Simple Search Request
Important
Running Query Jobs is the recommended method for running queries. The simple search request can be useful for short, tightly bounded queries where the timespan and returned dataset are small. For longer-running queries, especially when accessing data that may be stored on bucket storage or that requires complex aggregate calculations, query jobs are the better approach.
To start a query, POST the query:

Property | Value |
---|---|
Description | Submit a search query |
Method | POST /api/v1/repositories/ |
Request Data | QueryJobInput |
Response Data | QueryResponse |
Authentication Required | yes |

Path Arguments | Description | Data type | Required? |
---|---|---|---|
repo | Name of repository to be searched | string | required |

Return Codes | Description |
---|---|
200 | Request complete |
400 | Request is malformed and either missing critical fields or the JSON is badly structured |
500 | Request failed |
When using the endpoint, you must have a suitable access token for the data, either a repository token or a personal token, that has read access for the corresponding repository. See Tokens in LogScale.
The JSON request body supports the following attributes:
Table: QueryInput JSON Object Fields

Field | Type | Required? | Default | Description |
---|---|---|---|---|
allowEventSkipping | boolean | | false | If set to true, events in the result will be skipped if not retrieved. |
arguments | | | | Dictionary of arguments specified in queries with ?param or ?{param=defaultValue} syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly as in ?query(param=value) then that value overrides values provided here. |
end | relative-time | | | The end date and time. This parameter tells LogScale not to return results from after this date and time. See Search API Time Specification. |
ingestEnd | relative-time | | | Specifies the end time based on when the data was ingested. |
ingestStart | relative-time | | | Specifies the start time based on when the data was ingested. |
isLive | boolean | | false | Sets whether this query is live. Defaults to false. Live queries are continuously updated. |
languageVersion | string | | | The version of the query language to use. |
queryString | string | Yes | | The actual query. See Query Language Syntax for details. |
timeZoneOffsetMinutes | integer | | | Set the time zone offset used for bucket() and timeChart() time slices, which is significant if the corresponding span is multiples of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for UTC+01:00 timezone the value 60 should be passed. |
For example, to execute a basic query from the command line:

Raw request body:

```json
{
  "queryString" : "css|head(5)"
}
```

Mac OS or Linux (curl):

```shell
curl -v -X POST "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
  "queryString" : "css|head(5)"
}
EOF
```

Mac OS or Linux (curl), with the body passed inline:

```shell
curl -v -X POST "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"queryString\" : \"css|head(5)\"}"
```

Windows Cmd and curl (replace the `$...` placeholders with your own values; the pipe is written `^|` because cmd.exe treats it as unquoted after the escaped quotes):

```
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d "{\"queryString\" : \"css^|head(5)\"}"
```

Windows PowerShell and curl:

```powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{\"queryString\" : \"css|head(5)\"}' `
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
```

Perl:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Connection details are read from the environment rather than hard-coded.
my $TOKEN = $ENV{TOKEN};
my $uri   = "https://$ENV{YOUR_LOGSCALE_URL}/api/v1/repositories/$ENV{REPOSITORY_NAME}/query";

# Single-quoted string: the JSON needs no escaping.
my $json = '{
  "queryString" : "css|head(5)"
}
';

my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type"  => "application/json");
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);
print $result->decoded_content, "\n";
```

Python:

```python
#! /usr/local/bin/python3
import os

import requests

# Connection details are read from the environment rather than hard-coded.
url = "https://{}/api/v1/repositories/{}/query".format(
    os.environ["YOUR_LOGSCALE_URL"], os.environ["REPOSITORY_NAME"]
)

mydata = r'''{
  "queryString" : "css|head(5)"
}
'''

resp = requests.post(
    url,
    data=mydata,
    headers={
        "Authorization": "Bearer " + os.environ["TOKEN"],
        "Content-Type": "application/json",
    },
)

print(resp.text)
```

Node.js:

```javascript
const https = require('https');

const data = JSON.stringify({
  queryString: 'css|head(5)',
});

const options = {
  // hostname is the bare host name; the API path goes in `path`.
  hostname: process.env.YOUR_LOGSCALE_URL,
  path: `/api/v1/repositories/${process.env.REPOSITORY_NAME}/query`,
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    // Results are returned as raw text by default, so print them as-is.
    console.log(body);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
```

Example output:

```
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/cpu.svg HTTP/1.1" 200 667
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/database.svg HTTP/1.1" 200 372
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/trello.svg HTTP/1.1" 200 373
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/box.svg HTTP/1.1" 200 462
```

The results are sent back by default as raw text, i.e. not embedded in a JSON or other structure.
The connection will be closed once the results have been returned, and the returned data will match the supplied query at the time of execution.
Triggering Direct Download of the Results
If you use this API from a browser application, you may want to trigger direct download. You can achieve this by adding the HTTP header `X-Desired-Filename` to the request. That will result in the response having the header `Content-Disposition` with the value `attachment; filename="DESIRED_FILE_NAME"`.
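
The following is an added example, not code from the LogScale documentation. It combines the `arguments` field from the table above with the `X-Desired-Filename` header: caller-supplied values reach the query through `?param` arguments rather than by string concatenation into `queryString`, and the download name is checked before it is placed in a header. The host name, the field name `url` in the sample query, and the filename allow-list are assumptions of the example.

```python
import json
import os
import re
import urllib.parse
import urllib.request

# Conservative allow-list for the download name (an assumption of this example,
# not a rule stated by LogScale): no quotes, path separators or CR/LF.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9._-]{1,100}")


def build_query_request(base_url, repo, token, query_string,
                        arguments=None, desired_filename=None):
    """Build (not send) a POST to /api/v1/repositories/<repo>/query."""
    body = {"queryString": query_string}
    if arguments:
        # The API requires a simple dictionary of string values.
        for name, value in arguments.items():
            if not isinstance(name, str) or not isinstance(value, str):
                raise TypeError(f"argument {name!r} must map str to str")
        body["arguments"] = dict(arguments)
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if desired_filename is not None:
        if not SAFE_FILENAME.fullmatch(desired_filename):
            raise ValueError("unsafe download filename")
        headers["X-Desired-Filename"] = desired_filename
    # Percent-encode the repository name so it cannot alter the URL path.
    url = (base_url.rstrip("/") + "/api/v1/repositories/"
           + urllib.parse.quote(repo, safe="") + "/query")
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")


def run_query(request, timeout=30):
    """Send the request; 400 and 500 surface as urllib.error.HTTPError."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.read().decode("utf-8")  # raw text by default


if __name__ == "__main__":
    req = build_query_request(
        "https://" + os.environ["YOUR_LOGSCALE_URL"],
        os.environ["REPOSITORY_NAME"], os.environ["TOKEN"],
        "css | url = ?path | head(5)",  # constructed query; `url` is hypothetical
        arguments={"path": "/css-images/cpu.svg"})
    print(run_query(req))
```
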