Pagination of Results

Search results can be obtained 'around' a specific event ID from a result set using the around parameter. This is a sub-structure to the main QueryInput JSON structure when making a request.

Table:

FieldTypeRequired?DefaultDescription
eventIdstringYes  The ID of the event to use as the reference point
numberOfEventsAfterintegerYes  Number of events to show after the eventId
numberOfEventsBeforeintegerYes  Number of events to show before the eventId
timestampintegerYes  The timestamp to use as the reference for pagination.

Querying using this method is a two-stage process; first find a reference ID of the query around which you want to view matching events, then search again specifying the number of events before and after that reference event.

For example:

Raw
json
{
   "start" : "1year",
   "queryString" : "css"
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "{
   \"start\" : \"1year\",
   \"queryString\" : \"css\"
}
"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json"
Windows Cmd and curl
cmd
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs ^
    -H "Accept: application/x-ndjson" ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "{ ^
   \"queryString\" : \"css\", ^
   \"start\" : \"1year\" ^
} ^
" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Accept: application/x-ndjson"
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "{
   \"start\" : \"1year\",
   \"queryString\" : \"css\"
}
"
}'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs';
my $json = '{"query" : "{
   \"queryString\" : \"css\",
   \"start\" : \"1year\"
}
"
}';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs'
mydata = r'''{"query" : "{
   \"queryString\" : \"css\",
   \"start\" : \"1year\"
}
"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Accept" : "application/x-ndjson",
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "{
   \"queryString\" : \"css\",
   \"start\" : \"1year\"
}
"
}
);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

The query will return matching results with each event containing a unique ID:

@timestamp#humioBackfill#repo#type@host@id@ingesttimestamp@source@timestamp.nanos@timezone
2023-03-07T15:09:420weblogkvML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_1_16782017822023-08-08T08:31:23/var/log/apache2/access_log0Z
2023-03-07T15:09:430weblogkvML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_3_16782017832023-08-08T08:31:23/var/log/apache2/access_log0Z
2023-03-09T14:16:560weblogkvML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_15_16783714162023-08-08T08:31:23/var/log/apache2/access_log0Z
2023-03-09T14:16:590weblogkvML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_22_16783714192023-08-08T08:31:23/var/log/apache2/access_log0Z
2023-03-09T14:16:590weblogkvML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_23_16783714192023-08-08T08:31:23/var/log/apache2/access_log0Z

Then, identify the ID (in the @id field of the response) of the original event to use as the original query, and the timespan that must be provided along with the around object that defines the scope, in this case 100 events before and after the reference event.

Raw
json
{
   "around" : {
      "numberOfEventsAfter" : 100,
      "numberOfEventsBefore" : 100,
      "timestamp" : 1678371419000,
      "eventId" : "XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419"
   },
   "queryString" : "css",
   "start" : "1year"
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "{
   \"around\" : {
      \"numberOfEventsAfter\" : 100,
      \"numberOfEventsBefore\" : 100,
      \"timestamp\" : 1678371419000,
      \"eventId\" : \"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419\"
   },
   \"queryString\" : \"css\",
   \"start\" : \"1year\"
}
"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json"
Windows Cmd and curl
cmd
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs ^
    -H "Accept: application/x-ndjson" ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "{ ^
   \"start\" : \"1year\", ^
   \"queryString\" : \"css\", ^
   \"around\" : { ^
      \"numberOfEventsAfter\" : 100, ^
      \"timestamp\" : 1678371419000, ^
      \"numberOfEventsBefore\" : 100, ^
      \"eventId\" : \"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419\" ^
   } ^
} ^
" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Accept: application/x-ndjson"
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "{
   \"start\" : \"1year\",
   \"queryString\" : \"css\",
   \"around\" : {
      \"eventId\" : \"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419\",
      \"numberOfEventsAfter\" : 100,
      \"timestamp\" : 1678371419000,
      \"numberOfEventsBefore\" : 100
   }
}
"
}'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs';
my $json = '{"query" : "{
   \"start\" : \"1year\",
   \"queryString\" : \"css\",
   \"around\" : {
      \"eventId\" : \"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419\",
      \"numberOfEventsBefore\" : 100,
      \"timestamp\" : 1678371419000,
      \"numberOfEventsAfter\" : 100
   }
}
"
}';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs'
mydata = r'''{"query" : "{
   \"queryString\" : \"css\",
   \"start\" : \"1year\",
   \"around\" : {
      \"eventId\" : \"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419\",
      \"numberOfEventsAfter\" : 100,
      \"timestamp\" : 1678371419000,
      \"numberOfEventsBefore\" : 100
   }
}
"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Accept" : "application/x-ndjson",
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "{
   \"start\" : \"1year\",
   \"queryString\" : \"css\",
   \"around\" : {
      \"numberOfEventsBefore\" : 100,
      \"timestamp\" : 1678371419000,
      \"numberOfEventsAfter\" : 100,
      \"eventId\" : \"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419\"
   }
}
"
}
);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/queryjobs',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

This will return the events around the reference event:

@timestamp#repo#type@error@error_msg@error_msg[0]@error_msg[1]@host@id@ingesttimestamp@source@sourcetype
2024-01-11T11:54:21weblogcustomjsontrueCould not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON | No timestamp found in field "@rawstring".Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSONNo timestamp found in field "@rawstring". Ea5aqq0vOp3l2NPzpqCWfQSK_0_0_17049740612024-01-11T11:54:21 apache/http-server:apache_access
2023-10-19T09:51:33weblogaccesslogtrueThe event was filtered out by the parser. The original input is available in the `@rawstring` field of this event.The event was filtered out by the parser. The original input is available in the `@rawstring` field of this event. ML-C02FL14GMD6V0kY6kpTPP9kbGiYSUWP5mMhg_0_22_16977090932023-10-19T09:51:33/var/log/apache2/public-access_log 
2023-03-07T15:09:43weblogkv    ML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_3_16782017832023-08-08T08:31:23/var/log/apache2/access_log 
2023-03-07T15:09:42weblogkv    ML-C02FL14GMD6VXPcjXSqXywOthZV25sOB1hqZ_0_1_16782017822023-08-08T08:31:23/var/log/apache2/access_log 

The around query functionality is also used via the UI (see Searching Data).