seqcli

The Seq client command-line app. Supports logging (seqcli log), searching (search), tailing (tail), querying (query) and JSON or plain-text log file ingestion (ingest), and much more.

Getting started

The Seq installer for Windows includes seqcli. Otherwise, download the release for your operating system. Or, if you have dotnet installed, seqcli can be installed as a global tool using:

dotnet tool install --global seqcli

To set a default server URL and API key, run:

seqcli config -k connection.serverUrl -v https://your-seq-server
seqcli config -k connection.apiKey -v your-api-key

The API key will be stored in your SeqCli.json configuration file; on Windows, this is encrypted using DPAPI; on Mac/Linux the key is currently stored in plain text. As an alternative to storing the API key in configuration, it can be passed to each command via the --apikey= argument.

seqcli is also available as a Docker container under datalust/seqcli:

docker run --rm datalust/seqcli:latest <command> [<args>]

To connect to Seq in a docker container on the local machine use the machine's IP address (not localhost) or specify docker host networking with --net host.

Use Docker networks and volumes to make local files and other containers accessible to seqcli within its container.

Environment variable overrides

Each setting value can be overridden at runtime by specifying an environment variable of the form SEQCLI_<setting path>, where <setting path> contains one element for each dotted segment of the setting name, separated by underscores.

For example, the setting connection.serverUrl can be overridden with the SEQCLI_CONNECTION_SERVERURL variable.
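
An added example (not from the seqcli project) that applies this override rule to the API key on Mac/Linux, where SeqCli.json would otherwise hold it in plain text: the key is read from an owner-only file and handed to a single command through SEQCLI_CONNECTION_APIKEY. The function names and the key file location are assumptions.

```sh
#!/bin/sh
# Added example, not seqcli project code. Function names and the key file
# path are assumptions; the SEQCLI_<setting path> rule is the one described above.

# Map a dotted setting name to its override variable:
#   connection.apiKey -> SEQCLI_CONNECTION_APIKEY
seqcli_env_name() {
    printf 'SEQCLI_%s\n' "$(printf '%s' "$1" | tr '.' '_' | tr '[:lower:]' '[:upper:]')"
}

# Succeed only if the file exists and is accessible by its owner alone
# (mode 600 or 400). GNU stat is tried first, then BSD/macOS stat.
secret_file_is_private() {
    [ -f "$1" ] || return 2
    sf_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$sf_mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# with_seq_key KEY_FILE COMMAND [ARGS...]
# Runs COMMAND with the API key exported for that one process only. The key
# is neither written to SeqCli.json nor passed as --apikey=, so it does not
# appear on the command line, which other local users can normally read on
# Linux; a process environment is readable only by its owner and root.
with_seq_key() {
    wk_file=$1
    shift
    if ! secret_file_is_private "$wk_file"; then
        echo "refusing to use $wk_file: missing, or readable by group/others" >&2
        return 1
    fi
    (
        # The subshell keeps the variable out of the calling shell's environment.
        wk_var=$(seqcli_env_name connection.apiKey)
        export "$wk_var=$(cat "$wk_file")"
        exec "$@"
    )
}

# Typical use (key file path is an assumption):
#   with_seq_key "$HOME/.seq-apikey" seqcli apikey list
```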

Connecting without an API key

If you're automating Seq setup, chances are you won't have an API key yet for seqcli to use. During the initial Seq server configuration, you can specify firstRun.adminUsername and firstRun.adminPasswordHash (or the equivalent environment variables SEQ_FIRSTRUN_ADMINUSERNAME and SEQ_FIRSTRUN_ADMINPASSWORDHASH) to set an initial username and password for the administrator account. You can use these to create an API key, and then use the API key token with the remaining seqcli commands.

The seqcli apikey create command accepts --connect-username and --connect-password-stdin, and prints the new API key token to STDOUT (PowerShell syntax is used below):

$user = "admin"
$pw = "thepassword"
$token = (
  echo $pw |
  seqcli apikey create `
    -t CLI `
    --permissions="Read,Write,Project,Organization,System" `
    --connect-username $user --connect-password-stdin
)
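
A POSIX shell counterpart to the PowerShell snippet above, as an added example rather than seqcli project code: the password is fed on STDIN from a file and the returned token is written to an owner-only file. The function name, the SEQCLI variable and the file paths are assumptions; the seqcli options are the ones documented on this page, and the permission set defaults to Ingest, the documented default.

```sh
#!/bin/sh
# Added example, not seqcli project code. create_scoped_key, the SEQCLI
# variable and all file paths are assumptions; the flags are documented above.

# create_scoped_key USERNAME PASSWORD_FILE TOKEN_FILE [PERMISSIONS]
# Creates an API key using username/password authentication and stores the
# token in TOKEN_FILE with mode 600. PERMISSIONS is a comma-separated list;
# request only what the automation needs instead of every permission.
create_scoped_key() {
    ck_user=$1
    ck_pwfile=$2
    ck_out=$3
    ck_perms=${4:-Ingest}

    [ -r "$ck_pwfile" ] || { echo "cannot read $ck_pwfile" >&2; return 1; }

    # The password reaches seqcli on STDIN, so it never appears in the
    # process list or in shell history.
    ck_token=$("${SEQCLI:-seqcli}" apikey create \
        -t "CLI bootstrap" \
        --permissions="$ck_perms" \
        --connect-username "$ck_user" --connect-password-stdin < "$ck_pwfile") || {
        echo "apikey create failed" >&2
        return 1
    }
    [ -n "$ck_token" ] || { echo "no token was returned" >&2; return 1; }

    # umask covers a newly created file; chmod covers a pre-existing one.
    ( umask 077; printf '%s\n' "$ck_token" > "$ck_out" ) || return 1
    chmod 600 "$ck_out"
}

# Typical use (paths are assumptions):
#   create_scoped_key admin /run/secrets/seq-admin-password "$HOME/.seq-apikey" Ingest
```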

Contributing

See CONTRIBUTING.md.

Permissions

When connecting with an API key the allowed operations are determined by the permissions assigned to that API key.

To determine the permission required for a command check the 'Permission demand' column of the equivalent server API operation. For example, the command apikey create uses the POST api/apikeys endpoint, which requires the Write permission.

Usage

All seqcli commands follow the same pattern:

seqcli <command> [<args>]

Command help

The complete list of supported commands can be viewed by running:

seqcli help

To show usage information for a specific command, run seqcli help <command>, for example:

seqcli help apikey create

This also works for command groups; to list all apikey sub-commands, run:

seqcli help apikey

Available commands

apikey create

Create an API key for automation or ingestion.

Example:

seqcli apikey create -t 'Test API Key' -p Environment=Test

| Option | Description |
| --- | --- |
| -t, --title=VALUE | A title for the API key |
| --token=VALUE | A pre-allocated API key token; by default, a new token will be generated and written to STDOUT |
| -p, --property=NAME=VALUE | Specify name/value properties, e.g. -p Customer=C123 -p Environment=Production |
| --filter=VALUE | A filter to apply to incoming events |
| --minimum-level=VALUE | The minimum event level/severity to accept; the default is to accept all events |
| --use-server-timestamps | Discard client-supplied timestamps and use server clock values |
| --permissions=VALUE | A comma-separated list of permissions to delegate to the API key; valid permissions are Ingest (default), Read, Write, Project and System |
| --connect-username=VALUE | A username to connect with, useful primarily when setting up the first API key; servers with an 'Individual' subscription only allow one simultaneous request with this option |
| --connect-password=VALUE | When connect-username is specified, a corresponding password |
| --connect-password-stdin | When connect-username is specified, read the corresponding password from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

apikey list

List available API keys.

Example:

seqcli apikey list

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the API key(s) to list |
| -i, --id=VALUE | The id of a single API key to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

apikey remove

Remove an API key from the server.

Example:

seqcli apikey remove -t 'Test API Key'

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the API key(s) to remove |
| -i, --id=VALUE | The id of a single API key to remove |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

apikey update

Update an existing API key.

Example:

seqcli apikey update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated API key in JSON format; this can be produced using seqcli apikey list --json |
| --json-stdin | Read the updated API key as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

app define

Generate an app definition for a .NET [SeqApp] plug-in.

Example:

seqcli app define -d "./bin/Debug/netstandard2.2"

| Option | Description |
| --- | --- |
| -d, --directory=VALUE | The directory containing .NET Standard assemblies; defaults to the current directory |
| --type=VALUE | The [SeqApp] plug-in type name; defaults to scanning assemblies for a single type marked with this attribute |
| --indented | Format the definition over multiple lines with indentation |

app install

Install an app package.

Example:

seqcli app install --package-id 'Seq.App.JsonArchive'

| Option | Description |
| --- | --- |
| --package-id=VALUE | The package id of the app to install |
| --version=VALUE | The package version to install; the default is to install the latest version |
| --feed-id=VALUE | The id of the NuGet feed to install the package from; may be omitted if only one feed is configured |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

app list

List installed app packages.

Example:

seqcli app list

| Option | Description |
| --- | --- |
| --package-id=VALUE | The package id of the app(s) to list |
| -i, --id=VALUE | The id of a single app to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

app run

Host a .NET [SeqApp] plug-in.

Example:

seqcli tail --json | seqcli app run -d "./bin/Debug/netstandard2.2" -p ToAddress=example@example.com

| Option | Description |
| --- | --- |
| -d, --directory=VALUE | The directory containing .NET Standard assemblies; defaults to the current directory |
| --type=VALUE | The [SeqApp] plug-in type name; defaults to scanning assemblies for a single type marked with this attribute |
| -p, --property=NAME=VALUE | Specify name/value settings for the app, e.g. -p ToAddress=example@example.com -p Subject="Alert!" |
| --storage=VALUE | A directory in which app-specific data can be stored; defaults to the current directory |
| -s, --server=VALUE | The URL of the Seq server, used only for app configuration (no connection is made to the server); by default the connection.serverUrl value will be used |
| --server-instance=VALUE | The instance name of the Seq server, used only for app configuration; defaults to no instance name |
| -t, --title=VALUE | The app instance title, used only for app configuration; defaults to a placeholder title. |
| --id=VALUE | The app instance id, used only for app configuration; defaults to a placeholder id. |
| --read-env | Read app configuration and settings from environment variables, as specified in https://docs.datalust.co/docs/seq-apps-in-other-languages; ignores all options except --directory and --type |

app uninstall

Uninstall an app package.

Example:

seqcli app uninstall --package-id 'Seq.App.JsonArchive'

| Option | Description |
| --- | --- |
| --package-id=VALUE | The package id of the app package to uninstall |
| -i, --id=VALUE | The id of a single app package to uninstall |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

app update

Update an installed app package.

Example:

seqcli app update -n 'HTML Email'

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of a single installed app to update |
| -n, --name=VALUE | The name of the installed app to update |
| --all | Update all installed apps; not compatible with -i or -n |
| --version=VALUE | The package version to update to; the default is to update to the latest version in the associated feed |
| --force | Update the app even if the target version is already installed |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

appinstance create

Create an instance of an installed app.

Example:

seqcli appinstance create -t 'Email Ops' --app hostedapp-314159 -p To=ops@example.com

| Option | Description |
| --- | --- |
| -t, --title=VALUE | A title for the app instance |
| --app=VALUE | The id of the installed app package to instantiate |
| -p, --property=NAME=VALUE | Specify name/value settings for the app, e.g. -p ToAddress=example@example.com -p Subject="Alert!" |
| --stream[=VALUE] | Stream incoming events to this app instance as they're ingested; optionally accepts a signal expression limiting which events should be streamed, for example signal-1,signal-2 |
| --overridable=VALUE | Specify setting names that may be overridden by users when invoking the app |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

appinstance list

List instances of installed apps.

Example:

seqcli appinstance list

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the app instance(s) to list |
| -i, --id=VALUE | The id of a single app instance to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

appinstance remove

Remove an app instance from the server.

Example:

seqcli appinstance remove -t 'Email Ops'

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the app instance(s) to remove |
| -i, --id=VALUE | The id of a single app instance to remove |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

appinstance update

Update an existing app instance.

Example:

seqcli appinstance update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated app instance in JSON format; this can be produced using seqcli appinstance list --json |
| --json-stdin | Read the updated app instance as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

bench

Measure query performance.

| Option | Description |
| --- | --- |
| -r, --runs=VALUE | The number of runs to execute; the default is 10 |
| -c, --cases=VALUE | A JSON file containing the set of cases to run. Defaults to a standard set of cases. |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --start=VALUE | ISO 8601 date/time to query from |
| --end=VALUE | ISO 8601 date/time to query to |
| --reporting-server=VALUE | The address of a Seq server to send bench results to |
| --reporting-apikey=VALUE | The API key to use when connecting to the reporting server |
| --description=VALUE | Optional description of the bench test run |
| --with-ingestion | Should the benchmark include sending events to Seq |
| --with-queries | Should the benchmark include querying Seq |

config

View and set fields in the SeqCli.json file; run with no arguments to list all fields.

| Option | Description |
| --- | --- |
| -k, --key=VALUE | The field, for example connection.serverUrl |
| -v, --value=VALUE | The field value; if not specified, the command will print the current value |
| -c, --clear | Clear the field |

dashboard list

List dashboards.

Example:

seqcli dashboard list

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the dashboard(s) to list |
| -i, --id=VALUE | The id of a single dashboard to list |
| -o, --owner=VALUE | The id of the user to list dashboards for; by default, shared dashboards are listed |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

dashboard remove

Remove a dashboard from the server.

Example:

seqcli dashboard remove -i dashboard-159

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the dashboard(s) to remove |
| -i, --id=VALUE | The id of a single dashboard to remove |
| -o, --owner=VALUE | The id of the user to remove dashboards for; by default, shared dashboards are removed |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

dashboard render

Produce a CSV or JSON result set from a dashboard chart.

Example:

seqcli dashboard render -i dashboard-159 -c 'Response Time (ms)' --last 7d --by 1h

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of a single dashboard to render |
| -c, --chart=VALUE | The title of a chart on the dashboard to render |
| --last=VALUE | A duration over which the chart should be rendered, e.g. 7d; this will be aligned to an interval boundary; either --last or --start and --end must be specified |
| --by=VALUE | The time-slice interval for the chart data, as a duration, e.g. 1h |
| --start=VALUE | ISO 8601 date/time to query from |
| --end=VALUE | ISO 8601 date/time to query to |
| --signal=VALUE | A signal expression or list of intersected signal ids to apply, for example signal-1,signal-2 |
| --timeout=VALUE | The execution timeout in milliseconds |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

expressionindex create

Create an expression index.

Example:

seqcli expressionindex create --expression "ServerName"

| Option | Description |
| --- | --- |
| -e, --expression=VALUE | The expression to index |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

expressionindex list

List expression indexes.

Example:

seqcli expressionindex list

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of a single expression index to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

expressionindex remove

Remove an expression index from the server.

Example:

seqcli expressionindex remove -i expressionindex-2529

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of an expression index to remove |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

feed create

Create a NuGet feed.

Example:

seqcli feed create -n 'CI' --location="https://f.feedz.io/example/ci" -u Seq --password-stdin

| Option | Description |
| --- | --- |
| -n, --name=VALUE | A unique name for the feed |
| -l, --location=VALUE | The feed location; this may be a NuGet v2 or v3 feed URL, or a local filesystem path on the Seq server |
| -u, --username=VALUE | The username Seq should supply when connecting to the feed, if authentication is required |
| -p, --password=VALUE | A feed password, if authentication is required; note that --password-stdin is more secure |
| --password-stdin | Read the feed password from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

feed list

List NuGet feeds.

Example:

seqcli feed list

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The name of the feed to list |
| -i, --id=VALUE | The id of a single feed to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

feed remove

Remove a NuGet feed from the server.

Example:

seqcli feed remove -n CI

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The name of the feed to remove |
| -i, --id=VALUE | The id of a single feed to remove |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

feed update

Update an existing NuGet feed.

Example:

seqcli feed update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated NuGet feed in JSON format; this can be produced using seqcli feed list --json |
| --json-stdin | Read the updated NuGet feed as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

help

Show information about available commands.

Example:

seqcli help search

| Option | Description |
| --- | --- |
| -m, --markdown | Generate markdown for use in documentation |

index list

List indexes.

Example:

seqcli index list

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of a single index to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

index suppress

Suppress an index.

Example:

seqcli index suppress -i index-2191448f1d9b4f22bd32c6edef752748

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of an index to suppress |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

ingest

Send log events from a file or STDIN.

Example:

seqcli ingest -i log-*.txt --json --filter="@Level <> 'Debug'" -p Environment=Test

| Option | Description |
| --- | --- |
| -i, --input=VALUE | File(s) to ingest, including the * wildcard; if not specified, STDIN will be used |
| --invalid-data=VALUE | Specify how invalid data is handled: fail (default) or ignore |
| -p, --property=NAME=VALUE | Specify name/value properties, e.g. -p Customer=C123 -p Environment=Production |
| -x, --extract=VALUE | An extraction pattern to apply to plain-text logs (ignored when --json is specified) |
| --json | Read the events as JSON (the default assumes plain text) |
| -f, --filter=VALUE | Filter expression to select a subset of events |
| -m, --message=VALUE | A message to associate with the ingested events; https://messagetemplates.org syntax is supported |
| -l, --level=VALUE | The level or severity to associate with the ingested events; this will override any level information present in the events themselves |
| --send-failure=VALUE | Specify how connection failures are handled: fail (default), retry, continue, or ignore |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --batch-size=VALUE | The maximum number of events to send in each request to the ingestion endpoint; if not specified a value of 100 will be used |
license apply

Apply a license to the Seq server.

Example:

seqcli license apply --certificate="license.txt"

| Option | Description |
| --- | --- |
| -c, --certificate=VALUE | Certificate file; the file must be UTF-8 text |
| --certificate-stdin | Read the license certificate from STDIN |
| --automatically-refresh | If the license is for a subscription, periodically check datalust.co and automatically refresh the certificate when the subscription is changed or renewed |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

log

Send a structured log event to the server.

Example:

seqcli log -m 'Hello, {Name}!' -p Name=World -p App=Test

| Option | Description |
| --- | --- |
| -m, --message=VALUE | A message to associate with the event (the default is to send no message); https://messagetemplates.org syntax is supported |
| -l, --level=VALUE | The level or severity of the event (the default is Information) |
| -t, --timestamp=VALUE | The event timestamp as ISO-8601 (the current UTC timestamp will be used by default) |
| -x, --exception=VALUE | Additional exception or error information to send, if any |
| -p, --property=NAME=VALUE | Specify name/value properties, e.g. -p Customer=C123 -p Environment=Production |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

node demote

Begin demotion of the current leader node.

Example:

seqcli node demote --verbose --wait

| Option | Description |
| --- | --- |
| --wait | Wait for the leader to be demoted before exiting |
| -y, --confirm | Answer [y]es when prompted to continue |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

node health

Probe a Seq node's /health endpoint, and print the returned HTTP status code, or 'Unreachable' if the endpoint could not be queried.

Example:

seqcli node health -s https://seq-2.example.com

| Option | Description |
| --- | --- |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

node list

List nodes in the Seq cluster.

Example:

seqcli node list --json

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The name of the cluster node to list |
| -i, --id=VALUE | The id of a single cluster node to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

print

Pretty-print events in CLEF/JSON format, from a file or STDIN.

Example:

seqcli print -i log-20201028.clef

| Option | Description |
| --- | --- |
| -i, --input=VALUE | CLEF file to read, including the * wildcard; if not specified, STDIN will be used |
| -f, --filter=VALUE | Filter expression to select a subset of events |
| --template=VALUE | Specify an output template to control plain text formatting |
| --invalid-data=VALUE | Specify how invalid data is handled: fail (default) or ignore |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

profile create

Create or replace a connection profile.

Example:

seqcli profile create -n Production -s https://seq.example.com -a th15ISanAPIk3y

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The name of the connection profile |
| -s, --server=VALUE | The URL of the Seq server |
| -a, --apikey=VALUE | The API key to use when connecting to the server, if required |

profile list

List connection profiles.

Example:

seqcli profile list

profile remove

Remove a connection profile.

Example:

seqcli profile remove -n Production

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The name of the connection profile to remove |

query

Execute an SQL query and receive results in CSV format.

Example:

seqcli query -q "select count(*) from stream group by @Level" --start="2018-02-28T13:00Z"

| Option | Description |
| --- | --- |
| -q, --query=VALUE | The query to execute |
| --start=VALUE | ISO 8601 date/time to query from |
| --end=VALUE | ISO 8601 date/time to query to |
| --signal=VALUE | A signal expression or list of intersected signal ids to apply, for example signal-1,signal-2 |
| --timeout=VALUE | The execution timeout in milliseconds |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

retention create

Create a retention policy.

Example:

seqcli retention create --after 30d --delete-all-events

| Option | Description |
| --- | --- |
| --after=VALUE | A duration after which the policy will delete events, e.g. 7d |
| --delete-all-events | The policy should delete all events (currently the only supported option) |
| --delete=VALUE | Stream incoming events to this app instance as they're ingested; optionally accepts a signal expression limiting which events should be streamed |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

retention list

List retention policies.

Example:

seqcli retention list

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of a single retention policy to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

retention remove

Remove a retention policy from the server.

Example:

seqcli retention remove -i retentionpolicy-17

| Option | Description |
| --- | --- |
| -i, --id=VALUE | The id of a single retention policy to remove |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

retention update

Update an existing retention policy.

Example:

seqcli retention update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated retention policy in JSON format; this can be produced using seqcli retention list --json |
| --json-stdin | Read the updated retention policy as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

sample ingest

Log sample events into a Seq instance.

Example:

seqcli sample ingest

| Option | Description |
| --- | --- |
| -y, --confirm | Answer [y]es when prompted to continue |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --quiet | Don't echo ingested events to STDOUT |
| --batch-size=VALUE | The maximum number of events to send in each request to the ingestion endpoint; if not specified a value of 100 will be used |

sample setup

Configure a Seq instance with sample dashboards, signals, users, and so on.

Example:

seqcli sample setup

| Option | Description |
| --- | --- |
| -y, --confirm | Answer [y]es when prompted to continue |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

search

Retrieve log events that match a given filter.

Example:

seqcli search -f "@Exception like '%TimeoutException%'" -c 30

| Option | Description |
| --- | --- |
| -f, --filter=VALUE | A filter to apply to the search, for example Host = 'xmpweb-01.example.com' |
| -c, --count=VALUE | The maximum number of events to retrieve; the default is 1 |
| --start=VALUE | ISO 8601 date/time to query from |
| --end=VALUE | ISO 8601 date/time to query to |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| --signal=VALUE | A signal expression or list of intersected signal ids to apply, for example signal-1,signal-2 |
| --request-timeout=VALUE | The time allowed for retrieving each page of events, in milliseconds; the default is 100000 |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

setting clear

Clear a runtime-configurable server setting.

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The setting name, for example OpenIdConnectClientSecret |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

setting names

Print the names of all supported settings.

setting set

Change a runtime-configurable server setting.

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The setting name, for example OpenIdConnectClientSecret |
| -v, --value=VALUE | The setting value, comma-separated if multiple values are accepted |
| --value-stdin | Read the value from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

setting show

Print the current value of a runtime-configurable server setting.

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The setting name, for example OpenIdConnectClientSecret |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

signal create

Create a signal.

Example:

seqcli signal create -t 'Exceptions' -f "@Exception is not null"

| Option | Description |
| --- | --- |
| -t, --title=VALUE | A title for the signal |
| --description=VALUE | A description for the signal |
| -f, --filter=VALUE | Filter to associate with the signal |
| -c, --column=VALUE | Column to associate with the signal; this argument can be used multiple times |
| --group=VALUE | An explicit group name to associate with the signal; the default is to infer the group from the filter |
| --no-group | Specify that no group should be inferred; the default is to infer the group from the filter |
| --protected | Specify that the signal is editable only by administrators |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

signal import

Import signals in newline-delimited JSON format.

Example:

seqcli signal import -i ./Exceptions.json

| Option | Description |
| --- | --- |
| --merge | Update signals that have ids matching those in the imported data; the default is to always create new signals |
| -i, --input=VALUE | File to import; if not specified, STDIN will be used |
| -o, --owner=VALUE | The id of the user to import signals for; by default, shared signals are imported |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

signal list

List available signals.

Example:

seqcli signal list

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the signal(s) to list |
| -i, --id=VALUE | The id of a single signal to list |
| -o, --owner=VALUE | The id of the user to list signals for; by default, shared signals are listed |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

signal remove

Remove a signal from the server.

Example:

seqcli signal remove -t 'Test Signal'

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the signal(s) to remove |
| -i, --id=VALUE | The id of a single signal to remove |
| -o, --owner=VALUE | The id of the user to remove signals for; by default, shared signals are removed |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

signal update

Update an existing signal.

Example:

seqcli signal update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated signal in JSON format; this can be produced using seqcli signal list --json |
| --json-stdin | Read the updated signal as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

tail

Stream log events matching a filter.

| Option | Description |
| --- | --- |
| -f, --filter=VALUE | An optional server-side filter to apply to the stream, for example @Level = 'Error' |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| --signal=VALUE | A signal expression or list of intersected signal ids to apply, for example signal-1,signal-2 |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

template export

Export entities into template files.

Example:

seqcli template export -o ./Templates

| Option | Description |
| --- | --- |
| -o, --output=VALUE | The directory in which to write template files; the directory must exist; any existing files with names matching the exported templates will be overwritten; the default is . |
| -i, --include=VALUE | The id of a signal, dashboard, saved query, workspace, or retention policy to export; this argument may be specified multiple times; the default is to export all shared entities |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

template import

Import entities from template files.

Example:

seqcli template import -i ./Templates

| Option | Description |
| --- | --- |
| -i, --input=VALUE | The directory from which to read the set of .template files; the default is . |
| --state=VALUE | The path of a file which will persist a mapping of template names to the ids of the created entities on the target server, avoiding duplicates when multiple imports are performed; by default, import.state in the input directory will be used |
| --merge | For templates with no entries in the .state file, first check for existing entities with matching names or titles; does not support merging of retention policies |
| -g, --arg=NAME=VALUE | Template arguments, e.g. -g ownerId=user-314159 |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

user create

Create a user.

Example:

seqcli user create -n alice -d 'Alice Example' -r 'User (read/write)' --password-stdin

| Option | Description |
| --- | --- |
| -n, --name=VALUE | A unique username for the user |
| -d, --display-name=VALUE | A long-form name to aid in identifying the user |
| -f, --filter=VALUE | A view filter that limits the events visible to the user |
| -r, --role=VALUE | The title of a role that grants the user permissions on the server; if not specified, the default new user role will be assigned |
| -e, --email=VALUE | The user's email address (enables a Gravatar image for the user) |
| -p, --password=VALUE | An initial password for the user, if username/password authentication is in use; note that --password-stdin is more secure |
| --password-stdin | Read the initial password for the user from STDIN, if username/password authentication is in use |
| --no-password-change | Don't force the user to change their password at next login |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

user list

List users.

Example:

seqcli user list

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The username of the user(s) to list |
| -i, --id=VALUE | The id of a single user to list |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

user remove

Remove a user from the server.

Example:

seqcli user remove -n alice

| Option | Description |
| --- | --- |
| -n, --name=VALUE | The username of the user(s) to remove |
| -i, --id=VALUE | The id of a single user to remove |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

user update

Update an existing user.

Example:

seqcli user update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated user in JSON format; this can be produced using seqcli user list --json |
| --json-stdin | Read the updated user as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

version

Print the current executable version.

workspace create

Create a workspace.

Example:

seqcli workspace create -t 'My Workspace' -c signal-314159 -c dashboard-628318

| Option | Description |
| --- | --- |
| -t, --title=VALUE | A title for the workspace |
| --description=VALUE | A description for the workspace |
| -c, --content=VALUE | The id of a dashboard, signal, or saved query to include in the workspace |
| --protected | Specify that the workspace is editable only by administrators |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |

workspace list

List available workspaces.

Example:

seqcli workspace list

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the workspace(s) to list |
| -i, --id=VALUE | The id of a single workspace to list |
| -o, --owner=VALUE | The id of the user to list workspaces for; by default, shared workspaces are listed |
| --json | Print output in newline-delimited JSON (the default is plain text) |
| --no-color | Don't colorize text output |
| --force-color | Force redirected output to have ANSI color (unless --no-color is also specified) |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

workspace remove

Remove a workspace from the server.

Example:

seqcli workspace remove -t 'My Workspace'

| Option | Description |
| --- | --- |
| -t, --title=VALUE | The title of the workspace(s) to remove |
| -i, --id=VALUE | The id of a single workspace to remove |
| -o, --owner=VALUE | The id of the user to remove workspaces for; by default, shared workspaces are removed |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

workspace update

Update an existing workspace.

Example:

seqcli workspace update --json '{...}'

| Option | Description |
| --- | --- |
| --json=VALUE | The updated workspace in JSON format; this can be produced using seqcli workspace list --json |
| --json-stdin | Read the updated workspace as JSON from STDIN |
| -s, --server=VALUE | The URL of the Seq server; by default the connection.serverUrl config value will be used |
| -a, --apikey=VALUE | The API key to use when connecting to the server; by default the connection.apiKey config value will be used |
| --profile=VALUE | A connection profile to use; by default the connection.serverUrl and connection.apiKey config values will be used |

Extraction patterns

The seqcli ingest command can be used for parsing plain text logs into structured log events.

seqcli ingest -x "{@t:timestamp} [{@l:level}] {@m:*}{:n}{@x:*}"

The -x argument above is an extraction pattern that will parse events like:

2018-02-21 13:29:00.123 +10:00 [ERR] The operation failed
System.DivideByZeroException: Attempt to divide by zero
  at SomeClass.SomeMethod()

Syntax

Extraction patterns have a simple high-level syntax:

Match expressions have the form:

{name:matcher}

Both the name and matcher are optional, but at least one of them must be specified. Hence {@t:timestamp} specifies a name of @t and a matcher of timestamp, {IPAddress} specifies a name only, and {:n} a matcher only (in this case the built-in newline matcher).

The name is the property name to be extracted; there are four built-in property names that get special handling:

Other property names are attached to the event payload, so {Elapsed:dec} will extract a property called Elapsed, using the dec decimal matcher.

Match expressions with no name are consumed from the input, but are not added to the event payload.

Matchers

Matchers identify chunks of the input event.

Different matchers are needed so that a piece of text like 200OK can be separated into separate properties, i.e. {StatusCode:nat}{Status:alpha}. Here, the nat (natural number) matcher also coerces the result into a numeric value, so that it is attached to the event payload numerically as 200 instead of as the text "200".

There are three kinds of matchers:

| Matcher | Description | Example |
| --- | --- | --- |
| *, **, ... | Non-greedy content | |
| alpha | One or more letters | Abc |
| alphanum | One or more letters or numbers | a1b2 |
| dec | A decimal number | 12.345 |
| ident | A C-style identifier | countOfMatches |
| int | An integer | -123 |
| iso8601dt | An ISO-8601 date-time | 2020-01-28T13:50:01.123 |
| level | A logging level name | INF |
| line | Any single-line content | one line! |
| n | A newline character or sequence | |
| nat | A nonnegative number | 123 |
| s | One or more space or tab characters | |
| serilogdt | A datetime in the default Serilog file logging format | 2020-01-28 13:50:01.123 +10:00 |
| syslogdt | A datetime in syslog format | Dec 8 09:12:13 |
| t | A single tab character | |
| timestamp | A datetime in any recognized format | |
| token | Any sequence of non-whitespace characters | 1+x$3 |
| trailingident | Multiline content with indented trailing lines | |
| unixdt | A datetime in Unix time format supporting seconds (10-digit) or milliseconds (12-digit) | 1608694199.999 |
| w3cdt | A W3C log format date/time pair | 2019-04-02 05:18:01 |

Processing

Extraction patterns are processed from left to right. When the first non-matching pattern is encountered, extraction stops; any remaining text that couldn't be matched will be attached to the resulting event in an @unmatched property.

Multi-line events are handled by looking for lines that start with the first element of the extraction pattern to be used. This works well if the first line of each event begins with something unambiguous like an iso8601dt timestamp; if the lines begin with less specific syntax, the first few elements of the extraction pattern might be grouped to identify the start of events more accurately:

{:=[{@t} {@l}]} {@m:*}

Here the literal text [, a timestamp token, the adjacent space, the level and the closing ] are all grouped so that they constitute a single logical pattern element to identify the start of events.

When logs are streamed into seqcli ingest in real time, a 10 ms deadline is applied, within which any trailing lines that make up the event must be received.
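To make the matching and processing rules above concrete, here is a small Python model of them, added for illustration; it is not seqcli's code. The regexes standing in for matchers, the token default for name-only expressions and the function names are assumptions, and nested {:=...} groups are not modelled.

```python
import re

# Regex stand-ins for a few matchers from the table above, each with the
# coercion applied to captured text. Assumed semantics for this model only.
MATCHERS = {
    "*": (r".*?", str),
    "alpha": (r"[A-Za-z]+", str),
    "dec": (r"-?\d+(?:\.\d+)?", float),
    "iso8601dt": (r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)?", str),
    "level": (r"[A-Za-z]+", str),
    "n": (r"\r?\n", str),
    "nat": (r"\d+", int),
    "token": (r"\S+", str),
}
EXPR = re.compile(r"\{([^{}:]*)(?::([^{}]*))?\}")  # {name:matcher}


def parse_pattern(pattern):
    """Split a pattern into ('lit', text) and ('expr', name, matcher) elements."""
    elements, pos = [], 0
    for m in EXPR.finditer(pattern):
        if m.start() > pos:
            elements.append(("lit", pattern[pos:m.start()]))
        name, matcher = m.group(1), m.group(2)
        if not name and not matcher:
            raise ValueError("a match expression needs a name or a matcher")
        matcher = matcher or "token"  # assumed default for name-only expressions
        if matcher not in MATCHERS:
            raise ValueError(f"matcher not modelled here: {matcher}")
        elements.append(("expr", name or None, matcher))
        pos = m.end()
    if pos < len(pattern):
        elements.append(("lit", pattern[pos:]))
    return elements


def _regex(element):
    return re.escape(element[1]) if element[0] == "lit" else MATCHERS[element[2]][0]


def extract(pattern, text):
    """Apply the pattern left to right; unconsumed text goes to @unmatched."""
    elements = parse_pattern(pattern)
    event, pos = {}, 0
    for i, element in enumerate(elements):
        rx = _regex(element)
        if element[0] == "expr" and element[2] == "*":
            # Non-greedy content runs until the next element can match.
            following = _regex(elements[i + 1]) if i + 1 < len(elements) else r"\Z"
            rx = rf".*?(?={following})"
        m = re.compile(rx, re.DOTALL).match(text, pos)
        if m is None:
            break  # first non-matching element: extraction stops
        if element[0] == "expr" and element[1]:
            event[element[1]] = MATCHERS[element[2]][1](m.group(0))
        pos = m.end()
    if pos < len(text):
        event["@unmatched"] = text[pos:]
    return event


def frame_events(pattern, lines):
    """A line that starts with the pattern's first element opens a new event;
    any other line is appended to the event before it."""
    first = re.compile(_regex(parse_pattern(pattern)[0]))
    events = []
    for line in lines:
        if first.match(line) or not events:
            events.append(line + "\n")
        else:
            events[-1] += line + "\n"
    return events


# Constructed sample input, modelled on the multi-line event shown earlier.
SAMPLE = [
    "2020-01-28T13:50:01.123 [ERR] The operation failed",
    "System.DivideByZeroException: Attempt to divide by zero",
    "  at SomeClass.SomeMethod()",
    "2020-01-28T13:50:02.000 [INF] Retrying",
]
PATTERN = "{@t:iso8601dt} [{@l:level}] {@m:*}{:n}{@x:*}"

if __name__ == "__main__":
    for raw in frame_events(PATTERN, SAMPLE):
        print(extract(PATTERN, raw))
    print(extract("{StatusCode:nat}{Status:alpha}", "200OK"))
    print(extract("{StatusCode:nat} {Elapsed:dec}ms", "200 fast"))
```

In a log pipeline, events that arrive with an @unmatched property are worth alerting on, since they usually mean a source changed its format and fields are no longer being extracted.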

Examples

Tail systemd logs

journalctl -f -n 0 |
  seqcli ingest -x "{@t:syslogdt} {host} {ident:*}: {@m:*}{:n}" --invalid-data=ignore

Tail /var/log/syslog

tail -c 0 -F /var/log/syslog |
  seqcli ingest -x "{@t:syslogdt} {host} {ident:*}: {@m:*}{:n}"

Ingest an IIS/W3C web server log

This example ingests log files in the format:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) 
cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

The extraction pattern is wrapped in the example for display purposes, and must appear all in one string argument when invoked.

seqcli ingest -i http.log --invalid-data=ignore -x "{@t:w3cdt} {ServerIP} {@m:={Method} {RequestPath}} 
{Query} {Port:nat} {Username} {ClientIP} {UserAgent} {Referer} {StatusCode:nat} {Substatus:nat} 
{Win32Status:nat} {ResponseBytes:nat} {RequestBytes:nat} {Elapsed}{:n}"

A nested {@m:= pattern is used to collect a substring of the log line for display as the event's message.

Updating entities

The seqcli * update family of commands makes it possible to perform arbitrary updates to many complex entity types.

The update commands, like seqcli signal update shown in the example below, receive an updated JSON representation of an entity via STDIN.

This works particularly well with tools like jq and modern shells with native JSON support, such as PowerShell:

PS > $warnings = (seqcli signal list -i signal-m33302 --json | ConvertFrom-Json)

PS > $warnings.Title                                                                                                                
Warnings

PS > $warnings.Title = "Alarms"

PS > (echo $warnings | ConvertTo-Json) | seqcli signal update --json-stdin        

PS > seqcli signal list -i signal-m33302 --json                                 
{"Title": "Alarms", "Description": "Automatically created", "Filters": [{"De...