Navigate relationships between cluster resources and observability signals.

What is Korrel8r?

Observability for Kubernetes clusters often involves multiple systems; logs in Loki, metrics in Prometheus, traces in Tempo, events in the API server, alerts in Alertmanager and so on. Each system has different data models, query languages, and APIs. When troubleshooting, you need to piece together information from multiple sources.

Korrel8r is a rule-based correlation engine that automatically discovers and graphs related resources and observability signals across multiple data stores. Given any starting point - an alert, a service or deployment that is in trouble etc - korrel8r will search for related data, potentially following multiple relationships between objects in different data stores.

Goal Search

Find paths from starting objects to a specific type of target data. For example: "Find all logs related to this Alert" might cause korrel8r to connect the alert to related deployments, the deployments to their pods, and finally the pods to logs.

Neighborhood Search

Find all data reachable within N steps from starting objects. For example: "Show me everything related to this Pod within 2 steps" might return deployments and services that own the Pod, logs from the pods containers, metrics describing the Pod, network flows with the Pod as an endpoint and so on.

Key Capabilities

  • Universal correlation: Connects data across multiple formats, stores, and query languages (OTEL, Prometheus/PromQL, Loki/LogQL, etc.)

  • Multiple stores: Relationships can span data in Prometheus, Loki, Alertmanager, Kubernetes API server, and more

  • Extensible rules: Configurable YAML rules define how different data types relate to each other

  • Extensible domains: Add new domains to handle new signal types, query languages, and data stores

  • Flexible deployment: Deploy as a REST service or use from the command line

Who Uses Korrel8r

  • Cluster administrators, SREs, and developers who need to troubleshoot issues across complex Kubernetes environments

  • Observability tool builders who want to display and manipulate correlation graphs

  • Integrated solutions for example the OpenShift troubleshooting panel

About OpenTelemetry

The OpenTelemetry project (OTEL) defines standard vocabularies for traces, metrics, and logs. Korrel8r can correlate OTEL data with other data formats for observability signals.

Korrel8r complements OTEL by:

  • Bridging between OTEL and non-OTEL systems

  • Providing correlation rules between different signal types

  • Supporting data types beyond the current OTEL specification (like Kubernetes events or network flows)

  • Working with any query language or storage system

How Korrel8r Works

Korrel8r organizes observability data into domains, and uses rules to navigate between them.

Domains organize data

A domain represents one type of signal or resource. For example: - k8s domain: Kubernetes resources (Pods, Services, Deployments, etc.) - log domain: Application and system logs - metric domain: Prometheus metrics - trace domain: Distributed traces - alert domain: Prometheus alerts

Available domains are described in the Domain Reference.

Each domain defines the following abstractions, allowing Korrel8r to treat domains uniformly:

Object

Individual data items returned by queries, for example a specific Pod, log entry, metric time series, trace span, etc. Signals and resources are all considered "objects".

Store

A backend service that holds the data (Kubernetes API, Prometheus, Loki, etc.)

Class

A specific type of data within a domain. Class names have the format domain:class.
Examples: k8s:Pod, k8s:Deployment, log:application, trace:span

Query

A request for data, formatted as domain:class:selector. The selector uses the native query language of the underlying store.
Examples:

  • k8s:Pod:{namespace: "default"} (Kubernetes resource selector)

  • log:application:{.kubernetes.namespace.name="default"} (LogQL query)

  • trace:span:{.k8s.namespace.name="foobar"} (Tempo query)

Rules connect data

Rules express relationships between classes, possibly in different domains.
For example: - "Pods belong to a Deployment" - relates k8s:Pod to k8s:Deployment - "Pods generate logs" - relates k8s:Pod to log:application - "Applications emit metrics" - relates k8s:Pod to metric:metric

Rules are templates that generate a goal query using data from a start object. The start and goal can be different classes, possibly from different domains. If a rule cannot be applied to an object it may return a blank string, or raise an error.

The set of rules forms a graph connecting all the classes of data that korrel8r knows about. Korrel8r works by traversing this graph: applying rules to some initial objects, executing the resulting queries, retrieving more objects and so on.

Getting Started

Korrel8r can run in different environments depending on your needs:

  • In-cluster service (recommended for production): Deployed as a Kubernetes service

  • Out-of-cluster service: Running locally or externally, connecting via routes/ingress

  • Command line: Direct command execution for testing and development

See Configuration for details on configuring stores and rules.

Authentication: Korrel8r uses Bearer Tokens to authenticate with cluster stores.

  • As a service: Impersonates clients by forwarding their Bearer tokens

  • Command line: Uses your current kubectl login credentials

Installation Options

Cluster Observability Operator (Recommended)

The Red Hat Cluster Observability Operator automatically installs and configures Korrel8r on Red Hat OpenShift clusters, configured to connect to the available stores and the console.

Direct Deployment

This deploys korrel8r in the namespace korrel8r with a configuration suitable for Red Hat OpenShift clusters. Modify configmap/korrel8r to change the configuration.

Deploy the latest version
oc apply -k github.com/korrel8r/korrel8r/config/?version=main
Deploy a specific version (replace X.Y.Z)
oc apply -k github.com/korrel8r/korrel8r/config/?version=vX.Y.Z

Accessing the Service

To access Korrel8r from outside the cluster, create a route:

oc apply -k github.com/korrel8r/korrel8r/config/route?version=main
export KORREL8R_URL=$(oc get route/korrel8r -n korrel8r -o template='https://{{.spec.host}}')
curl --oauth2-bearer $(oc whoami -t) http://$KORREL8R_URL/api/v1alpha1/domains

Running Outside the Cluster

You can run Korrel8r locally for development and testing. This connects to cluster stores via routes or ingress.

Step 1: Install the Korrel8r command
go install github.com/korrel8r/korrel8r/cmd/korrel8r@latest
korrel8r --help  # View available commands
Step 2: Download configuration for external access
curl -o korrel8r.yaml https://raw.githubusercontent.com/korrel8r/korrel8r/main/etc/korrel8r/openshift-route.yaml
Step 3: Run the service locally
korrel8r -v2 --config korrel8r.yaml web --http=localhost:8080

Your local Korrel8r service is now available at http://localhost:8080.

Using Korrel8r

Once your Korrel8r service is running, it provides a REST API. You can interact with it in several ways:

  • Command line client (korrel8rcli) - Purpose-built for Korrel8r

  • Direct HTTP request - Direct HTTP calls using curl or similar tools

  • OpenShift Console - Integrated troubleshooting panel

  • Web browser - Built-in visualization (experimental)

Clients require a Bearer Token to authenticate. If you are logged in to a cluster, you can find your bearer token like this:

oc whoami -t

Command Line Client (korrel8rcli)

The korrel8rcli client provides a simple way to explore correlations from the command line.

Installation
go install github.com/korrel8r/client/cmd/korrel8rcli@latest
korrel8rcli --help  # View available commands
Basic Usage

korrel8rcli automatically uses your cluster login credentials. Replace $KORREL8R_URL with your URL:

Checking Available Domains

First, check what data sources are available in your cluster:

korrel8rcli -u $KORREL8R_URL domains

This shows all configured domains and their connection status. Example output:

- name: k8s        # Kubernetes resources
  stores: [...]
- name: log        # Application logs (Loki)
  stores: [...]
- name: metric     # Prometheus metrics
  stores: [...]
- name: alert      # Prometheus alerts
  stores: [...]
- name: trace      # Distributed traces
  stores: [...]
Finding Related Data

Neighborhood Search: Find all data related to a specific resource:

# Find everything related to a deployment
korrel8rcli -u $KORREL8R_URL neighbors --query 'k8s:Deployment:{namespace: korrel8r}'

# Find everything related to a specific pod
korrel8rcli -u $KORREL8R_URL neighbors --query 'k8s:Pod:{namespace: default, name: my-pod}'

Goal Search: Find specific types of related data:

# Find all logs related to a deployment
korrel8rcli -u $KORREL8R_URL goals --start 'k8s:Deployment:{namespace: korrel8r}' --goal 'log:application'

# Find all alerts related to a namespace
korrel8rcli -u $KORREL8R_URL goals --start 'k8s:Namespace:{name: production}' --goal 'alert:alert'
Web Visualization (Experimental)

This feature is experimental and may change in future versions.

The korrel8rcli tool includes a web interface for visualizing correlation graphs:

korrel8rcli web -u $KORREL8R_URL --addr :9090

Open http://localhost:9090 in your browser. You can: - Enter a query in the "Start" box (e.g., k8s:Pod:{namespace: default}) - Specify search depth (for neighborhood) or target class (for goal search) - View interactive correlation graphs

Example correlation graph visualization

Direct REST API Access

You can use curl or any HTTP client to directly interact with the Korrel8r REST API:

# Get available domains
curl --oauth2-bearer $(oc whoami -t) $KORREL8R_URL/api/v1alpha1/domains

# Perform a neighborhood search
curl --oauth2-bearer $(oc whoami -t) \
     "$KORREL8R_URL/api/v1alpha1/graphs/neighbors?depth=2&query=k8s:Pod:{namespace:default}"

See the complete REST API Reference for all available endpoints.

OpenShift Console Integration

The Red Hat OpenShift Console includes a troubleshooting panel that uses Korrel8r to display clickable correlation graphs. When viewing resources in the console, you can navigate between related logs, metrics, alerts, and other observability data.

Troubleshooting

You can increase the verbosity of korrel8r logging at run time using the config API.
Using korrel8rcli
korrel8rcli config --set-verbose=9
Using curl
curl --oauth2-bearer $(oc whoami -t) -X PUT http://localhost:8080/api/v1alpha1/config?verbose=9

Configuration

Korrel8r loads configuration from a file or URL specified by the --config option:

korrel8r --config <file_or_url>

The Korrel8r project provides example configuration files. You can download them or use them directly via URL.

openshift-route.yaml

Run korrel8r outside the cluster, connect to stores via routes:

openshift-svc.yaml

Used to run korrel8r as an in-cluster service, connect to stores via service URLs.

The configuration is a YAML file with the following sections:

include

Other configuration fragments to include.
include:
  - "path_or_url"

stores

Connections to data stores.
stores:
  - domain: "domain_name" (1)
    # Domain-specific fields (2)
1 Domain name of the store (required).
2 Domain-specific fields for connection parameters. See Domain Reference.

Every entry in the stores section has a domain field to identify the domain. Other fields depend on the domain, see Domain Reference.

Store fields may contain templates that expand to URLs.

Example: configuring a store URL from an Openshift Route resource.
stores:
  - domain: log
    lokiStack: <-
      {{$r := get "k8s:Route.route.openshift.io/v1:{namespace: openshift-logging, name: logging-loki}" -}} (1)
      https://{{ (first $r).Spec.Host -}} (2)
1 Get a list of routes in "openshift-logging" named "logging-loki".
2 Use the .Spec.Host field of the first route as the host for the store URL.

rules

Rules to relate different classes of data.
rules:
  - name: "rule_name" (1)
    start: (2)
      domain: "domain_name"
      classes:
        - "class_name"
    goal: (3)
      domain: "domain_name"
      classes:
        - "class_name"
    result:
      query: "query_template" (4)
1 Name identifies the rule in graphs and for debugging.
2 Start objects for this rule must belong to one of the classes in the domain.
3 Goal queries generated by this rule may must retrieve one of the classes in the domain.
4 Result queries are generated by executing the query {go-template}` with the start object as context.

Korrel8r comes with a comprehensive set of rules by default, but you can modify them or add your own.

A rule has the following key elements:

  • A set of start classes. The rule can apply to objects belonging to one of these classes.

  • A set of goal classes. The rule can generate queries for any of these classes.

  • A Go template to generate a goal query from a start object.

The query template should generate a string of the form:

<domain-name>:<class-name>:<query-details>

The query-details part depends on the domain, see Domain Reference

aliases

Short-hand alias names for groups of classes.
aliases:
  - name: "alias_name" (1)
    domain: "domain_name" (2)
    classes: (3)
      - "class_name"
1 Alias name can be used in rule definitions wherever a class name is allowed.
2 Domain for classes in this alias.
3 Classes belonging to this alias.

About Templates

Korrel8r rules and store configuration can include Go templates.

This is the same templat syntax as the kubectl command with the --output=template option.

Korrel8r provides additional template functions to simplify writing rules and configurations:

  • The sprig library of general purpose template functions is always available.

  • Some domains (for example the K8s domain) provide domain-specific functions, see the Domain Reference.

  • The following function is available for store configurations:

    query

    Takes a single argument, a korrel8r query string. Executes the query and returns the result as a []any. May return an error.

    Example: Query the k8s cluster for a route, extract the "host" field.
    {{(query "k8s:Route.route.openshift.io:{namespace: netobserv, name: loki}" | first).spec.host}}

Domain Reference

Alert domain

Package alert provides Prometheus alerts, queries and access to Thanos and AlertManager stores.

Class

There is a single class alert:alert.

Object

An alert object is represented by this Go type. Rules starting from an alert should use the capitalized Go field names rather than the lowercase JSON names. Object

Query

A JSON map of string names to string values, matched against alert labels, for example:

alert:alert:{"alertname":"KubeStatefulSetReplicasMismatch","container":"kube-rbac-proxy-main","namespace":"openshift-logging"}

To query mutiple alerts at the same time, it’s possible to provide an array of maps:

alert:alert:[{"alertname":"alert1"},{"alertname":"alert2"}]

Store

A client of Prometheus and/or AlertManager. Store configuration:

domain: alert
metrics: PROMETHEUS_URL
alertmanager: ALERTMANAGER_URL

Either or both of metrics or alertmanager may be present.

Go Reference

Incident domain

Package incident provides mapping to https://github.com/openshift/cluster-health-analyzer incidents.

Class

There is a single class incident:incident.

Object

An incident object contains id and mapping to the sources (alert is the only supported source type at the moment).

Query

One can query the incident by its id.

incident:incident:{"id":"id-of-the-incident"}

It’s also possible to provide labels from an alert to get a corresponding incident.

incident:incident:{"alertLabels":{
 "alertname":"AlertmanagerReceiversNotConfigured",
 "namespace":"openshift-monitoring"}}

Store

A client of Prometheus. Store configuration:

domain: incident
metrics: PROMETHEUS_URL

Go Reference

K8s domain

Kubernetes resources stored in a Kube API server.

Class

Class represents a kind of kubernetes resource. The format of a class name is: "k8s:KIND\[.VERSION]\[.GROUP]".

Missing VERSION implies "v1", if present VERSION must follow the Kubernetes version patterns. Missing GROUP implies the core group.

Examples: k8s:Pod, ks8:Pod/v1, k8s:Deployment.apps, k8s:Deployment.apps/v1, k8s:Route.route.openshift.io/v1

Object

Object represents a kubernetes resource as a map, map keys are serialized field names. Rule templates should use the JSON (lowerCase) field names, NOT the UpperCase Go struct field names.

Query

Example:

k8s:Pod.v1:{"namespace":"openshift-cluster-version","name":"cluster-version-operator-8d86bcb65-btlgn"}

Store

The k8s domain automatically connects to the current cluster (as determined by kubectl), no additional configuration is needed.

 stores:
	  domain: k8s

Template Functions

The following template functions are available to rules.

k8sClass

Takes string arguments (apiVersion, kind). Returns the korrel8r.Class implied by the arguments, or an error.

Go Reference

Log domain

Logs can be stored on the cluster in LokiStack or in an external Loki server. They can also be retrieved directly from the Kubernetes API server. Direct API server access does not provide long-term log storage, but it gives short-term access when there is no long term log store available.

Class

There are 3 classes corresponding to the 3 openshift logging log types:

  • log:application

  • log:infrastructure

  • log:audit

Object

A log object is a set of attributes in a map with string keys and values.
Attribute names contain only ASCII letters, digits, underscores, and (required for Loki labels). Other characters are replaced with "_".

For stored logs: Loki stream labels and structured metadata labels become attributes. If the log body is a JSON object, all nested field paths are flattened into attribute names.

For direct logs: the pod, namespace, and label meta-data are added as attributes using the same label names as for stored logs.

Special attributes:

  • body - original log message.

  • timestamp - time the log was produced, if known, in RFC3999 format.

  • observed_timestamp - time the log was first stored or recorded, in RFC3999 format.

Viaq and OTEL attributes

The openshift logging collector can store loges in two formats:

  • Viaq: legacy format with attributes like: "kubernetes_namespace_name", "kubernetes_pod_name"

  • OTEL: new standard format with attributes like: "k8s_namespace_name", "k8s_pod_name". Note the use of "_" rather than "." to give legal Loki label names. Otherwise these names are as given in the OTEL specification.

For stored logs, korrel8r returns whatever format has been stored in Loki. For direct logs, both Viaq and OTEL attributes are included to aid migration.

Query

A query starts with the log class, followed by one of the following:

  • A container selector: This can be used for stored logs and/or direct API log access.

  • A LogQL expression: LogQL queries can only be used to retrieve stored logs

Container selectors

A container selector is a JSON map of the form:

{
  "namespace": "pod_namespace",
  "name": "pod_name",
  "labels": { "label_name": "label_value", ... },
  "fields": { "field_name": "field_value", ... },
  "containers": ["container_name", "another_container_name", ...],
}

All fields are optional. For example: to get logs from containers named "foo" or "bar" in pods from namespace "app":

log:application:{ "namespace": "app", "containers":["foo", "bar"]}

If stored logs are available, the container selector is automatically translated into an equivalent LogQL expression.

LogQL queries

A LogQL query includes a literal LogQL expression, for example:

log:infrastructure:{kubernetes_namespace_name="openshift-cluster-version", kubernetes_pod_name=~".*-operator-.*"}

Viaq and OTEL

When translating container selectors into LogQL, Korrel8r currently uses Viaq attributes. This works with existing deployments and with the early support for OTEL logging, which include backaward-compatible Viaq labels.

Korrel8r will be updated to use OTEL directly in future.

Store Configuration

The store configuration must include domain: log. It may include an optional loki: URL or lokiStack: URL, but not both. It may include an optional direct: true to enable direct API server logs.

The default configuration is:

domain: log
lokiStack: https:url_of_default_lokiStack
direct: true

Korrel8r log queries will do the following:

  1. Try to connect to the loki/lokiStack URL and retrieve stored logs.

  2. If that fails, use the API server directly as an alternate.

You can also configure a store with only direct: true to use only API server access, or only loki or lokiStack to use only stored logs.

Template functions

The following functions can be used in rule templates when the log domain is available:

logTypeForNamespace

Takes a namespace string argument. Returns the log type: "application" or "infrastructure"

logSafeLabel

Replace all characters other than alphanumerics, '' and ':' with ''.

logSafeLabels

Takes a map[string]string argument. Returns a map where each key is replaced by the result of logSafeLabel

Go Reference

Metric domain

Prometheus metric time-series.

Class

There is only one class: metric:metric

Object

A Metric is a time series identified by a label set. Korrel8r does not consider load the sample data for a time series, or use it in rules. If a korrel8r search time constraints, then metrics that have no values that meet the constraint are ignored.

Query

Query is a PromQL query string.

Korrel8r uses metric labels for correlation, it does not use time-series data values. The PromQL query is analyzed to identify series it uses, labels of those series are used for correlation.

Store

Prometheus is the store, store configuration:

domain: metric
metric: URL_OF_PROMETHEUS

Go Reference

Netflow domain

Package netflow is a domain for network observability flow events stored in Loki or LokiStack.

Class

There is a single class netflow:network

Object

A log object is a JSON map\[string]any in NetFlow format.

Query

A query is a LogQL query string, prefixed by netflow:network:, for example:

netflow:network:{SrcK8S_Type="Pod", SrcK8S_Namespace="myNamespace"}

Store

To connect to a netflow lokiStack store use this configuration:

domain: netflow
lokistack: URL_OF_LOKISTACK_PROXY

To connect to plain loki store use:

domain: netflow
loki: URL_OF_LOKI

Go Reference

Trace domain

Package trace implements OpenTelemetry traces stored in the Grafana Tempo data store.

Class

Class singleton trace:span representing an OpenTelemetry span

A trace is simply a set of spans with the same trace-id. There is no explicit class or object representing a trace.

Object

Object represents an OpenTelemetry span

A trace is simply a set of spans with the same trace-id. There is no explicit class or object representing a trace.

Query

Query selector has two forms: a TraceQL query string, or a list of trace IDs.

A TraceQL query selects spans from many traces that match the query criteria. Example:

`trace:span:{resource.k8s.namespace.name="korrel8r"}`

A trace-id query is a list of hexadecimal trace IDs. It returns all the spans included by each trace. Example:

`trace:span:a7880cc221e84e0d07b15993358811b7,b7880cc221e84e0d07b15993358811b7

Store

The trace domain accepts an optional "tempostack" field with a URL for tempostack. If absent, connect to the default location for the trace store on an Openshift cluster.

stores:
  domain: trace
  tempostack: "https://url-of-tempostack"

korrel8r

Korrel8r REST API

Introduction

Generate graphs showing correlations between resources and observability signals in a cluster.

Endpoints

Configure

setConfig

PUT /config

Change configuration settings at runtime.

Description

Modify selected configuration settings (e.g. log verbosity) on a running service.

Parameters
Query Parameters
Name Description Required Default Pattern

verbose

Verbose setting for logging.

-

null
Return Type

-

Responses
Table 1. HTTP Response Codes
Code Message Datatype

200

OK

<<>>
Samples

Correlate

graphGoals

POST /graphs/goals

Create a correlation graph from start objects to goal queries.

Description

Specify a set of start objects, as queries or serialized objects, and a goal class. Returns a graph containing all paths leading from a start object to a goal object.

Parameters
Body Parameter
Name Description Required Default Pattern

request

Search from start to goal classes. Goals

X
Query Parameters
Name Description Required Default Pattern

options

-

null
Return Type

Graph

Content Type

  • application/json

Responses
Table 2. HTTP Response Codes
Code Message Datatype

200

OK

Graph

400

invalid parameters

Error

404

result not found

Error
Samples

graphNeighbors

POST /graphs/neighbors

Create a neighborhood graph around a start object to a given depth.

Description

Specify a set of start objects, as queries or serialized objects, and a depth for the neighborhood search. Returns a graph of all paths with depth or less edges leading from start objects.

Parameters
Body Parameter
Name Description Required Default Pattern

request

Search from start for neighbors. Neighbors

X
Query Parameters
Name Description Required Default Pattern

options

-

null
Return Type

Graph

Content Type

  • application/json

Responses
Table 3. HTTP Response Codes
Code Message Datatype

200

OK

Graph

400

invalid parameters

Error

404

result not found

Error
Samples

graphNeighbours

POST /graphs/neighbours

Create a neighborhood graph around a start object to a given depth.

Description

Specify a set of start objects, as queries or serialized objects, and a depth for the neighborhood search. Returns a graph of all paths with depth or less edges leading from start objects.

Parameters
Body Parameter
Name Description Required Default Pattern

request

Search from start for neighbors. Neighbors

X
Query Parameters
Name Description Required Default Pattern

options

-

null
Return Type

Graph

Content Type

  • application/json

Responses
Table 4. HTTP Response Codes
Code Message Datatype

200

OK

Graph

400

invalid parameters

Error

404

result not found

Error
Samples

listGoals

POST /lists/goals

Create a list of goal nodes related to a starting point.

Description

Specify a set of start objects, as queries or serialized objects, and a goal class. Returns a list of all objects of the goal class that can be reached from a start object.

Parameters
Body Parameter
Name Description Required Default Pattern

request

search from start to goal classes Goals

X
Return Type

array[Node]

Content Type

  • application/json

Responses
Table 5. HTTP Response Codes
Code Message Datatype

200

OK

List[Node]

400

invalid parameters

Error

404

result not found

Error
Samples

Query

listDomains

GET /domains

Get the list of correlation domains.

Description

Returns a list of Korrel8r domains and the stores configured for each domain.

Parameters
Return Type

array[Domain]

Content Type

  • application/json

Responses
Table 6. HTTP Response Codes
Code Message Datatype

200

OK

List[Domain]

400

invalid parameters

Error

404

result not found

Error
Samples

objects

GET /objects

Execute a query, returns a list of JSON objects.

Description

Execute a single Korrel8r 'query' and return the list of serialized objects found. Does not perform any correlation actions.

Parameters
Query Parameters
Name Description Required Default Pattern

query

Query string.

X

null

/:[^:]:[^:]+/
Return Type

[List]

Content Type

  • application/json

Responses
Table 7. HTTP Response Codes
Code Message Datatype

200

OK

List[[AnyType]]

400

invalid parameters

Error

404

result not found

Error
Samples

Models

Constraint

Constrains the objects that will be included in search results.

Field Name Required Nullable Type Description Format

start

Date

Ignore objects with timestamps before this start time.

date-time

end

Date

Ignore objects with timestamps after this end time.

date-time

limit

Integer

Limit total number of objects per query.

timeout

String

DEPRECATED store calls are cancelled with the request.

duration

Domain

Domain configuration information.

Field Name Required Nullable Type Description Format

name

X

String

Name of the domain.

stores

List of Store

Stores configured for the domain.

Edge

Directed edge in the result graph, from Start to Goal classes.

Field Name Required Nullable Type Description Format

start

X

String

Class name of the start node.

goal

X

String

Class name of the goal node.

rules

List of Rule

Set of rules followed along this edge.

Error

Error result containing an error message.

Field Name Required Nullable Type Description Format

error

X

String

Error message.

Goals

Starting point for a goals search.

Field Name Required Nullable Type Description Format

goals

X

List of [string]

Goal classes for correlation.

start

X

Start

Graph

Graph resulting from a correlation search.

Field Name Required Nullable Type Description Format

edges

List of Edge

List of graph edges.

nodes

List of Node

List of graph nodes.

GraphOptions

Options controlling the form of the returned graph.

Field Name Required Nullable Type Description Format

rules

Boolean

If true include rule names in graph edges.

errors

Boolean

if true include non-fatal error messages.

Neighbors

Starting point for a neighbors search.

Field Name Required Nullable Type Description Format

depth

X

Integer

Max depth of neighbors graph.

start

X

Start

Node

Node in the result graph, contains results for a single class.

Field Name Required Nullable Type Description Format

class

X

String

Full class name

count

Integer

Number of results for this class, after de-duplication.

queries

List of QueryCount

Queries yielding results for this class.

QueryCount

Query with number of results.

Field Name Required Nullable Type Description Format

count

Integer

Number of results, omitted if the query was not executed.

query

X

String

Query for correlation data.

Rule

Rule is a correlation rule with a list of queries and results counts found during navigation.

Field Name Required Nullable Type Description Format

name

X

String

Name is an optional descriptive name.

queries

List of QueryCount

Queries generated while following this rule.

Start

Start identifies a set of starting objects for correlation.

Field Name Required Nullable Type Description Format

class

String

Class of starting objects and queries.

constraint

Constraint

Constrain the objects that will be returned.

objects

List of [map]

Objects serialized as JSON.

queries

List of [string]

Queries for starting objects

Store

Store is a map string keys and values used to connect to a store.

Field Name Required Nullable Type Description Format