Creating a Query Job

To create a query through the Query Jobs interface you must submit a POST:

Description Create a query job  
MethodPOST /api/v1/repositories/repo/queryjobs 
Request DataQueryInputJob 
Response DataQueryResults 
Authentication Requiredyes 
Path ArgumentsDescriptionData typeRequired?
repo Name of repository to be searched stringrequired
Return Codes 
200 Request complete  
400 Request is malformed and either missing critical fields or the JSON is badly structured  
500 Request failed  

The JSON request body supports the following attributes:

Table: QueryInput JSON Object Fields

FieldTypeRequired?DefaultDescription
allowEventSkippingboolean false If set to true, events in the result skipped will be skipped if not retrieved.
arguments   Dictionary of arguments specified in queries with ?param or ?{param=defaultValue} syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly as in ?query(param=value) then that value overrides values provided here.
around   Used to define the pagination of events in the result set within the given query when using pagination. Used for cursor-based paginating of filter query result. This cannot be used with aggregate results as all rows are always returned. For more information see api-search-request-around
        eventIdstringYes  The ID of the event to use as the reference point
        numberOfEventsAfterintegerYes  Number of events to show after the eventId
        numberOfEventsBeforeintegerYes  Number of events to show before the eventId
        timestampintegerYes  The timestamp to use as the reference for pagination.
autobucketCountinteger   Determines the number of buckets the system should create during live query searches, when no other explicit bucketing aggregate is specified (such as bucket(), timechart()). Higher autobucket counts means finer granularity, but at the cost of increased memory usage during search. Default value: 90
endrelative-time   The end date and time. This parameter tells LogScale not to return results from after this date and time. See how to specify a time.
ingestEndrelative-time   Specifies the end time based on when the data was ingested.
ingestStartrelative-time   Specifies the start time based on when the data was ingested.
isAlertQueryboolean   Indicates whether the query comes from an alert or not.
isInteractiveboolean false Whether the search is being run interactively, i.e., from with the LogScale or another UI.
isLiveboolean false Sets whether this query is live. Defaults to false . Live queries are continuously updated.
languageVersionstring   The version of the query language to use
queryStringstringYes  The actual query. See Query Language Syntax for details.
showQueryEventDistributionboolean false If true LogScale will return an additional resultset containing a histogram of the number of events over the time interval. This field is deprecated. Use results instead. If both this field an results is specified, results takes precedence.
startrelative-time   The start date and time. This parameter tells LogScale not to return results from before this date and time. See how to specify a time.
timeZonestring   The timezone to be used when returning dates.
timeZoneOffsetMinutesinteger   Set the time zone offset used for bucket() and timeChart() time slices, which is significant if the corresponding span is multiples of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for UTC+01:00 timezone the value 60 should be passed.
useIngestTimeboolean false When set to true, uses the ingest time rather than event timestamp as the basis for the time span.

The request for the query matches the simple query JSON fields. See Simple Search Request for more information on the supported arguments.

Raw
json
{
   "queryString" : "",
   "start" : "1d",
   "isLive" : false,
   "showQueryEventDistribution" : true
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs \
    -H "Accept: application/json" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "isLive" : false,
   "start" : "1d",
   "queryString" : "",
   "showQueryEventDistribution" : true
}

EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs \
    -H "Accept: application/json" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   \"showQueryEventDistribution\" : true,
   \"queryString\" : \"\",
   \"isLive\" : false,
   \"start\" : \"1d\"
}

EOF
Windows Cmd and curl
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs ^
    -H "Accept: application/json" ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{ ^
   \"showQueryEventDistribution\" : true, ^
   \"start\" : \"1d\", ^
   \"isLive\" : false, ^
   \"queryString\" : \"\" ^
} ^
 '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Accept: application/json"
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{
   \"queryString\" : \"\",
   \"start\" : \"1d\",
   \"isLive\" : false,
   \"showQueryEventDistribution\" : true
}
'
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs';

my $json = '{
   \"isLive\" : false,
   \"start\" : \"1d\",
   \"queryString\" : \"\",
   \"showQueryEventDistribution\" : true
}
';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Accept" => "application/json");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs'
mydata = r'''{
   "queryString" : "",
   "isLive" : false,
   "start" : "1d",
   "showQueryEventDistribution" : true
}
'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Accept" : "application/json",
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {
   \"queryString\" : \"\",
   \"start\" : \"1d\",
   \"isLive\" : false,
   \"showQueryEventDistribution\" : true
}

);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

When creating a query job, an ID is returned that identified the query job. The id field indicates the {id} for the query, which you can then poll using the HTTP GET method (see Polling a Query Job).

http
{
   "hashedQueryOnView" : "4ab13fa1",
   "id" : "P15-uoxCpi2DFJDFTAkHXLyYL8bN"
}

The returned JSON uses the following schema:

Table: Metadata JSON Object Fields

FieldTypeDescription
hashedQueryOnViewstring A string hash of the optimized query (the "query plan"). For advanced users.
idstring The id of the started queryjob. This can be used to poll results.
queryOnViewstring A string representation of the optimized query (the "query plan"). For advanced users.
staticMetaData If provided, indicates that the backend is running the query in a special mode, and may include information about the reason for selecting that mode.
        executionMode  The execution mode of the query.

An OpenAPI specification for this interface is available: Download it here. This can be used with a number of languages to build clients for this data.