Live Search Request

A live search request is similar to the simplie search request. The difference is that a live search request does not complete. Instead, the search returns all the matching records to the client, and then keeps the HTTP request open. As new data is ingested into the repository, matching results are immediately sent to the client.

Important

Live searches can be terminated at any time, and do not work with aggregate functions and operators. For more information on the operation of Live Queries, see Live Search Operation. This may mean that a live query fails, or 'times out' during execution and results may fail to be returned without a clear indication of the reason. Using the Query Job API may lead to a more reliable and reproducible result set. For more information, see Running Query Jobs.

To execute a live search request, add the isLive parameter to the request object with the value true. For example:

Raw
json
{
   "queryString" : "css",
   "isLive" : true
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "queryString" : "css",
   "isLive" : true
}

EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   \"isLive\" : true,
   \"queryString\" : \"css\"
}

EOF
Windows Cmd and curl
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{ ^
   \"queryString\" : \"css\", ^
   \"isLive\" : true ^
} ^
 '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{
   \"isLive\" : true,
   \"queryString\" : \"css\"
}
'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

my $json = '{
   \"queryString\" : \"css\",
   \"isLive\" : true
}
';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
   "isLive" : true,
   "queryString" : "css"
}
'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {
   \"isLive\" : true,
   \"queryString\" : \"css\"
}

);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

The results match the filter will be returned instantly, but the HTTP connection will not be closed. Any additional results will be returned as they are ingested:

accesslog
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/book-open.svg HTTP/1.1" 200 339
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/logo-white.svg HTTP/1.1" 200 2275
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/slack.svg HTTP/1.1" 200 999
127.0.0.1 - - [10/Mar/2023:09:43:42 +0000] "GET /theme-home.css HTTP/1.1" 200 70699
...
192.168.1.18 - - [11/Mar/2023:17:06:04 +0000] "GET /css-images/slack.svg HTTP/1.1" 200 999