Simple Search Request

Important

Running Query Jobs is the recommended method for running queries. The simple search request is can be useful for short, tightly bounded queries where the timepan and returned dataset is small. For longer runnning queries, especially when accessing data that may be stored onbucket storage or requires complex aggregate calculations, query jobs is the better approach.

To start a query, POST the query:

Description Submit a search query  
MethodPOST /api/v1/repositories/repo/query 
Request DataQueryJobInput 
Response DataQueryResponse 
Authentication Requiredyes 
Path ArgumentsDescriptionData typeRequired?
repo Name of repository to be searched stringrequired
Return Codes 
200 Request complete  
400 Request is malformed and either missing critical fields or the JSON is badly structured  
500 Request failed  

When using the endpoint, you must have a suitable access token for the data, either a repository token or a personal token, that has read access for the corresponding repository. See Tokens in LogScale.

The JSON request body supports the following attributes:

Table: QueryInput JSON Object Fields

FieldTypeRequired?DefaultDescription
allowEventSkippingboolean false If set to true, events in the result skipped will be skipped if not retrieved.
arguments   Dictionary of arguments specified in queries with ?param or ?{param=defaultValue} syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly as in ?query(param=value) then that value overrides values provided here.
endrelative-time   The end date and time. This parameter tells LogScale not to return results from after this date and time. See Search API Time Specification,
ingestEndrelative-time   Specifies the end time based on when the data was ingested.
ingestStartrelative-time   Specifies the start time based on when the data was ingested.
isLiveboolean false Sets whether this query is live. Defaults to false. Live queries are continuously updated.
languageVersionstring   The version of the query language to use
queryStringstringYes  The actual query. See Query Language Syntax for details.
timeZoneOffsetMinutesinteger   Set the time zone offset used for bucket() and timeChart() time slices, which is significant if the corresponding span is multiples of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for UTC+01:00 timezone the value 60 should be passed.

For example, to execute a basic query from the command line:

Raw
json
{
   "queryString" : "css|head(5)"
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "queryString" : "css|head(5)"
}

EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   \"queryString\" : \"css|head(5)\"
}

EOF
Windows Cmd and curl
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{ ^
   \"queryString\" : \"css|head(5)\" ^
} ^
 '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{
   \"queryString\" : \"css|head(5)\"
}
'
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

my $json = '{
   \"queryString\" : \"css|head(5)\"
}
';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
   "queryString" : "css|head(5)"
}
'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {
   \"queryString\" : \"css|head(5)\"
}

);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
accesslog
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/cpu.svg HTTP/1.1" 200 667
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/database.svg HTTP/1.1" 200 372
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/trello.svg HTTP/1.1" 200 373
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/box.svg HTTP/1.1" 200 462

The results are sent back by default as raw text, i.e. not embedded in a JSON or other structure.

The connection will be closed once the results have been returned, and the returned data will match the supplied query at the time of execution.

Triggering Direct Download of the Results

If you use this API from a browser application, you may want to trigger direct download. You can achieve this by adding the HTTP header X-Desired-Filename to the request. That will result in the response having the header Content-Disposition with the value attachment; filename=\"DESIRED_FILE_NAME\".