Live Search Request
A live search request is similar to the simple search request. The difference is that a live search request does not complete. Instead, the search returns all the matching records to the client, and then keeps the HTTP request open. As new data is ingested into the repository, matching results are immediately sent to the client.
Important
Live searches can be terminated at any time, and do not work with aggregate functions and operators. For more information on the operation of Live Queries, see Live Search Operation. This may mean that a live query fails, or 'times out' during execution and results may fail to be returned without a clear indication of the reason. Using the Query Job API may lead to a more reliable and reproducible result set. For more information, see Running Query Jobs.
To execute a live search request, add the isLive parameter to the request object with the value true. For example:
{
"isLive" : true,
"queryString" : "css"
}
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
"isLive" : true,
"queryString" : "css"
}
EOF
# Mac OS or Linux shell, request body passed inline
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "{ \"isLive\" : true, \"queryString\" : \"css\" }"
REM Windows Cmd: the JSON body stays on one line inside double quotes
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d "{ \"isLive\" : true, \"queryString\" : \"css\" }"
# Windows PowerShell: a trailing backtick continues the command on the next line
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{
    \"isLive\" : true,
    \"queryString\" : \"css\"
}
' `
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use LWP;

# Replace the TOKEN, $YOUR_LOGSCALE_URL and $REPOSITORY_NAME placeholders.
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{
    "isLive" : true,
    "queryString" : "css"
}
';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
# A live search never completes, so print each chunk as it arrives
# instead of waiting for the whole response body.
$| = 1;
my $result = $lwp->request( $req, sub { print $_[0] } );
print $result->status_line, "\n";
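#! /usr/local/bin/python3
import requests

# Replace the $YOUR_LOGSCALE_URL, $REPOSITORY_NAME and $TOKEN placeholders.
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
    "isLive" : true,
    "queryString" : "css"
}
'''
# stream=True returns as soon as the headers arrive; without it the call
# would wait for a live search response that never completes.
resp = requests.post(url,
    data = mydata,
    headers = {
        "Authorization" : "Bearer $TOKEN",
        "Content-Type" : "application/json"
    },
    stream = True
)
# Print each result line as the server sends it.
for line in resp.iter_lines():
    print(line.decode("utf-8", "replace"))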
const https = require('https');

const data = JSON.stringify({
  queryString: 'css',
  isLive: true,
});

// Replace the $YOUR_LOGSCALE_URL and $REPOSITORY_NAME placeholders.
const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: '/api/v1/repositories/$REPOSITORY_NAME/query',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  console.log(`statusCode: ${res.statusCode}`);
  // A live search never completes, so write each chunk as it arrives.
  res.on('data', (d) => {
    process.stdout.write(d);
  });
  res.on('end', () => {
    console.log('live search closed by server');
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Results that match the filter are returned immediately, but the HTTP connection is not closed. Any additional results are returned as they are ingested:
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/book-open.svg HTTP/1.1" 200 339
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/logo-white.svg HTTP/1.1" 200 2275
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/slack.svg HTTP/1.1" 200 999
127.0.0.1 - - [10/Mar/2023:09:43:42 +0000] "GET /theme-home.css HTTP/1.1" 200 70699
...
192.168.1.18 - - [11/Mar/2023:17:06:04 +0000] "GET /css-images/slack.svg HTTP/1.1" 200 999
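Because a live search can be terminated at any time, and a reopened request first returns every matching record again, a client that needs continuous results has to reconnect and skip lines it has already handled. The following is an added example, not code from the LogScale documentation; the function names, the environment variable names and the deduplication by line digest are assumptions for illustration.

```python
import hashlib
import http.client
import json
import os
import time
import urllib.request

def open_live_stream(base_url, repo, token, query):
    """Open a live search and yield result lines until the request ends."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/repositories/{repo}/query",
        data=json.dumps({"isLive": True, "queryString": query}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        for raw in resp:
            yield raw.decode("utf-8", "replace").rstrip("\r\n")

def follow(open_stream, handle, max_reconnects=5, backoff=1.0, sleep=time.sleep):
    """Consume a live search, reopening it whenever it is terminated.

    Each reopen replays all matching records, so lines already handled are
    skipped by digest. Assumption: two byte-identical lines are one event.
    Returns the number of distinct lines passed to handle().
    """
    seen = set()  # grows with the result set; bound it for long-running use
    for attempt in range(max_reconnects + 1):
        try:
            for line in open_stream():
                digest = hashlib.sha256(line.encode()).digest()
                if line and digest not in seen:
                    seen.add(digest)
                    handle(line)
        except (OSError, http.client.HTTPException) as exc:
            # Dropped connections and truncated chunked bodies land here.
            print(f"live search interrupted: {exc!r}")
        if attempt < max_reconnects:
            sleep(backoff * 2 ** attempt)  # exponential backoff before reopening
    return len(seen)

if __name__ == "__main__":
    # Hypothetical variable names; the token is read from the environment
    # rather than written into the script.
    env = os.environ
    follow(lambda: open_live_stream(env["LOGSCALE_URL"], env["LOGSCALE_REPO"],
                                    env["LOGSCALE_TOKEN"], "css"), print)
```
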