Simple Search Request

To start a query, POST the query:

Description Submit a search query
MethodPOST /api/v1/repositories/repo/query
Request DataQueryJobInput
Response DataQueryResponse
Authentication Requiredyes
Path ArgumentsDescriptionData typeRequired?
repo Name of repository to be searched stringrequired
Return Codes
200 Request complete
400 Request is malformed and either missing critical fields or the JSON is badly structured
500 Request failed

When using the endpoint, you must have a suitable access token for the data, either a repository token or a personal token, that has read access for the corresponding repository. See Tokens in LogScale.

The JSON request body supports the following attributes:


allowEventSkippingboolean false If set to true, events in the result skipped will be skipped if not retrieved.
arguments   Dictionary of arguments specified in queries with ?param or ?{param=defaultValue} syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly as in ?query(param=value) then that value overrides values provided here.
endrelative-time   The end date and time. This parameter tells LogScale not to return results from after this date and time. See Search API Time Specification,
ingestEndrelative-time   Specifies the end time based on when the data was ingested.
ingestStartrelative-time   Specifies the start time based on when the data was ingested.
isLiveboolean false Sets whether this query is live. Defaults to false. Live queries are continuously updated.
languageVersionstring   The version of the query language to use
queryStringstringYes  The actual query. See Query Language Syntax for details.
timeZoneOffsetMinutesinteger   Set the time zone offset used for bucket() and timechart() time slices, which is significant if the corresponding span is multiples of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for UTC+01:00 timezone the value 60 should be passed.

For example, to execute a basic query from the command line:

   "queryString" : "css|head(5)"
Mac OS or Linux (curl)
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "{
   \"queryString\" : \"css|head(5)\"
Mac OS or Linux (curl) One-line
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "{
   \"queryString\" : \"css|head(5)\"
Windows Cmd and curl
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "{ ^
   \"queryString\" : \"css|head(5)\" ^
} ^
" ^
} '
Windows Powershell and curl
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "{
   \"queryString\" : \"css|head(5)\"

use HTTP::Request;
use LWP;
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{"query" : "{
   \"queryString\" : \"css|head(5)\"
my $req = HTTP::Request->new("POST", $uri );
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{"query" : "{
   \"queryString\" : \"css|head(5)\"

resp =,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"

const https = require('https');

const data = JSON.stringify(
    {"query" : "{
   \"queryString\" : \"css|head(5)\"

const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  res.on('end', () => {

req.on('error', (error) => {

accesslog - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/cpu.svg HTTP/1.1" 200 667 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/database.svg HTTP/1.1" 200 372 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/trello.svg HTTP/1.1" 200 373 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/box.svg HTTP/1.1" 200 462

The results are sent back by default as raw text, i.e. not embedded in a JSON or other structure.

The connection will be closed once the results have been returned, and the returned data will match the supplied query at the time of execution.

Triggering Direct Download of the Results

If you use this API from a browser application, you may want to trigger direct download. You can achieve this by adding the HTTP header X-Desired-Filename to the request. That will result in the response having the header Content-Disposition with the value attachment; filename=\"DESIRED_FILE_NAME\".