sumologic-query 1.3.4 → 1.4.0

data/lib/sumologic/cli/commands/get_monitor_command.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the get-monitor command execution
+      class GetMonitorCommand < BaseCommand
+        def execute
+          monitor_id = options[:monitor_id]
+          warn "Fetching monitor #{monitor_id}..."
+          monitor = client.get_monitor(monitor_id: monitor_id)
+
+          output_json(monitor)
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_apps_command.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the list-apps command execution
+      class ListAppsCommand < BaseCommand
+        def execute
+          warn 'Fetching app catalog...'
+          apps = client.list_apps
+
+          output_json(
+            total: apps.size,
+            apps: apps
+          )
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_collectors_command.rb

@@ -13,7 +13,7 @@ module Sumologic
 
           output_json(
             total: collectors.size,
-            collectors: collectors.map { |c| format_collector(c) }
+            collectors: collectors
           )
         end
       end

data/lib/sumologic/cli/commands/list_dashboards_command.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the list-dashboards command execution
+      class ListDashboardsCommand < BaseCommand
+        def execute
+          warn 'Fetching dashboards...'
+          dashboards = client.list_dashboards(limit: options[:limit] || 100)
+
+          output_json(
+            total: dashboards.size,
+            dashboards: dashboards
+          )
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_fields_command.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the list-fields command execution
+      class ListFieldsCommand < BaseCommand
+        def execute
+          if options[:builtin]
+            warn 'Fetching built-in fields...'
+            fields = client.list_builtin_fields
+          else
+            warn 'Fetching custom fields...'
+            fields = client.list_fields
+          end
+
+          output_json(
+            total: fields.size,
+            fields: fields
+          )
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_folders_command.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the list-folders command execution
+      class ListFoldersCommand < BaseCommand
+        def execute
+          if options[:tree]
+            fetch_tree
+          elsif options[:folder_id]
+            fetch_folder
+          else
+            fetch_personal
+          end
+        end
+
+        private
+
+        def fetch_personal
+          warn 'Fetching personal folder...'
+          folder = client.personal_folder
+          output_folder_with_children(folder)
+        end
+
+        def fetch_folder
+          folder_id = options[:folder_id]
+          warn "Fetching folder #{folder_id}..."
+          folder = client.get_folder(folder_id: folder_id)
+          output_folder_with_children(folder)
+        end
+
+        def fetch_tree
+          folder_id = options[:folder_id]
+          max_depth = options[:depth] || 3
+
+          if folder_id
+            warn "Fetching folder tree for #{folder_id} (depth: #{max_depth})..."
+          else
+            warn "Fetching personal folder tree (depth: #{max_depth})..."
+          end
+
+          tree = client.folder_tree(folder_id: folder_id, max_depth: max_depth)
+          output_json(tree)
+        end
+
+        def output_folder_with_children(folder)
+          output_json(folder)
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_health_events_command.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the list-health-events command execution
+      class ListHealthEventsCommand < BaseCommand
+        def execute
+          warn 'Fetching health events...'
+          events = client.list_health_events(limit: options[:limit] || 100)
+
+          output_json(
+            total: events.size,
+            healthEvents: events
+          )
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_monitors_command.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative 'base_command'
+
+module Sumologic
+  class CLI < Thor
+    module Commands
+      # Handles the list-monitors command execution
+      # Uses the monitors search API for flat, filterable results
+      class ListMonitorsCommand < BaseCommand
+        def execute
+          warn 'Fetching monitors...'
+          monitors = client.list_monitors(
+            query: options[:query],
+            status: options[:status],
+            limit: options[:limit] || 100
+          )
+
+          output_json(
+            total: monitors.size,
+            monitors: monitors
+          )
+        end
+      end
+    end
+  end
+end

data/lib/sumologic/cli/commands/list_sources_command.rb

@@ -24,7 +24,7 @@ module Sumologic
           output_json(
             collector_id: options[:collector_id],
             total: sources.size,
-            sources: sources.map { |s| format_source(s) }
+            sources: sources
           )
         end
 
@@ -37,16 +37,9 @@ module Sumologic
           output_json(
             total_collectors: all_sources.size,
             total_sources: all_sources.sum { |c| c['sources'].size },
-            data: all_sources.map { |item| format_collector_with_sources(item) }
+            data: all_sources
           )
         end
-
-        def format_collector_with_sources(item)
-          {
-            collector: item['collector'],
-            sources: item['sources'].map { |s| format_source(s) }
-          }
-        end
       end
     end
   end

data/lib/sumologic/cli/commands/search_command.rb

@@ -52,36 +52,74 @@ module Sumologic
         end
 
         def perform_search
-          client.search(
-            query: options[:query],
-            from_time: @parsed_from,
-            to_time: @parsed_to,
-            time_zone: @parsed_timezone,
-            limit: options[:limit]
-          )
+          if aggregate_mode?
+            client.search_aggregation(
+              query: options[:query],
+              from_time: @parsed_from,
+              to_time: @parsed_to,
+              time_zone: @parsed_timezone,
+              limit: options[:limit]
+            )
+          else
+            client.search(
+              query: options[:query],
+              from_time: @parsed_from,
+              to_time: @parsed_to,
+              time_zone: @parsed_timezone,
+              limit: options[:limit]
+            )
+          end
+        end
+
+        def aggregate_mode?
+          options[:aggregate] || aggregation_query?(options[:query])
+        end
+
+        def aggregation_query?(query)
+          query.match?(/\|\s*(count|sum|avg|min|max|pct|first|last|group)\b/i)
         end
 
         def display_results_summary(results)
+          result_type = aggregate_mode? ? 'records' : 'messages'
           warn '=' * 60
-          warn "Results: #{results.size} messages"
+          warn "Results: #{results.size} #{result_type}"
           warn '=' * 60
           $stderr.puts
         end
 
         def output_search_results(results)
-          output_json(
-            query: options[:query],
-            from: @parsed_from,
-            to: @parsed_to,
-            from_original: @original_from,
-            to_original: @original_to,
-            time_zone: @parsed_timezone,
-            message_count: results.size,
-            messages: results
-          )
+          if aggregate_mode?
+            output_json(
+              query: options[:query],
+              from: @parsed_from,
+              to: @parsed_to,
+              from_original: @original_from,
+              to_original: @original_to,
+              time_zone: @parsed_timezone,
+              record_count: results.size,
+              records: results
+            )
+          else
+            output_json(
+              query: options[:query],
+              from: @parsed_from,
+              to: @parsed_to,
+              from_original: @original_from,
+              to_original: @original_to,
+              time_zone: @parsed_timezone,
+              message_count: results.size,
+              messages: results
+            )
+          end
         end
 
         def launch_interactive_mode(results)
+          if aggregate_mode?
+            warn 'Interactive mode is not supported for aggregation queries'
+            output_search_results(results)
+            return
+          end
+
           require_relative '../../interactive'
 
           formatted_results = build_formatted_results(results)

data/lib/sumologic/cli.rb

@@ -5,11 +5,23 @@ require 'json'
 require_relative 'cli/commands/search_command'
 require_relative 'cli/commands/list_collectors_command'
 require_relative 'cli/commands/list_sources_command'
+require_relative 'cli/commands/discover_source_metadata_command'
+require_relative 'cli/commands/list_monitors_command'
+require_relative 'cli/commands/get_monitor_command'
+require_relative 'cli/commands/list_folders_command'
+require_relative 'cli/commands/list_dashboards_command'
+require_relative 'cli/commands/get_dashboard_command'
+require_relative 'cli/commands/list_health_events_command'
+require_relative 'cli/commands/list_fields_command'
+require_relative 'cli/commands/get_lookup_command'
+require_relative 'cli/commands/list_apps_command'
+require_relative 'cli/commands/get_content_command'
+require_relative 'cli/commands/export_content_command'
 
 module Sumologic
   # Thor-based CLI for Sumo Logic query tool
   # Delegates commands to specialized command classes
-  class CLI < Thor
+  class CLI < Thor # rubocop:disable Metrics/ClassLength
     class_option :debug, type: :boolean, aliases: '-d', desc: 'Enable debug output'
     class_option :output, type: :string, aliases: '-o', desc: 'Output file (default: stdout)'
 
@@ -33,6 +45,10 @@ module Sumologic
         • Unix timestamp: '1700000000' (seconds since epoch)
         • ISO 8601: '2025-11-13T14:00:00'
 
+      Aggregation Mode (--aggregate):
+        Use --aggregate (-a) for queries with count, sum, avg, group by, etc.
+        Returns aggregation records instead of raw log messages.
+
       Examples:
         # Last 30 minutes
         sumo-query search --query 'error' --from '-30m' --to 'now'
@@ -52,6 +68,14 @@ module Sumologic
         # Interactive mode with FZF
         sumo-query search --query 'error' \\
           --from '-1h' --to 'now' --interactive
+
+        # Aggregation query (count by source)
+        sumo-query search --query '* | count by _sourceCategory' \\
+          --from '-1h' --to 'now' --aggregate
+
+        # Top errors by count
+        sumo-query search --query 'error | count by _sourceHost | top 10' \\
+          --from '-24h' --to 'now' --aggregate
     DESC
     option :query, type: :string, required: true, aliases: '-q', desc: 'Search query'
     option :from, type: :string, required: true, aliases: '-f', desc: 'Start time (now, -30m, unix timestamp, ISO 8601)'
@@ -59,6 +83,7 @@ module Sumologic
     option :time_zone, type: :string, default: 'UTC', aliases: '-z',
                        desc: 'Time zone (UTC, EST, AEST, +00:00, America/New_York, Australia/Sydney)'
     option :limit, type: :numeric, aliases: '-l', desc: 'Maximum messages to return'
+    option :aggregate, type: :boolean, aliases: '-a', desc: 'Return aggregation records (for count/group by queries)'
     option :interactive, type: :boolean, aliases: '-i', desc: 'Launch interactive browser (requires fzf)'
     def search
       Commands::SearchCommand.new(options, create_client).execute
@@ -91,6 +116,299 @@ module Sumologic
       Commands::ListSourcesCommand.new(options, create_client).execute
     end
 
+    desc 'discover-source-metadata', 'Discover source metadata from log data using search aggregation'
+    long_desc <<~DESC
+      Discovers source metadata from actual log data using search aggregation.
+      Useful for CloudWatch/ECS/Lambda sources with dynamic _sourceName values
+      that are not visible in the Collectors API.
+
+      Note: This is not an official Sumo Logic API. It runs the search query:
+        * | count by _sourceName, _sourceCategory | sort by _count desc
+      This is a well-known technique in the Sumo Logic community to discover
+      runtime sources, complementing the static source configuration from
+      the Collectors API (list-sources).
+
+      Time Formats:
+        --from and --to support multiple formats:
+        • 'now' - current time
+        • Relative: '-30s', '-5m', '-2h', '-7d', '-1w', '-1M' (sec/min/hour/day/week/month)
+        • Unix timestamp: '1700000000' (seconds since epoch)
+        • ISO 8601: '2025-11-13T14:00:00'
+
+      Examples:
+        # Discover all sources from last 24 hours (default)
+        sumo-query discover-source-metadata
+
+        # Discover sources from last 7 days
+        sumo-query discover-source-metadata --from '-7d' --to 'now'
+
+        # Filter by source category (ECS only)
+        sumo-query discover-source-metadata --filter '_sourceCategory=*ecs*'
+
+        # Discover CloudWatch sources
+        sumo-query discover-source-metadata --filter '_sourceCategory=*cloudwatch*'
+
+        # Save to file
+        sumo-query discover-source-metadata --output discovered-sources.json
+    DESC
+    option :from, type: :string, default: '-24h', aliases: '-f',
+                  desc: 'Start time (default: -24h)'
+    option :to, type: :string, default: 'now', aliases: '-t',
+                desc: 'End time (default: now)'
+    option :time_zone, type: :string, default: 'UTC', aliases: '-z',
+                       desc: 'Time zone (UTC, EST, AEST, +00:00, America/New_York, Australia/Sydney)'
+    option :filter, type: :string, desc: 'Optional filter query (e.g., _sourceCategory=*ecs*)'
+    def discover_source_metadata
+      Commands::DiscoverSourceMetadataCommand.new(options, create_client).execute
+    end
+
+    # ============================================================
+    # Monitors Commands
+    # ============================================================
+
+    desc 'list-monitors', 'List monitors with optional status and query filters'
+    long_desc <<~DESC
+      List monitors in your Sumo Logic account using the search API.
+      Supports filtering by monitor status and text query.
+
+      Status Values:
+        Normal, Critical, Warning, MissingData, Disabled, AllTriggered
+
+      Examples:
+        # List all monitors
+        sumo-query list-monitors
+
+        # List only critical monitors
+        sumo-query list-monitors --status Critical
+
+        # List all currently triggered monitors
+        sumo-query list-monitors --status AllTriggered
+
+        # Search monitors by name
+        sumo-query list-monitors --query "prod"
+
+        # Combine status and query filters
+        sumo-query list-monitors --status Warning --query "latency"
+
+        # Save to file
+        sumo-query list-monitors --output monitors.json
+    DESC
+    option :limit, type: :numeric, aliases: '-l', default: 100, desc: 'Maximum monitors to return'
+    option :status, type: :string, aliases: '-s',
+                    desc: 'Filter by status (Normal, Critical, Warning, MissingData, Disabled, AllTriggered)'
+    option :query, type: :string, aliases: '-q', desc: 'Search query to filter monitors'
+    def list_monitors
+      Commands::ListMonitorsCommand.new(options, create_client).execute
+    end
+
+    desc 'get-monitor', 'Get a specific monitor by ID'
+    long_desc <<~DESC
+      Get detailed information about a specific monitor.
+
+      Example:
+        sumo-query get-monitor --monitor-id 0000000000123456
+    DESC
+    option :monitor_id, type: :string, required: true, desc: 'Monitor ID'
+    # rubocop:disable Naming/AccessorMethodName -- Thor CLI command, not a getter
+    def get_monitor
+      Commands::GetMonitorCommand.new(options, create_client).execute
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    # ============================================================
+    # Folders Commands (Content Library)
+    # ============================================================
+
+    desc 'list-folders', 'List folders in content library'
+    long_desc <<~DESC
+      List folders in the Sumo Logic content library.
+      By default, shows your personal folder.
+
+      Examples:
+        # List personal folder contents
+        sumo-query list-folders
+
+        # List specific folder
+        sumo-query list-folders --folder-id 0000000000123456
+
+        # Get folder tree (recursive)
+        sumo-query list-folders --tree --depth 3
+
+        # Save to file
+        sumo-query list-folders --output folders.json
+    DESC
+    option :folder_id, type: :string, desc: 'Folder ID to list (default: personal folder)'
+    option :tree, type: :boolean, desc: 'Fetch recursive tree structure'
+    option :depth, type: :numeric, default: 3, desc: 'Maximum tree depth (default: 3)'
+    def list_folders
+      Commands::ListFoldersCommand.new(options, create_client).execute
+    end
+
+    # ============================================================
+    # Dashboards Commands
+    # ============================================================
+
+    desc 'list-dashboards', 'List all dashboards'
+    long_desc <<~DESC
+      List all dashboards in your Sumo Logic account.
+
+      Examples:
+        # List all dashboards
+        sumo-query list-dashboards
+
+        # List dashboards with limit
+        sumo-query list-dashboards --limit 50
+
+        # Save to file
+        sumo-query list-dashboards --output dashboards.json
+    DESC
+    option :limit, type: :numeric, aliases: '-l', default: 100, desc: 'Maximum dashboards to return'
+    def list_dashboards
+      Commands::ListDashboardsCommand.new(options, create_client).execute
+    end
+
+    desc 'get-dashboard', 'Get a specific dashboard by ID'
+    long_desc <<~DESC
+      Get detailed information about a specific dashboard including panels.
+
+      Example:
+        sumo-query get-dashboard --dashboard-id 0000000000123456
+    DESC
+    option :dashboard_id, type: :string, required: true, desc: 'Dashboard ID'
+    # rubocop:disable Naming/AccessorMethodName -- Thor CLI command, not a getter
+    def get_dashboard
+      Commands::GetDashboardCommand.new(options, create_client).execute
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    # ============================================================
+    # Health Events Commands
+    # ============================================================
+
+    desc 'list-health-events', 'List health events for collectors, sources, and ingest budgets'
+    long_desc <<~DESC
+      List health events from your Sumo Logic account.
+      Shows collector, source, and ingest budget health status.
+
+      Examples:
+        # List health events
+        sumo-query list-health-events
+
+        # Save to file
+        sumo-query list-health-events --output health.json
+    DESC
+    option :limit, type: :numeric, aliases: '-l', default: 100, desc: 'Maximum events to return'
+    def list_health_events
+      Commands::ListHealthEventsCommand.new(options, create_client).execute
+    end
+
+    # ============================================================
+    # Fields Commands
+    # ============================================================
+
+    desc 'list-fields', 'List custom or built-in log fields'
+    long_desc <<~DESC
+      List fields available in your Sumo Logic account.
+      By default, lists custom fields. Use --builtin for built-in fields.
+
+      Examples:
+        # List custom fields
+        sumo-query list-fields
+
+        # List built-in fields
+        sumo-query list-fields --builtin
+
+        # Save to file
+        sumo-query list-fields --output fields.json
+    DESC
+    option :builtin, type: :boolean, desc: 'List built-in fields instead of custom fields'
+    def list_fields
+      Commands::ListFieldsCommand.new(options, create_client).execute
+    end
+
+    # ============================================================
+    # Lookup Tables Commands
+    # ============================================================
+
+    desc 'get-lookup', 'Get a specific lookup table by ID'
+    long_desc <<~DESC
+      Get detailed information about a specific lookup table.
+      Note: There is no list-all endpoint for lookup tables in the Sumo Logic API.
+
+      Example:
+        sumo-query get-lookup --lookup-id 0000000000123456
+    DESC
+    option :lookup_id, type: :string, required: true, desc: 'Lookup table ID'
+    # rubocop:disable Naming/AccessorMethodName -- Thor CLI command, not a getter
+    def get_lookup
+      Commands::GetLookupCommand.new(options, create_client).execute
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    # ============================================================
+    # Apps Commands (Catalog)
+    # ============================================================
+
+    desc 'list-apps', 'List available apps from the Sumo Logic catalog'
+    long_desc <<~DESC
+      List apps available in the Sumo Logic app catalog.
+      Note: This lists the catalog of available apps, not installed apps.
+
+      Examples:
+        # List all available apps
+        sumo-query list-apps
+
+        # Save to file
+        sumo-query list-apps --output apps.json
+    DESC
+    def list_apps
+      Commands::ListAppsCommand.new(options, create_client).execute
+    end
+
+    # ============================================================
+    # Content Library Commands (path-based)
+    # ============================================================
+
+    desc 'get-content', 'Get a content item by its library path'
+    long_desc <<~DESC
+      Look up a content item in the Sumo Logic content library by its path.
+      Returns the item ID, type, name, and parent folder.
+
+      Examples:
+        # Get content by path
+        sumo-query get-content --path '/Library/Users/me/My Saved Search'
+
+        # Save to file
+        sumo-query get-content --path '/Library/Users/me/Dashboard' --output content.json
+    DESC
+    option :path, type: :string, required: true, aliases: '-p', desc: 'Content library path'
+    # rubocop:disable Naming/AccessorMethodName -- Thor CLI command, not a getter
+    def get_content
+      Commands::GetContentCommand.new(options, create_client).execute
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    desc 'export-content', 'Export a content item as JSON'
+    long_desc <<~DESC
+      Export a content library item (search, dashboard, folder) as JSON.
+      Handles the async export job automatically (start, poll, fetch result).
+
+      Examples:
+        # Export by content ID
+        sumo-query export-content --content-id 0000000000123456
+
+        # Save export to file
+        sumo-query export-content --content-id 0000000000123456 --output export.json
+    DESC
+    option :content_id, type: :string, required: true, desc: 'Content item ID to export'
+    def export_content
+      Commands::ExportContentCommand.new(options, create_client).execute
+    end
+
+    # ============================================================
+    # Utility Commands
+    # ============================================================
+
     desc 'version', 'Show version information'
     def version
       puts "sumo-query version #{Sumologic::VERSION}"