Coralogix Integration
Connect Coralogix to enable the AI agent to search logs, query metrics, review alerts, and automatically investigate triggered alerts during incident response.
Capabilities
Once connected, the AI agent can:
| Capability | Description |
|---|---|
| Query Logs | Search logs using DataPrime query language with time range and tier filters |
| Query Metrics | Run PromQL queries for instant and range metric queries |
| List Alerts | View all configured alert definitions and their status |
| Get Alert Details | Retrieve full configuration of a specific alert |
| Alert Webhooks | Automatically create investigations when Coralogix alerts trigger |
Prerequisites
- A Coralogix account with API access
- A Coralogix API Key — either a Personal API Key (recommended, full access) or a Team API Key (metrics only)
- Knowledge of your Coralogix region
Setup
- Log in to your Coralogix account
- For full access (logs, alerts, metrics): Navigate to Settings > Personal API Keys and create a key with the Alerts and DataQuerying presets
- For metrics only: You can use a Team API Key from Settings > API Keys
- Copy the key value
Check your Coralogix login URL to determine your region:
| Region | Login Domain |
|---|---|
| EU1 | coralogix.com |
| US1 | coralogix.us |
| US2 | cx498.coralogix.com |
| EU2 | eu2.coralogix.com |
| AP1 (India) | coralogix.in |
| AP2 (Singapore) | coralogixsg.com |
| AP3 | ap3.coralogix.com |
- Go to Integrations in Autoheal
- Click Coralogix
- Enter a name (e.g., "Production Coralogix")
Enter the following:
- API Key: Your Coralogix API Key (Personal or Team)
- Region: Select your Coralogix region from the dropdown
Click Test Connection to verify, then Save.
Required Permissions
The test connection will pass if the API key can access at least one of the following endpoints: Alerts, DataPrime (logs), or Metrics.
Personal API Key (recommended — full access)
| Permission Preset | Capabilities |
|---|---|
| Alerts | List and view alert definitions |
| DataQuerying | Query logs via DataPrime and metrics via PromQL |
Team API Key (limited — metrics only)
Team API Keys can access the metrics endpoint but cannot query logs or alerts. The test connection will pass, but only coralogix_query_metrics will work.
For full functionality, create a dedicated Personal API Key with the Alerts and DataQuerying presets. Avoid using keys with write or admin permissions.
Example Queries
Once connected, you can ask the AI agent questions like:
Search for error logs in the payment service over the last hour
Show me the CPU utilization metrics for the last 30 minutes
What alerts are currently configured for production?
Query logs where severity is Error and namespace is production
DataPrime Query Syntax
Coralogix uses the DataPrime query language for log searches. Some common patterns:
source logs | filter $d.severity == 'Error' | limit 100
source logs | filter $d.kubernetes.namespace_name == 'production' | limit 50
source logs | filter $d.service_name == 'api-gateway' && $d.status_code >= 500 | limit 25
Alert Webhooks (Alert Source)
Coralogix can also act as an alert source, automatically creating investigations when alerts trigger. This is configured separately from the data source capabilities above.
Setting Up Alert Webhooks
- Go to your Coralogix integration in Autoheal
- Navigate to the Alert Source tab
- Enable webhooks and copy the Webhook URL
- In Coralogix, go to Integrations > Webhooks > Outbound Webhooks
- Click Add on the Generic Webhook card
- Enter a name (e.g., "Autoheal")
- Paste the Webhook URL from Autoheal
- Keep the default body template as-is — no customization needed
- Save the webhook
- In the Generic Webhook configuration, go to Alert Notifications
- Select the alerts you want to trigger investigations for
- Save the configuration
Only alerts with alert_action: "trigger" will create investigations. Resolve actions are acknowledged but skipped to avoid duplicate investigations.
Coralogix outbound webhooks do not support HMAC signature verification. Authentication relies on the unique secret embedded in the webhook URL.
Webhook Response Codes
| HTTP Status | Response Body | Meaning |
|---|---|---|
| 200 OK | {"status": "processed", "investigation_id": "...", "investigation_url": "..."} | Alert received and investigation created |
| 200 OK | {"status": "skipped"} | Alert received but action was resolve — no investigation needed |
| 400 Bad Request | {"code": 11002, "message": "Webhook payload invalid"} | Payload is not valid JSON |
| 404 Not Found | {"code": 10000, "message": "Integration not found"} | Webhook URL secret is incorrect or webhook is disabled |
Successful trigger delivery:
{
"status": "processed",
"investigation_id": "71b5f2a7-1981-494d-a04f-3df7262e6184",
"investigation_url": "https://your-tenant.autoheal.dev/investigation/71b5f2a7-1981-494d-a04f-3df7262e6184"
}
Resolve action (skipped):
{
"status": "skipped"
}
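An added example, not Autoheal's implementation, showing how a receiver that authenticates on the URL secret alone can reproduce the response table above: constant-time secret comparison, one 404 for both a wrong secret and a disabled webhook, and the secret masked before a URL is logged. `EXPECTED_SECRET`, `handle_webhook` and `redact_url` are hypothetical names, the sample payloads are constructed, and rejecting a non-object JSON body is an assumption.

```python
import hmac
import json
import uuid

# Constructed placeholder; a real secret is the random token embedded in the webhook URL.
EXPECTED_SECRET = "example-secret-not-real"


def redact_url(url: str, secret: str) -> str:
    """Mask the URL secret before the URL reaches logs or error reports."""
    return url.replace(secret, "<redacted>")


def handle_webhook(path_secret: str, raw_body: bytes, enabled: bool = True):
    """Return (http_status, response_body) following the response-code table."""
    # No HMAC signature is available, so the URL secret is the only credential.
    # compare_digest does not reveal how many leading characters matched.
    secret_ok = hmac.compare_digest(path_secret.encode(), EXPECTED_SECRET.encode())
    if not (enabled and secret_ok):
        # Same answer for a wrong secret and a disabled webhook.
        return 404, {"code": 10000, "message": "Integration not found"}
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400, {"code": 11002, "message": "Webhook payload invalid"}
    if not isinstance(payload, dict):
        # Assumption: a JSON value that is not an object is also rejected.
        return 400, {"code": 11002, "message": "Webhook payload invalid"}
    if payload.get("alert_action") != "trigger":
        # Resolve actions are acknowledged but create no investigation.
        return 200, {"status": "skipped"}
    investigation_id = str(uuid.uuid4())
    return 200, {
        "status": "processed",
        "investigation_id": investigation_id,
        "investigation_url": f"https://your-tenant.autoheal.dev/investigation/{investigation_id}",
    }


if __name__ == "__main__":
    # Constructed sample deliveries.
    print(handle_webhook(EXPECTED_SECRET, b'{"alert_action": "trigger"}'))
    print(handle_webhook(EXPECTED_SECRET, b'{"alert_action": "resolve"}'))
    print(handle_webhook("guessed-value", b'{"alert_action": "trigger"}'))
    print(redact_url("https://hooks.example.invalid/" + EXPECTED_SECRET, EXPECTED_SECRET))
```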
Troubleshooting
403 Forbidden / Missing Permissions
- Team API Keys only support metrics queries. If you need log search or alert access, use a Personal API Key with the Alerts and DataQuerying presets.
- Personal API Keys: Verify the key has the required permission presets (Alerts and DataQuerying) in Settings > Personal API Keys.
- Ensure you selected the correct region matching your Coralogix account.
No Data Returned
- Verify the time range includes data
- Check that the DataPrime query syntax is correct
- Ensure data exists in the selected tier (Frequent Search vs Archive)
Wrong Region
- Check your Coralogix login URL to identify your region
- For example, if you log in at `app.cx498.coralogix.com`, select `cx498.coralogix.com`
Connection Timeout
- Check your region selection
- Verify network connectivity to Coralogix APIs
- Large queries may take longer — try adding `| limit` to your DataPrime queries
Webhook Not Creating Investigations
- Verify the webhook is enabled in the Autoheal integration settings
- Check that the Webhook URL in Coralogix matches exactly (including the secret)
- Ensure the alert is attached to the Generic Webhook in Coralogix
- Only `trigger` actions create investigations — `resolve` actions are skipped by design