.openshift-monitoring.svc:9094
    certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
    domain: alert
    metrics: https://thanos-querier.openshift-monitoring.svc:9091
- name: k8s
  stores:
  - domain: k8s
- name: log
  stores:
  - certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
    domain: log
    lokiStack: https://logging-loki-gateway-http.openshift-logging.svc:8080
- name: metric
  stores:
  - certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
    domain: metric
    metric: https://thanos-querier.openshift-monitoring.svc:9091
- name: mock
  stores: null
- name: netflow
  stores:
  - certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
    domain: netflow
    lokiStack: https://loki-gateway-http.netobserv.svc:8080
Neighbours
Get the neighbours graph of the korreler deployment
korrel8rcli -o json neighbours http://korrel8r.example --query 'k8s:Deployment:{namespace: korrel8r}'
Output is a JSON-encoded graph.
{"edges":[{"goal":"k8s:Pod/v1","start":"k8s:Deployment.apps/v1"},...
 "nodes":[{"class":"log:application","count":15,"queries":[...
Web browser
This tool is experimental, it may change or be dropped in future.
Run a web server to vizualize results.
korrel8rcli web -u http://korrel8r.example --addr :9090
View results in a browser.

Open localhost:9090 in a web browser. You can type a korrel8r query in the Start box, and a numeric depth (for neighbours) or korrel8r class name (for goal search). You should see a graph of the correlations, like this.

Screenshot
Figure 1. Example graph.

Using curl

You can use a generic REST client like {https://curl.se/[curl]} to interact with korrel8r.

You must provide a bearer token, for example:

curl --oauth2-bearer $(oc whoami -t) http://localhost:8080/api/v1alpha1/domains

Red Hat Openshift troubleshooting panel

Troubleshooting

You can increase the verbosity of korrel8r logging at run time using the config API.
Using korrel8rcli
korrel8rcli config --set-verbose=9
Using curl
curl --oauth2-bearer $(oc whoami -t) -X PUT http://localhost:8080/api/v1alpha1/config?verbose=9

Configuration

Korrel8r loads configuration from a file or URL specified by the --config option:

korrel8r --config <file_or_url>

The Korrel8r project provides example configuration files. You can download them or use them directly via URL.

openshift-route.yaml

Run korrel8r outside the cluster, connect to stores via routes:

openshift-svc.yaml

Used to run korrel8r as an In-cluster service, connect to stores via service URLs.

The configuration is a YAML file with the following sections:

include

Other configuration fragments to include.
include:
  - "path_or_url"

stores

Connections to data stores.
stores:
  - domain: "domain_name" (1)
    # Domain-specific fields (2)
1 Domain name of the store (required).
2 Domain-specific fields for connection parameters. See Domain Reference.

Every entry in the stores section has a domain field to identify the domain. Other fields depend on the domain, see Domain Reference.

Store fields may contain templates that expand to URLs.

Example: configuring a store URL from an Openshift Route resource.
stores:
  - domain: log
    lokiStack: <-
      {{$r := get "k8s:Route.route.openshift.io/v1:{namespace: openshift-logging, name: logging-loki}" -}} (1)
      https://{{ (first $r).Spec.Host -}} (2)
1 Get a list of routes in "openshift-logging" named "logging-loki".
2 Use the .Spec.Host field of the first route as the host for the store URL.

rules

Rules to relate different classes of data.
rules:
  - name: "rule_name" (1)
    start: (2)
      domain: "domain_name"
      classes:
        - "class_name"
    goal: (3)
      domain: "domain_name"
      classes:
        - "class_name"
    result:
      query: "query_template" (4)
1 Name identifies the rule in graphs and for debugging.
2 Start objects for this rule must belong to one of the classes in the domain.
3 Goal queries generated by this rule may must retrieve one of the classes in the domain.
4 Result queries are generated by executing the query {go-template}` with the start object as context.

Korrel8r comes with a comprehensive set of rules by default, but you can modify them or add your own.

A rule has the following key elements:

  • A set of start classes. The rule can apply to objects belonging to one of these classes.

  • A set of goal classes. The rule can generate queries for any of these classes.

  • A Go template to generate a goal query from a start object.

The query template should generate a string of the form:

<domain-name>:<class-name>:<query-details>

The query-details part depends on the domain, see Domain Reference

aliases

Short-hand alias names for groups of classes.
aliases:
  - name: "alias_name" (1)
    domain: "domain_name" (2)
    classes: (3)
      - "class_name"
1 Alias name can be used in rule definitions wherever a class name is allowed.
2 Domain for classes in this alias.
3 Classes belonging to this alias.

About Templates

Korrel8r rules and store configuration can include Go templates.

This is the same templat syntax as the kubectl command with the --output=template option.

Korrel8r provides additional template functions to simplify writing rules and configurations:

  • The sprig library of general purpose template functions is always available.

  • Some domains (for example the [_k8s_domain]) provide domain-specific functions, see the Domain Reference.

  • The following function is available for store configurations:

    query

    Takes a single argument, a korrel8r query string. Executes the query and returns the result as a []any. May return an error.

    Example: Query the k8s cluster for a route, extract the "host" field.
    {{(query "k8s:Route.route.openshift.io:{namespace: netobserv, name: loki}" | first).spec.host}}

Glossary

The terms used to discuss observability often have slightly different meanings in different contexts. This glossary clarifies how Korrel8r uses common terms.

OpenTelemetry means the definition matches how OpenTelemetry uses the term.
icon means the term has a specific meaning for Korrel8r.
class

icon See Overview

data model

OpenTelemetry Describes the data in a signal as a set of named fields. For example a log record might have a "body" field containing the original message, and a "timestamp" field containing the time it was produced.

domain

icon See About domains

object

icon See See Overview

query

icon See About domains

resource

OpenTelemetry A source of observable signals. Resources include nodes, pods, hosts and other entities that are described by signals. rule::icon See About rules

signal

icon A single data-item generated by some observable resource, for example a log record, cluster event, or metric time-series.

store

icon Has a special meaning for Korrel8, see Overview

Domain Reference

Reference details for the for the classes, objects, queries and stores of each available domain.

-e

Alert domain

Package alert provides Prometheus alerts, queries and access to Thanos and AlertManager stores.

Class

There is a single class alert:alert.

Object

An alert object is represented by this Go type. Rules starting from an alert should use the capitalized Go field names rather than the lowercase JSON names. Object

Query

A JSON map of string names to string values, matched against alert labels, for example:

alert:alert:{"alertname":"KubeStatefulSetReplicasMismatch","container":"kube-rbac-proxy-main","namespace":"openshift-logging"}

To query mutiple alerts at the same time, it’s possible to provide an array of maps:

alert:alert:[{"alertname":"alert1"},{"alertname":"alert2"}]

Store

A client of Prometheus and/or AlertManager. Store configuration:

domain: alert
metrics: PROMETHEUS_URL
alertmanager: ALERTMANAGER_URL

Either or both of metrics or alertmanager may be present.

Go Reference

-e = Incident domain

Package incident provides mapping to https://github.com/openshift/cluster-health-analyzer incidents.

Class

There is a single class incident:incident.

Object

An incident object contains id and mapping to the sources (alert is the only supported source type at the moment).

Query

One can query the incident by its id.

incident:incident:{"id":"id-of-the-incident"}

It’s also possible to provide labels from an alert to get a corresponding incident.

incident:incident:{"alertLabels":{
 "alertname":"AlertmanagerReceiversNotConfigured",
 "namespace":"openshift-monitoring"}}

Store

A client of Prometheus. Store configuration:

domain: incident
metrics: PROMETHEUS_URL

Go Reference

-e = K8s domain

Kubernetes resources stored in a Kube API server.

Class

Class represents a kind of kubernetes resource. The format of a class name is: "k8s:KIND\[.VERSION]\[.GROUP]".

Missing VERSION implies "v1", if present VERSION must follow the Kubernetes version patterns. Missing GROUP implies the core group.

Examples: k8s:Pod, ks8:Pod/v1, k8s:Deployment.apps, k8s:Deployment.apps/v1, k8s:Route.route.openshift.io/v1

Object

Object represents a kubernetes resource as a map, map keys are serialized field names. Rule templates should use the JSON (lowerCase) field names, NOT the UpperCase Go struct field names.

Query

Example:

k8s:Pod.v1:{"namespace":"openshift-cluster-version","name":"cluster-version-operator-8d86bcb65-btlgn"}

Store

The k8s domain automatically connects to the current cluster (as determined by kubectl), no additional configuration is needed.

 stores:
	  domain: k8s

Template Functions

The following template functions are available to rules.

k8sClass

Takes string arguments (apiVersion, kind). Returns the korrel8r.Class implied by the arguments, or an error.

Go Reference

-e = Log domain :logql: LogQL

Logs can be stored on the cluster in LokiStack or in an external Loki server. They can also be retrieved directly from the Kubernetes API server. Direct API server access does not provide long-term log storage, but it gives short-term access when there is no long term log store available.

Class

There are 3 classes corresponding to the 3 openshift logging log types:

  • log:application

  • log:infrastructure

  • log:audit

Object

A log object is a set of attributes in a map with string keys and values.
Attribute names contain only ASCII letters, digits, underscores, and (required for Loki labels). Other characters are replaced with "_".

For stored logs: Loki stream labels and structured metadata labels become attributes. If the log body is a JSON object, all nested field paths are flattened into attribute names.

For direct logs: the pod, namespace, and label meta-data are added as attributes using the same label names as for stored logs.

Special attributes:

  • body - original log message.

  • timestamp - time the log was produced, if known, in RFC3999 format.

  • observed_timestamp - time the log was first stored or recorded, in RFC3999 format.

Viaq and OTEL attributes

The openshift logging collector can store loges in two formats:

  • Viaq: legacy format with attributes like: "kubernetes_namespace_name", "kubernetes_pod_name"

  • OTEL: new standard format with attributes like: "k8s_namespace_name", "k8s_pod_name". Note the use of "_" rather than "." to give legal Loki label names. Otherwise these names are as given in the OTEL specification.

For stored logs, korrel8r returns whatever format has been stored in Loki. For direct logs, both Viaq and OTEL attributes are included to aid migration.

Query

A query starts with the log class, followed by one of the following:

  • A container selector: This can be used for stored logs and/or direct API log access.

  • A {LogQL} expression: LogQL queries can only be used to retrieve stored logs

Container selectors

A container selector is a JSON map of the form:

{
  "namespace": "pod_namespace",
  "name": "pod_name",
  "labels": { "label_name": "label_value", ... },
  "fields": { "field_name": "field_value", ... },
  "containers": ["container_name", "another_container_name", ...],
}

All fields are optional. For example: to get logs from containers named "foo" or "bar" in pods from namespace "app":

log:application:{ "namespace": "app", "containers":["foo", "bar"]}

If stored logs are available, the container selector is automatically translated into an equivalent LogQL expression.

LogQL queries

A LogQL query includes a literal {LogQL} expression, for example:

log:infrastructure:{kubernetes_namespace_name="openshift-cluster-version", kubernetes_pod_name=~".*-operator-.*"}

Viaq and OTEL

When translating container selectors into LogQL, Korrel8r currently uses Viaq attributes. This works with existing deployments and with the early support for OTEL logging, which include backaward-compatible Viaq labels.

Korrel8r will be updated to use OTEL directly in future.

Store Configuration

The store configuration must include domain: log. It may include an optional loki: URL or lokiStack: URL, but not both. It may include an optional direct: true to enable direct API server logs.

The default configuration is:

domain: log
lokiStack: https:url_of_default_lokiStack
direct: true

Korrel8r log queries will do the following:

  1. Try to connect to the loki/lokiStack URL and retrieve stored logs.

  2. If that fails, use the API server directly as an alternate.

You can also configure a store with only direct: true to use only API server access, or only loki or lokiStack to use only stored logs.

Template functions

The following functions can be used in rule templates when the log domain is available:

logTypeForNamespace

Takes a namespace string argument. Returns the log type: "application" or "infrastructure"

logSafeLabel

Replace all characters other than alphanumerics, '' and ':' with ''.

logSafeLabels

Takes a map[string]string argument. Returns a map where each key is replaced by the result of logSafeLabel

Go Reference

-e = Metric domain

Prometheus metric time-series.

Class

There is only one class: metric:metric

Object

A Metric is a time series identified by a label set. Korrel8r does not consider load the sample data for a time series, or use it in rules. If a korrel8r search time constraints, then metrics that have no values that meet the constraint are ignored.

Query

Query is a PromQL query string.

Korrel8r uses metric labels for correlation, it does not use time-series data values. The PromQL query is analyzed to identify series it uses, labels of those series are used for correlation.

Store

Prometheus is the store, store configuration:

domain: metric
metric: URL_OF_PROMETHEUS

Go Reference

-e = Netflow domain

Package netflow is a domain for network observability flow events stored in Loki or LokiStack.

Class

There is a single class netflow:network

Object

A log object is a JSON map\[string]any in NetFlow format.

Query

A query is a LogQL query string, prefixed by netflow:network:, for example:

netflow:network:{SrcK8S_Type="Pod", SrcK8S_Namespace="myNamespace"}

Store

To connect to a netflow lokiStack store use this configuration:

domain: netflow
lokistack: URL_OF_LOKISTACK_PROXY

To connect to plain loki store use:

domain: netflow
loki: URL_OF_LOKI

Go Reference

-e = Trace domain :copyright: This file is part of korrel8r, released under https://github.com/korrel8r/korrel8r/blob/main/LICENSE :description: Correlation of observability signal data :keywords: correlation, observability, resource, signal, kubernetes :icons: font :sectanchors: :sectlinks: :project: https://github.com/korrel8r/korrel8r :pages: https://korrel8r.github.io/korrel8r :raw-etc-korrel8r: https://raw.githubusercontent.com/korrel8r/korrel8r/main/etc/korrel8r :etc-korrel8r: https://github.com/korrel8r/korrel8r/blob/main/etc/korrel8r :korrel8r-help: xref:gen/cmd/korrel8r.adoc :korrel8rcli-help: xref:gen/cmd/korrel8rcli.adoc :otel-signals: https://opentelemetry.io/docs/concepts/signals/ :pkg-korrel8r: https://pkg.go.dev/github.com/korrel8/korrel8/pkg/korrel8 :curl: curl :goref-badge: image:https://pkg.go.dev/badge/github.com/korrel8r/korrel8r.svg :pkg-dev: https://pkg.go.dev/github.com/korrel8r/korrel8r/ :pkg-dev-domains: https://pkg.go.dev/github.com/korrel8r/korrel8r/pkg/domains :icon: icon :operator: Korrel8r Community Operator :otel-icon: OpenTelemetry :otel: OpenTelemetry :red-hat: Red Hat :rh-logging: logging subsystem for Red Hat OpenShift :rh-ocp: Red Hat OpenShift :rh-coo: Red Hat Cluster Observability Operator :go-templates: Go templates :sprig: sprig

Package trace implements OpenTelemetry traces stored in the Grafana Tempo data store.

Class

Class singleton trace:span representing an OpenTelemetry span

A trace is simply a set of spans with the same trace-id. There is no explicit class or object representing a trace.

Object

Object represents an OpenTelemetry span

A trace is simply a set of spans with the same trace-id. There is no explicit class or object representing a trace.

Query

Query selector has two forms: a TraceQL query string, or a list of trace IDs.

A TraceQL query selects spans from many traces that match the query criteria. Example:

`trace:span:{resource.k8s.namespace.name="korrel8r"}`

A trace-id query is a list of hexadecimal trace IDs. It returns all the spans included by each trace. Example:

`trace:span:a7880cc221e84e0d07b15993358811b7,b7880cc221e84e0d07b15993358811b7

Store

The trace domain accepts an optional "tempostack" field with a URL for tempostack. If absent, connect to the default location for the trace store on an Openshift cluster.

stores:
  domain: trace
  tempostack: "https://url-of-tempostack"

korrel8r

Korrel8r REST API

Introduction

Generate graphs showing correlations between resources and observability signals in a cluster.

Endpoints

Configure

setConfig

PUT /config

Change configuration settings at runtime.

Description

Modify selected configuration settings (e.g. log verbosity) on a running service.

Parameters
Query Parameters
Name Description Required Default Pattern

verbose

Verbose setting for logging.

-

null
Return Type

-

Responses
Table 1. HTTP Response Codes
Code Message Datatype

200

OK

<<>>
Samples

Correlate

graphGoals

POST /graphs/goals

Create a correlation graph from start objects to goal queries.

Description

Specify a set of start objects, as queries or serialized objects, and a goal class. Returns a graph containing all paths leading from a start object to a goal object.

Parameters
Body Parameter
Name Description Required Default Pattern

request

Search from start to goal classes. Goals

X
Query Parameters
Name Description Required Default Pattern

options

-

null
Return Type

Graph

Content Type

  • application/json

Responses
Table 2. HTTP Response Codes
Code Message Datatype

200

OK

Graph

206

interrupted, partial result

Graph

400

invalid parameters

Error

404

result not found

Error
Samples

graphNeighbours

POST /graphs/neighbours

Create a neighbourhood graph around a start object to a given depth.

Description

Specify a set of start objects, as queries or serialized objects, and a depth for the neighbourhood search. Returns a graph of all paths with depth or less edges leading from start objects.

Parameters
Body Parameter
Name Description Required Default Pattern

request

Search from start for neighbours. Neighbours

X
Query Parameters
Name Description Required Default Pattern

options

-

null
Return Type

Graph

Content Type

  • application/json

Responses
Table 3. HTTP Response Codes
Code Message Datatype

200

OK

Graph

206

interrupted, partial result

Graph

400

invalid parameters

Error

404

result not found

Error
Samples

listGoals

POST /lists/goals

Create a list of goal nodes related to a starting point.

Description

Specify a set of start objects, as queries or serialized objects, and a goal class. Returns a list of all objects of the goal class that can be reached from a start object.

Parameters
Body Parameter
Name Description Required Default Pattern

request

search from start to goal classes Goals

X
Return Type

array[Node]

Content Type

  • application/json

Responses
Table 4. HTTP Response Codes
Code Message Datatype

200

OK

List[Node]

400

invalid parameters

Error

404

result not found

Error
Samples

Query

listDomains

GET /domains

Get the list of correlation domains.

Description

Returns a list of Korrel8r domains and the stores configured for each domain.

Parameters
Return Type

array[Domain]

Content Type

  • application/json

Responses
Table 5. HTTP Response Codes
Code Message Datatype

200

OK

List[Domain]

400

invalid parameters

Error

404

result not found

Error
Samples

query

GET /objects

Execute a query, returns a list of JSON objects.

Description

Execute a single Korrel8r 'query' and return the list of serialized objects found. Does not perform any correlation actions.

Parameters
Query Parameters
Name Description Required Default Pattern

query

Query string.

X

null

/:[^:]:[^:]+/
Return Type

[List]

Content Type

  • application/json

Responses
Table 6. HTTP Response Codes
Code Message Datatype

200

OK

List[[AnyType]]

400

invalid parameters

Error

404

result not found

Error
Samples

Models

Constraint

Constrains the objects that will be included in search results.

Field Name Required Nullable Type Description Format

start

Date

Ignore objects with timestamps before this start time.

date-time

end

Date

Ignore objects with timestamps after this end time.

date-time

limit

Integer

Limit total number of objects per query.

timeout

String

Give up on requests to data stores if they take longer than this duration.

duration

Domain

Domain configuration information.

Field Name Required Nullable Type Description Format

name

X

String

Name of the domain.

stores

List of Store

Stores configured for the domain.

Edge

Directed edge in the result graph, from Start to Goal classes.

Field Name Required Nullable Type Description Format

start

X

String

Class name of the start node.

goal

X

String

Class name of the goal node.

rules

List of Rule

Set of rules followed along this edge.

Error

Error result containing an error message.

Field Name Required Nullable Type Description Format

error

X

String

Error message.

Goals

Starting point for a goals search.

Field Name Required Nullable Type Description Format

goals

X

List of [string]

Goal classes for correlation.

start

X

Start

Graph

Graph resulting from a correlation search.

Field Name Required Nullable Type Description Format

edges

List of Edge

List of graph edges.

nodes

List of Node

List of graph nodes.

GraphOptions

Options controlling the form of the returned graph.

Field Name Required Nullable Type Description Format

rules

Boolean

Include rule names in graph edges.

zeros

Boolean

Include queries that returned no results.

Neighbours

Starting point for a neighbours search.

Field Name Required Nullable Type Description Format

depth

X

Integer

Max depth of neighbours graph.

start

X

Start

Node

Node in the result graph, contains results for a single class.

Field Name Required Nullable Type Description Format

class

X

String

Full class name

count

Integer

Number of results for this class, after de-duplication.

queries

List of QueryCount

Queries yielding results for this class.

QueryCount

Query with number of results.

Field Name Required Nullable Type Description Format

count

Integer

Number of results, omitted if the query was not executed.

query

X

String

Query for correlation data.

Rule

Rule is a correlation rule with a list of queries and results counts found during navigation.

Field Name Required Nullable Type Description Format

name

X

String

Name is an optional descriptive name.

queries

List of QueryCount

Queries generated while following this rule.

Start

Start identifies a set of starting objects for correlation.

Field Name Required Nullable Type Description Format

class

String

Class of starting objects and queries.

constraint

Constraint

Constrain the objects that will be returned.

objects

List of [map]

Objects serialized as JSON.

queries

List of [string]

Queries for starting objects

Store

Store is a map string keys and values used to connect to a store.

Field Name Required Nullable Type Description Format