> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bunny.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Search, filter and group Event Logs for a Shield Zone



## OpenAPI

````yaml https://api.bunny.net/shield/docs/v1/swagger.json post /shield/event-logs/{shieldZoneId}/search
openapi: 3.0.4
info:
  title: Bunny Shield API
  description: >-
    Bunny.net API for Bunny Shield (WAF, DDoS, Rate Limiting, Bot Detection,
    Access Lists & API Guardian).
  version: v1
servers:
  - url: https://api.bunny.net
security: []
paths:
  /shield/event-logs/{shieldZoneId}/search:
    post:
      tags:
        - Event Logs
      summary: Search, filter and group Event Logs for a Shield Zone
      operationId: Search Event Logs
      parameters:
        - name: shieldZoneId
          in: path
          description: The ID of the Shield Zone.
          required: true
          schema:
            type: integer
            description: The ID of the Shield Zone.
            format: int32
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EventLogsSearchRequest'
          text/json:
            schema:
              $ref: '#/components/schemas/EventLogsSearchRequest'
          application/*+json:
            schema:
              $ref: '#/components/schemas/EventLogsSearchRequest'
      responses:
        '200':
          description: OK
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/EventLogsSearchResponse'
            application/json:
              schema:
                $ref: '#/components/schemas/EventLogsSearchResponse'
            text/json:
              schema:
                $ref: '#/components/schemas/EventLogsSearchResponse'
        '400':
          description: Bad Request
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            application/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            text/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
        '401':
          description: Unauthorized
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            application/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            text/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
        '500':
          description: Internal Server Error
components:
  schemas:
    EventLogsSearchRequest:
      type: object
      properties:
        from:
          type: integer
          description: Window start as Unix time in milliseconds (UTC). Required.
          format: int64
        to:
          type: integer
          description: >-
            Window end as Unix time in milliseconds (UTC). Required; must be
            after
            BunnyNet.Shield.Api.Entities.Waf.WafLogging.EventLogsSearchRequest.from
            and within the last 72 hours.
          format: int64
        query:
          type: string
          description: >-
            Optional free-text search across IP, ruleId, URL, User-Agent and
            rule name.
          nullable: true
        filters:
          type: array
          items:
            $ref: '#/components/schemas/EventLogsFilter'
          description: >-
            Optional filters, combined with AND. Repeated values within one
            filter combine with OR.
          nullable: true
        groupBy:
          type: array
          items:
            type: string
          description: >-
            Optional ordered dimensions to group by, e.g. ["ip","ja4"]. Omit for
            flat rows.

            Allowed: feature, ruleId, ip, ja4, ua, url, asn, country, action.
          nullable: true
        page:
          type: integer
          description: Zero-based page index.
          format: int32
        pageSize:
          type: integer
          description: Page size; clamped to 1–500 (defaults to 50 when unset).
          format: int32
      additionalProperties: false
      description: >-
        Request body for searching a Shield Zone's Event Logs within a time
        window.
    EventLogsSearchResponse:
      type: object
      properties:
        rows:
          type: array
          items:
            $ref: '#/components/schemas/EventRow'
          description: Flat event rows (populated when the request had no groupBy).
          nullable: true
        groups:
          type: array
          items:
            $ref: '#/components/schemas/EventGroup'
          description: Aggregated groups (populated when the request had a groupBy).
          nullable: true
        total:
          type: integer
          description: Total flat rows, or total distinct groups when grouped.
          format: int64
        totalPages:
          type: integer
          description: Total number of pages for the current page size.
          format: int32
        page:
          type: integer
          description: Zero-based index of the returned page.
          format: int32
        errorResponse:
          $ref: '#/components/schemas/GenericRequestResponse'
      additionalProperties: false
      description: >-
        Result of an Event Logs search. Exactly one of
        BunnyNet.Shield.Api.Entities.Waf.WafLogging.EventLogsSearchResponse.rows
        or
        BunnyNet.Shield.Api.Entities.Waf.WafLogging.EventLogsSearchResponse.groups
        is populated.
    ProblemDetails:
      type: object
      properties:
        type:
          type: string
          nullable: true
        title:
          type: string
          nullable: true
        status:
          type: integer
          format: int32
          nullable: true
        detail:
          type: string
          nullable: true
        instance:
          type: string
          nullable: true
      additionalProperties: {}
    EventLogsFilter:
      type: object
      properties:
        field:
          type: string
          description: >-
            Dimension to filter on: feature, ruleId, ip, ja4, ua, url, asn,
            country or action.
          nullable: true
        op:
          type: string
          description: >-
            Operator: eq, in, contains, cidr (ip only, IPv4/IPv6) or wildcard
            ('*' matches any run).
          nullable: true
        value:
          type: array
          items:
            type: string
          description: Value(s) for the filter; multiple values are OR-combined.
          nullable: true
      additionalProperties: false
      description: A single Event Logs filter clause.
    EventRow:
      type: object
      properties:
        logId:
          type: string
          description: Unique event identifier.
          nullable: true
        timestamp:
          type: integer
          description: Event time as Unix time in milliseconds (UTC).
          format: int64
        log:
          description: The full request context for the event (JSON object).
          nullable: true
        fields:
          type: object
          additionalProperties:
            type: string
          description: Resolved dimension values for the event (e.g. ip, ruleId, url, ja4).
          nullable: true
      additionalProperties: false
      description: A single event returned in a flat (ungrouped) search.
    EventGroup:
      type: object
      properties:
        key:
          type: object
          additionalProperties:
            type: string
          description: 'The group key: each requested groupBy dimension mapped to its value.'
          nullable: true
        count:
          type: integer
          description: Number of events in the group.
          format: int64
        firstSeen:
          type: integer
          description: Earliest event time in the group (Unix time in milliseconds, UTC).
          format: int64
        lastSeen:
          type: integer
          description: >-
            Most recent event time in the group (Unix time in milliseconds,
            UTC).
          format: int64
        context:
          type: object
          additionalProperties: {}
          description: >-
            Context aggregates for the group: country, asn, per-action counts
            (blocked/challenged/logged),

            and features/ruleIds touched. Counts are numbers; features/ruleIds
            are comma-joined strings.
          nullable: true
      additionalProperties: false
      description: >-
        An aggregated group of events (returned when the search request
        specifies groupBy).
    GenericRequestResponse:
      type: object
      properties:
        statusCode:
          $ref: '#/components/schemas/HttpStatusCode'
        success:
          type: boolean
          description: Indicates whether the operation was successful.
        message:
          type: string
          description: Human-readable message describing the result of the operation.
          nullable: true
        errorKey:
          type: string
          description: Unique error key for programmatic error handling, if applicable.
          nullable: true
      additionalProperties: false
      description: >-
        Generic response object containing status information for API
        operations.
    HttpStatusCode:
      enum:
        - 100
        - 101
        - 102
        - 103
        - 200
        - 201
        - 202
        - 203
        - 204
        - 205
        - 206
        - 207
        - 208
        - 226
        - 300
        - 301
        - 302
        - 303
        - 304
        - 305
        - 306
        - 307
        - 308
        - 400
        - 401
        - 402
        - 403
        - 404
        - 405
        - 406
        - 407
        - 408
        - 409
        - 410
        - 411
        - 412
        - 413
        - 414
        - 415
        - 416
        - 417
        - 421
        - 422
        - 423
        - 424
        - 426
        - 428
        - 429
        - 431
        - 451
        - 500
        - 501
        - 502
        - 503
        - 504
        - 505
        - 506
        - 507
        - 508
        - 510
        - 511
      type: integer
      description: |-
        100 = Continue
        101 = SwitchingProtocols
        102 = Processing
        103 = EarlyHints
        200 = OK
        201 = Created
        202 = Accepted
        203 = NonAuthoritativeInformation
        204 = NoContent
        205 = ResetContent
        206 = PartialContent
        207 = MultiStatus
        208 = AlreadyReported
        226 = IMUsed
        300 = MultipleChoices
        300 = Ambiguous
        301 = MovedPermanently
        301 = Moved
        302 = Found
        302 = Redirect
        303 = SeeOther
        303 = RedirectMethod
        304 = NotModified
        305 = UseProxy
        306 = Unused
        307 = TemporaryRedirect
        307 = RedirectKeepVerb
        308 = PermanentRedirect
        400 = BadRequest
        401 = Unauthorized
        402 = PaymentRequired
        403 = Forbidden
        404 = NotFound
        405 = MethodNotAllowed
        406 = NotAcceptable
        407 = ProxyAuthenticationRequired
        408 = RequestTimeout
        409 = Conflict
        410 = Gone
        411 = LengthRequired
        412 = PreconditionFailed
        413 = RequestEntityTooLarge
        414 = RequestUriTooLong
        415 = UnsupportedMediaType
        416 = RequestedRangeNotSatisfiable
        417 = ExpectationFailed
        421 = MisdirectedRequest
        422 = UnprocessableEntity
        422 = UnprocessableContent
        423 = Locked
        424 = FailedDependency
        426 = UpgradeRequired
        428 = PreconditionRequired
        429 = TooManyRequests
        431 = RequestHeaderFieldsTooLarge
        451 = UnavailableForLegalReasons
        500 = InternalServerError
        501 = NotImplemented
        502 = BadGateway
        503 = ServiceUnavailable
        504 = GatewayTimeout
        505 = HttpVersionNotSupported
        506 = VariantAlsoNegotiates
        507 = InsufficientStorage
        508 = LoopDetected
        510 = NotExtended
        511 = NetworkAuthenticationRequired
      format: int32
      x-enum-varnames:
        - Continue
        - SwitchingProtocols
        - Processing
        - EarlyHints
        - OK
        - Created
        - Accepted
        - NonAuthoritativeInformation
        - NoContent
        - ResetContent
        - PartialContent
        - MultiStatus
        - AlreadyReported
        - IMUsed
        - MultipleChoices
        - Ambiguous
        - MovedPermanently
        - Moved
        - Found
        - Redirect
        - SeeOther
        - RedirectMethod
        - NotModified
        - UseProxy
        - Unused
        - TemporaryRedirect
        - RedirectKeepVerb
        - PermanentRedirect
        - BadRequest
        - Unauthorized
        - PaymentRequired
        - Forbidden
        - NotFound
        - MethodNotAllowed
        - NotAcceptable
        - ProxyAuthenticationRequired
        - RequestTimeout
        - Conflict
        - Gone
        - LengthRequired
        - PreconditionFailed
        - RequestEntityTooLarge
        - RequestUriTooLong
        - UnsupportedMediaType
        - RequestedRangeNotSatisfiable
        - ExpectationFailed
        - MisdirectedRequest
        - UnprocessableEntity
        - UnprocessableContent
        - Locked
        - FailedDependency
        - UpgradeRequired
        - PreconditionRequired
        - TooManyRequests
        - RequestHeaderFieldsTooLarge
        - UnavailableForLegalReasons
        - InternalServerError
        - NotImplemented
        - BadGateway
        - ServiceUnavailable
        - GatewayTimeout
        - HttpVersionNotSupported
        - VariantAlsoNegotiates
        - InsufficientStorage
        - LoopDetected
        - NotExtended
        - NetworkAuthenticationRequired

````