Live Search Request

A live search request is similar to the simple search request. The difference is that a live search request does not complete. Instead, the search returns all the matching records to the client, and then keeps the HTTP request open. As new data is ingested into the repository, matching results are immediately sent to the client.

Important

Live searches can be terminated at any time, and do not work with aggregate functions and operators. For more information on the operation of Live Queries, see Live Search Operation. This may mean that a live query fails, or 'times out' during execution and results may fail to be returned without a clear indication of the reason. Using the Query Job API may lead to a more reliable and reproducible result set. For more information, see Running Query Jobs.

To execute a live search request, add the isLive parameter to the request object with the value true. For example:

Show:

json

{
   "isLive" : true,
   "queryString" : "css"
}

shell

curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "isLive" : true,
   "queryString" : "css"
}

EOF

shell

curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   \"queryString\" : \"css\",
   \"isLive\" : true
}

EOF

shell

curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{ ^
   \"queryString\" : \"css\", ^
   \"isLive\" : true ^
} ^
 '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{
   \"isLive\" : true,
   \"queryString\" : \"css\"
}
'
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

my $json = '{
   \"queryString\" : \"css\",
   \"isLive\" : true
}
';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
   "isLive" : true,
   "queryString" : "css"
}
'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {
   \"queryString\" : \"css\",
   \"isLive\" : true
}

);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

The results match the filter will be returned instantly, but the HTTP connection will not be closed. Any additional results will be returned as they are ingested:

accesslog

192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/book-open.svg HTTP/1.1" 200 339
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/logo-white.svg HTTP/1.1" 200 2275
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/slack.svg HTTP/1.1" 200 999
127.0.0.1 - - [10/Mar/2023:09:43:42 +0000] "GET /theme-home.css HTTP/1.1" 200 70699
...
192.168.1.18 - - [11/Mar/2023:17:06:04 +0000] "GET /css-images/slack.svg HTTP/1.1" 200 999

APIs

API Authentication

Cluster Management API

Health Check API

Ingest API

Lookup API

Redact Events API

Search API

Packages API

Software Libraries

Live Search Request

Important

Enter search term