Navigating between cluster resources and observable signals.
Overview
Observable resources produce many kinds of signal - logs, metrics, traces, alerts and others. Each type of signal can have its own distinct data model, naming conventions, query language, and storage. This makes it difficult to navigate relationships between cluster resources and the signals they generate.
Korrel8r is a rule based correlation engine, with an extensible rule set, that can navigate
↳ many types of signal and resource data
↳ using diverse schema, data models and naming conventions
↳ queried using diverse query languages
↳ stored in multiple stores with diverse query APIs
Each type of signal or resource is represented by a domain . Korrel8r can be extended to handle new signals and resources by adding new domains.
Relationships within and between domains are expressed as rules.
Korrel8r generates logical relationship graphs that are intended to be processed or displayed by other tools. There is a brief video demo. In the video, Korrel8r is generating the graphs that are shown in the panel on the right hand side.
The OpenTelemetry project defines a standard vocabulary for describing several types of signal. Korrel8r works with OpenTelemetry but does not require it. See About OpenTelemetry for more. |
About domains
A korrel8r domain represents one type of signal or resource. Available domains are described in the Domain Reference.
Each domain defines the following abstractions, allowing Korrel8r to treat domains uniformly:
- Object
-
A data type representing an instance of the domain’s signal or resource, for example a log record or a serialized Kubernetes resource. Korrel8r does not distinguish between signals and resources, they are correlated in the same way.
- Store
-
A service that can be queried for objects. A domain provides one or more types of store. Each store represents a storage service like the Kubernetes API server, Prometheus, Loki or others.
- Class
-
A named class of objects represented by the same data structure. A class name is a string of the form
domain:class
. Many domains have only one class, for example trace:span. Others have multiple classes. The [_k8s_domain] domain has a class for each kind of kubernetes resource, for examplek8s:Pod
andk8s:DaemonSet
- Query
-
A string of the form
domain:class:selector
which selects a set of objects from a store. Korrel8r does not define a query language, selectors use the native query language of the store. For example, a [_trace_domain] query ussing TraceQL:
trace:span:{.k8s.namespace.name="foobar"}
About rules
Rules express relationships between classes, possibly in different domains.
Rules are templates that generate a goal query using data from a start object. The start and goal can be different classes, possibly from different domains. If a rule cannot be applied to an object it may return a blank string, or raise an error.
The set of rules forms a graph connecting all the classes of data that korrel8r knows about. Korrel8r works by traversing this graph: applying rules to some initial objects, executing the resulting queries, retrieving more objects and so on.
There are two types of search:
- Goal search
-
Given a set of start objects and a goal class: find all paths from the start objects to objects in the goal class.
- Neighbourhood search
-
Given a set of start objects and a depth N: find all objects reachable from the start objects in N steps or less.
About OpenTelemetry
The OpenTelemetry project (OTEL) defines a standard vocabulary for traces, metrics, and logs. The Korrel8r [_trace_domain] domain uses OTEL attributes, other OTEL-based domains may be added future.
As OTEL is adopted, it will provide a more consistent vocabulary for Korrel8r rules, but it does not replace Korrel8r:
-
There are still widely-deployed systems that do not use OTEL conventions. Korrel8r can bridge between OTEL and non-OTEL systems.
-
OTEL, by itself, does not provide any mechanism for describing or navigating relationships between signals and resources.
-
OTEL does not standardize query languages or store APIs, even for OTEL-compliant systems.
-
Korrel8r handles resource and signal types that are not included (yet) in the OTEL specification. For example k8s:Event or netflow:network events.
Running Korrel8r
Korrel8r usually runs as a cluster service with a REST API. It is used as a back-end for tools that display correlation results. For example, the Red Hat OpenShift console uses Korrel8r to implement its {troubleshoopting-panel}[troubleshooting panel].
It can also be run from the command line for development and testing.
See Configuration for details of configuring Korrel8r.
Korrel8r uses a Bearer Token to authenticate itself to stores. When run as a server, it impersonates the client by copying the token from the incoming REST request. On the command line it uses the current kubectl login, so you need to be logged in to the cluster. |
In-cluster service
The Red Hat Cluster Observability Operator automatically installs and configures korrel8r on a Red Hat OpenShift cluster.
For testing and development you can also:
oc apply -k github.com/korrel8r/korrel8r/config/?version=main
oc apply -k github.com/korrel8r/korrel8r/config/?version=vX.Y.Z
To connect to your service from outside the cluster, you can expose it with an 'ingress' or 'route'.
oc apply -k github.com/korrel8r/korrel8r/config/route?version=main
HOST=$(oc get route/korrel8r -n korrel8r -o template={{.Spec.Host}}
You can use the Clients to test your service at $HOST
.
Out-of-cluster service
Korrel8r can run outside the cluster, using routes or ingress URLs to connect to observability stores inside the cluster. This can be useful for development and testing.
go install github.com/korrel8r/korrel8r/cmd/korrel8r@latest
Run korrel8r --help
to get command line help.
curl -o korrel8r.yaml https://raw.githubusercontent.com/korrel8r/korrel8r/main/etc/korrel8r/openshift-route.yaml
korrel8r -v2 --config korrel8r.yaml web --http=localhost:8080
See Clients for ways to test your service at http://localhost:8080
.
Clients
Once the Korrel8r service is running, there are several ways you can interact with the REST API.
-
Command line client
korrel8rcli
. -
Use a generic REST request tool like {https://curl.se/[curl]}
All of the clients require a Bearer Token to authenticate with the cluster.
|
korrel8rcli
korrel8rcli
is a simple command-line client of the Korrel8r service.
It is intended for development and experimentation.
In production korrel8r normally functions as a back-end for a console or other visualization or analysis tool.
go install github.com/korrel8r/client/cmd/korrel8rcli@latest
Run korrel8rcli --help
to get command line help.
If you are logged on to a cluster, korrel8rcli will automatically use your bearer token.
You can also specify a token explicitly with the --bearer-token
option.
In the following examples, replace http://korrel8r.example
with the URL for your korrel8r service.
Domains
korrel8rcli -u http://korrel8r.example domains
- name: alert
stores:
- alertmanager: https://alertmanager-main.openshift-monitoring.svc:9094
certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
domain: alert
metrics: https://thanos-querier.openshift-monitoring.svc:9091
- name: k8s
stores:
- domain: k8s
- name: log
stores:
- certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
domain: log
lokiStack: https://logging-loki-gateway-http.openshift-logging.svc:8080
- name: metric
stores:
- certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
domain: metric
metric: https://thanos-querier.openshift-monitoring.svc:9091
- name: mock
stores: null
- name: netflow
stores:
- certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
domain: netflow
lokiStack: https://loki-gateway-http.netobserv.svc:8080
Neighbours
korrel8rcli -o json neighbours http://korrel8r.example --query 'k8s:Deployment:{namespace: korrel8r}'
{"edges":[{"goal":"k8s:Pod/v1","start":"k8s:Deployment.apps/v1"},...
"nodes":[{"class":"log:application","count":15,"queries":[...
Web browser
This tool is experimental, it may change or be dropped in future. |
korrel8rcli web -u http://korrel8r.example --addr :9090
Open localhost:9090
in a web browser.
You can type a korrel8r query in the Start
box, and a numeric depth (for neighbours) or korrel8r class name (for goal search).
You should see a graph of the correlations, like this.

Using curl
You can use a generic REST client like {https://curl.se/[curl]} to interact with korrel8r.
You must provide a bearer token, for example:
curl --oauth2-bearer $(oc whoami -t) http://localhost:8080/api/v1alpha1/domains
Troubleshooting
You can increase the verbosity of korrel8r logging at run time using the
|
korrel8rcli config --set-verbose=9
curl --oauth2-bearer $(oc whoami -t) -X PUT http://localhost:8080/api/v1alpha1/config?verbose=9
Configuration
Korrel8r loads configuration from a file or URL specified by the --config
option:
korrel8r --config <file_or_url>
The Korrel8r project provides example configuration files. You can download them or use them directly via URL.
- openshift-route.yaml
-
Run korrel8r outside the cluster, connect to stores via routes:
- openshift-svc.yaml
-
Used to run korrel8r as an In-cluster service, connect to stores via service URLs.
The configuration is a YAML file with the following sections:
include
include:
- "path_or_url"
stores
stores:
- domain: "domain_name" (1)
# Domain-specific fields (2)
1 | Domain name of the store (required). |
2 | Domain-specific fields for connection parameters. See Domain Reference. |
Every entry in the stores
section has a domain
field to identify the domain.
Other fields depend on the domain, see Domain Reference.
Store fields may contain templates that expand to URLs.
stores:
- domain: log
lokiStack: <-
{{$r := get "k8s:Route.route.openshift.io/v1:{namespace: openshift-logging, name: logging-loki}" -}} (1)
https://{{ (first $r).Spec.Host -}} (2)
1 | Get a list of routes in "openshift-logging" named "logging-loki". |
2 | Use the .Spec.Host field of the first route as the host for the store URL. |
rules
rules:
- name: "rule_name" (1)
start: (2)
domain: "domain_name"
classes:
- "class_name"
goal: (3)
domain: "domain_name"
classes:
- "class_name"
result:
query: "query_template" (4)
1 | Name identifies the rule in graphs and for debugging. |
2 | Start objects for this rule must belong to one of the classes in the domain . |
3 | Goal queries generated by this rule may must retrieve one of the classes in the domain . |
4 | Result queries are generated by executing the query {go-template}` with the start object as context. |
Korrel8r comes with a comprehensive set of rules by default, but you can modify them or add your own.
A rule has the following key elements:
-
A set of start classes. The rule can apply to objects belonging to one of these classes.
-
A set of goal classes. The rule can generate queries for any of these classes.
-
A Go template to generate a goal query from a start object.
The query template should generate a string of the form:
<domain-name>:<class-name>:<query-details>
The query-details part depends on the domain, see Domain Reference
aliases
aliases:
- name: "alias_name" (1)
domain: "domain_name" (2)
classes: (3)
- "class_name"
1 | Alias name can be used in rule definitions wherever a class name is allowed. |
2 | Domain for classes in this alias. |
3 | Classes belonging to this alias. |
About Templates
Korrel8r rules and store configuration can include Go templates.
This is the same templat syntax as the kubectl command with the --output=template option.
|
Korrel8r provides additional template functions to simplify writing rules and configurations:
-
The sprig library of general purpose template functions is always available.
-
Some domains (for example the [_k8s_domain]) provide domain-specific functions, see the Domain Reference.
-
The following function is available for store configurations:
- query
-
Takes a single argument, a korrel8r query string. Executes the query and returns the result as a
[]any
. May return an error.Example: Query the k8s cluster for a route, extract the "host" field.{{(query "k8s:Route.route.openshift.io:{namespace: netobserv, name: loki}" | first).spec.host}}
Glossary
The terms used to discuss observability often have slightly different meanings in different contexts. This glossary clarifies how Korrel8r uses common terms.
|
- class
-
See Overview
- data model
-
Describes the data in a signal as a set of named fields. For example a log record might have a "body" field containing the original message, and a "timestamp" field containing the time it was produced.
- domain
-
See About domains
- object
-
See See Overview
- query
-
See About domains
- resource
-
A source of observable signals. Resources include nodes, pods, hosts and other entities that are described by signals. rule::
See About rules
- signal
-
A single data-item generated by some observable resource, for example a log record, cluster event, or metric time-series.
- store
-
Has a special meaning for Korrel8, see Overview
Domain Reference
Reference details for the for the classes, objects, queries and stores of each available domain.
-e
Alert domain
Package alert provides Prometheus alerts, queries and access to Thanos and AlertManager stores.
Class
There is a single class alert:alert
.
Object
An alert object is represented by this Go type. Rules starting from an alert should use the capitalized Go field names rather than the lowercase JSON names. Object
Query
A JSON map of string names to string values, matched against alert labels, for example:
alert:alert:{"alertname":"KubeStatefulSetReplicasMismatch","container":"kube-rbac-proxy-main","namespace":"openshift-logging"}
To query mutiple alerts at the same time, it’s possible to provide an array of maps:
alert:alert:[{"alertname":"alert1"},{"alertname":"alert2"}]
Store
A client of Prometheus and/or AlertManager. Store configuration:
domain: alert metrics: PROMETHEUS_URL alertmanager: ALERTMANAGER_URL
Either or both of metrics
or alertmanager
may be present.
-e = Incident domain
Package incident provides mapping to https://github.com/openshift/cluster-health-analyzer incidents.
Class
There is a single class incident:incident
.
Object
An incident object contains id and mapping to the sources (alert is the only supported source type at the moment).
Query
One can query the incident by its id.
incident:incident:{"id":"id-of-the-incident"}
It’s also possible to provide labels from an alert to get a corresponding incident.
incident:incident:{"alertLabels":{ "alertname":"AlertmanagerReceiversNotConfigured", "namespace":"openshift-monitoring"}}
Store
A client of Prometheus. Store configuration:
domain: incident metrics: PROMETHEUS_URL
-e = K8s domain
Kubernetes resources stored in a Kube API server.
Class
Class represents a kind of kubernetes resource. The format of a class name is: "k8s:KIND\[.VERSION]\[.GROUP]".
Missing VERSION implies "v1", if present VERSION must follow the Kubernetes version patterns. Missing GROUP implies the core group.
Examples: k8s:Pod
, ks8:Pod/v1
, k8s:Deployment.apps
, k8s:Deployment.apps/v1
, k8s:Route.route.openshift.io/v1
Object
Object represents a kubernetes resource as a map, map keys are serialized field names. Rule templates should use the JSON (lowerCase) field names, NOT the UpperCase Go struct field names.
Query
Example:
k8s:Pod.v1:{"namespace":"openshift-cluster-version","name":"cluster-version-operator-8d86bcb65-btlgn"}
Store
The k8s domain automatically connects to the current cluster (as determined by kubectl), no additional configuration is needed.
stores: domain: k8s
Template Functions
The following template functions are available to rules.
- k8sClass
-
Takes string arguments (apiVersion, kind). Returns the korrel8r.Class implied by the arguments, or an error.
-e = Log domain :logql: LogQL
Logs can be stored on the cluster in LokiStack or in an external Loki server. They can also be retrieved directly from the Kubernetes API server. Direct API server access does not provide long-term log storage, but it gives short-term access when there is no long term log store available.
Class
There are 3 classes corresponding to the 3 openshift logging log types:
-
log:application
-
log:infrastructure
-
log:audit
Object
A log object is a set of attributes in a map with string keys and values.
Attribute names contain only ASCII letters, digits, underscores, and (required for Loki labels).
Other characters are replaced with "_".
For stored logs: Loki stream labels and structured metadata labels become attributes. If the log body is a JSON object, all nested field paths are flattened into attribute names.
For direct logs: the pod, namespace, and label meta-data are added as attributes using the same label names as for stored logs.
Special attributes:
-
body
- original log message. -
timestamp
- time the log was produced, if known, in RFC3999 format. -
observed_timestamp
- time the log was first stored or recorded, in RFC3999 format.
Viaq and OTEL attributes
The openshift logging collector can store loges in two formats:
-
Viaq: legacy format with attributes like: "kubernetes_namespace_name", "kubernetes_pod_name"
-
OTEL: new standard format with attributes like: "k8s_namespace_name", "k8s_pod_name". Note the use of "_" rather than "." to give legal Loki label names. Otherwise these names are as given in the OTEL specification.
For stored logs, korrel8r returns whatever format has been stored in Loki. For direct logs, both Viaq and OTEL attributes are included to aid migration.
Query
A query starts with the log class, followed by one of the following:
-
A container selector: This can be used for stored logs and/or direct API log access.
-
A {LogQL} expression: LogQL queries can only be used to retrieve stored logs
Container selectors
A container selector is a JSON map of the form:
{
"namespace": "pod_namespace",
"name": "pod_name",
"labels": { "label_name": "label_value", ... },
"fields": { "field_name": "field_value", ... },
"containers": ["container_name", "another_container_name", ...],
}
All fields are optional. For example: to get logs from containers named "foo" or "bar" in pods from namespace "app":
log:application:{ "namespace": "app", "containers":["foo", "bar"]}
If stored logs are available, the container selector is automatically translated into an equivalent LogQL expression.
LogQL queries
A LogQL query includes a literal {LogQL} expression, for example:
log:infrastructure:{kubernetes_namespace_name="openshift-cluster-version", kubernetes_pod_name=~".*-operator-.*"}
Viaq and OTEL
When translating container selectors into LogQL, Korrel8r currently uses Viaq attributes. This works with existing deployments and with the early support for OTEL logging, which include backaward-compatible Viaq labels.
Korrel8r will be updated to use OTEL directly in future.
Store Configuration
The store configuration must include domain: log
.
It may include an optional loki: URL
or lokiStack: URL
, but not both.
It may include an optional direct: true
to enable direct API server logs.
The default configuration is:
domain: log
lokiStack: https:url_of_default_lokiStack
direct: true
Korrel8r log queries will do the following:
-
Try to connect to the loki/lokiStack URL and retrieve stored logs.
-
If that fails, use the API server directly as an alternate.
You can also configure a store with only direct: true
to use only API server access,
or only loki
or lokiStack
to use only stored logs.
Template functions
The following functions can be used in rule templates when the log domain is available:
- logTypeForNamespace
-
Takes a namespace string argument. Returns the log type: "application" or "infrastructure"
- logSafeLabel
-
Replace all characters other than alphanumerics, '' and ':' with ''.
- logSafeLabels
-
Takes a
map[string]string
argument. Returns a map where each key is replaced by the result oflogSafeLabel
-e = Metric domain
Prometheus metric time-series.
Class
There is only one class: metric:metric
Object
A Metric is a time series identified by a label set. Korrel8r does not consider load the sample data for a time series, or use it in rules. If a korrel8r search time constraints, then metrics that have no values that meet the constraint are ignored.
Query
Query is a PromQL query string.
Korrel8r uses metric labels for correlation, it does not use time-series data values. The PromQL query is analyzed to identify series it uses, labels of those series are used for correlation.
Store
Prometheus is the store, store configuration:
domain: metric metric: URL_OF_PROMETHEUS
-e = Netflow domain
Package netflow is a domain for network observability flow events stored in Loki or LokiStack.
Class
There is a single class netflow:network
Query
A query is a LogQL query string, prefixed by netflow:network:
, for example:
netflow:network:{SrcK8S_Type="Pod", SrcK8S_Namespace="myNamespace"}
Store
To connect to a netflow lokiStack store use this configuration:
domain: netflow lokistack: URL_OF_LOKISTACK_PROXY
To connect to plain loki store use:
domain: netflow loki: URL_OF_LOKI
-e
= Trace domain
:copyright: This file is part of korrel8r, released under https://github.com/korrel8r/korrel8r/blob/main/LICENSE
:description: Correlation of observability signal data
:keywords: correlation, observability, resource, signal, kubernetes
:icons: font
:sectanchors:
:sectlinks:
:project: https://github.com/korrel8r/korrel8r
:pages: https://korrel8r.github.io/korrel8r
:raw-etc-korrel8r: https://raw.githubusercontent.com/korrel8r/korrel8r/main/etc/korrel8r
:etc-korrel8r: https://github.com/korrel8r/korrel8r/blob/main/etc/korrel8r
:korrel8r-help: xref:gen/cmd/korrel8r.adoc
:korrel8rcli-help: xref:gen/cmd/korrel8rcli.adoc
:otel-signals: https://opentelemetry.io/docs/concepts/signals/
:pkg-korrel8r: https://pkg.go.dev/github.com/korrel8/korrel8/pkg/korrel8
:curl: curl
:goref-badge: image:https://pkg.go.dev/badge/github.com/korrel8r/korrel8r.svg
:pkg-dev: https://pkg.go.dev/github.com/korrel8r/korrel8r/
:pkg-dev-domains: https://pkg.go.dev/github.com/korrel8r/korrel8r/pkg/domains
:icon:
:operator: Korrel8r Community Operator
:otel-icon:
:otel: OpenTelemetry
:red-hat: Red Hat
:rh-logging: logging subsystem for Red Hat OpenShift
:rh-ocp: Red Hat OpenShift
:rh-coo: Red Hat Cluster Observability Operator
:go-templates: Go templates
:sprig: sprig
Class
Class singleton trace:span
representing an OpenTelemetry span
A trace is simply a set of spans with the same trace-id. There is no explicit class or object representing a trace.
Object
Object represents an OpenTelemetry span
A trace is simply a set of spans with the same trace-id. There is no explicit class or object representing a trace.
Query
Query selector has two forms: a TraceQL query string, or a list of trace IDs.
A TraceQL query selects spans from many traces that match the query criteria. Example:
`trace:span:{resource.k8s.namespace.name="korrel8r"}`
A trace-id query is a list of hexadecimal trace IDs. It returns all the spans included by each trace. Example:
`trace:span:a7880cc221e84e0d07b15993358811b7,b7880cc221e84e0d07b15993358811b7
Store
The trace domain accepts an optional "tempostack" field with a URL for tempostack. If absent, connect to the default location for the trace store on an Openshift cluster.
stores: domain: trace tempostack: "https://url-of-tempostack"
Korrel8r REST API
Introduction
Generate graphs showing correlations between resources and observability signals in a cluster.
Endpoints
Configure
setConfig
PUT /config
Change configuration settings at runtime.
Description
Modify selected configuration settings (e.g. log verbosity) on a running service.
Parameters
Query Parameters
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
verbose |
Verbose setting for logging. |
- |
null |
Responses
Code | Message | Datatype |
---|---|---|
200 |
OK |
<<>> |
Correlate
graphGoals
POST /graphs/goals
Create a correlation graph from start objects to goal queries.
Description
Specify a set of start objects, as queries or serialized objects, and a goal class. Returns a graph containing all paths leading from a start object to a goal object.
Parameters
Body Parameter
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
request |
Search from start to goal classes. Goals |
X |
Query Parameters
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
options |
- |
null |
Content Type
-
application/json
Responses
Code | Message | Datatype |
---|---|---|
200 |
OK |
|
206 |
interrupted, partial result |
|
400 |
invalid parameters |
|
404 |
result not found |
graphNeighbours
POST /graphs/neighbours
Create a neighbourhood graph around a start object to a given depth.
Description
Specify a set of start objects, as queries or serialized objects, and a depth for the neighbourhood search. Returns a graph of all paths with depth or less edges leading from start objects.
Parameters
Body Parameter
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
request |
Search from start for neighbours. Neighbours |
X |
Query Parameters
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
options |
- |
null |
Content Type
-
application/json
Responses
Code | Message | Datatype |
---|---|---|
200 |
OK |
|
206 |
interrupted, partial result |
|
400 |
invalid parameters |
|
404 |
result not found |
listGoals
POST /lists/goals
Create a list of goal nodes related to a starting point.
Description
Specify a set of start objects, as queries or serialized objects, and a goal class. Returns a list of all objects of the goal class that can be reached from a start object.
Parameters
Body Parameter
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
request |
search from start to goal classes Goals |
X |
Return Type
array[Node]
Content Type
-
application/json
Query
listDomains
GET /domains
Get the list of correlation domains.
Description
Returns a list of Korrel8r domains and the stores configured for each domain.
Return Type
array[Domain]
Content Type
-
application/json
query
GET /objects
Execute a query, returns a list of JSON objects.
Description
Execute a single Korrel8r 'query' and return the list of serialized objects found. Does not perform any correlation actions.
Parameters
Query Parameters
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
query |
Query string. |
X |
null |
/:[^:]:[^:]+/ |
Content Type
-
application/json
Models
Constraint
Constrains the objects that will be included in search results.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
start |
Date |
Ignore objects with timestamps before this start time. |
date-time |
||
end |
Date |
Ignore objects with timestamps after this end time. |
date-time |
||
limit |
Integer |
Limit total number of objects per query. |
|||
timeout |
String |
Give up on requests to data stores if they take longer than this duration. |
duration |
Domain
Domain configuration information.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
X |
String |
Name of the domain. |
||
stores |
List of Store |
Stores configured for the domain. |
Edge
Directed edge in the result graph, from Start to Goal classes.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
start |
X |
String |
Class name of the start node. |
||
goal |
X |
String |
Class name of the goal node. |
||
rules |
List of Rule |
Set of rules followed along this edge. |
Error
Error result containing an error message.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
error |
X |
String |
Error message. |
Goals
Starting point for a goals search.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
goals |
X |
List of [string] |
Goal classes for correlation. |
||
start |
X |
Graph
Graph resulting from a correlation search.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
edges |
List of Edge |
List of graph edges. |
|||
nodes |
List of Node |
List of graph nodes. |
GraphOptions
Options controlling the form of the returned graph.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
rules |
Boolean |
Include rule names in graph edges. |
|||
zeros |
Boolean |
Include queries that returned no results. |
Neighbours
Starting point for a neighbours search.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
depth |
X |
Integer |
Max depth of neighbours graph. |
||
start |
X |
Node
Node in the result graph, contains results for a single class.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
class |
X |
String |
Full class name |
||
count |
Integer |
Number of results for this class, after de-duplication. |
|||
queries |
List of QueryCount |
Queries yielding results for this class. |
QueryCount
Query with number of results.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
count |
Integer |
Number of results, omitted if the query was not executed. |
|||
query |
X |
String |
Query for correlation data. |
Rule
Rule is a correlation rule with a list of queries and results counts found during navigation.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
X |
String |
Name is an optional descriptive name. |
||
queries |
List of QueryCount |
Queries generated while following this rule. |
Start
Start identifies a set of starting objects for correlation.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
class |
String |
Class of starting objects and queries. |
|||
constraint |
Constrain the objects that will be returned. |
||||
objects |
List of [map] |
Objects serialized as JSON. |
|||
queries |
List of [string] |
Queries for starting objects |
Store
Store is a map string keys and values used to connect to a store.
Field Name | Required | Nullable | Type | Description | Format |
---|