Query Jobs

The Query Jobs endpoint lets you run a query and access the results of the query later, rather than getting an instant or streamed response.

Executing a query using the Query Jobs API is a two-step process:

  1. Create a Query Job.

    The query job defines the query text and time specification and returns a unique Job ID.

    To create a query job, see Creating a Query Job.

  2. Poll the Query Job to access the results.

    Each time the results of the query need to be generated, send a request using the returned Query Job ID. The query is executed, and the results match the query and time specification at the time the query job was polled.

    To obtain the results, run a poll on the query job using the returned ID. See Polling a Query Job.

The query job remains in operation providing it is polled every 30 seconds. If a standard query job is not polled during this time, the query stops and deletes itself. Live queries remain for an hour before being deleted.

To delete the query job, see Deleting a Query Job.
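
An added example (not LogScale's own code) of the full lifecycle described above: create the job, poll it more often than the 30-second expiry, then delete it. The `/queryjobs` paths and the `id`, `done` and `events` response fields are assumptions not shown on this page, and `run_query_job`, `http_send` and `POLL_INTERVAL` are hypothetical names.

```python
import json
import time
import urllib.request

POLL_INTERVAL = 10  # seconds; must stay under the 30-second expiry described above


def http_send(method, url, token, body=None):
    """Default transport: send one JSON request and return the decoded reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def run_query_job(base_url, repo, token, query, start="1h", end="now",
                  send=http_send, sleep=time.sleep, max_polls=60):
    """Create a query job, poll it until done, then delete it."""
    # Assumed paths: .../queryjobs and .../queryjobs/<id> (not shown on this page).
    jobs = f"{base_url}/api/v1/repositories/{repo}/queryjobs"
    body = {"queryString": query, "start": start, "end": end, "isLive": False}
    job_id = send("POST", jobs, token, body)["id"]
    try:
        for _ in range(max_polls):
            result = send("GET", f"{jobs}/{job_id}", token)
            if result.get("done"):  # assumed response field
                return result.get("events", [])
            sleep(POLL_INTERVAL)
        raise TimeoutError(f"query job {job_id} did not finish")
    finally:
        # Delete explicitly rather than leaving the job to expire on its own.
        send("DELETE", f"{jobs}/{job_id}", token)
```

The `send` and `sleep` parameters exist so the function can be exercised without a LogScale instance; in normal use leave them at their defaults.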

Important

The Query Jobs endpoint supports the standard LogScale UI and operates using similar principles. For example, by default, a query job returns only the first 200 matching events, or up to 1500 rows for queries that include aggregate content. To extend the number of events returned, see Returned Event Count.

Returned Event Count

To return more than the default 200 events, add the tail() function to the submitted query, just as in a query through the UI. No tail() function is added to a query by default.

For example, to execute a query and return 1000 rows each time the job is accessed:

Raw
json
{
   "end" : "now",
   "queryString" : "localhost | tail(1000)",
   "start" : "1h",
   "isLive" : false
}
Mac OS or Linux (curl)
shell
# The request body is the query specification itself, as in the Raw example.
curl -v -X POST "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "isLive" : false,
   "start" : "1h",
   "end" : "now",
   "queryString" : "localhost | tail(1000)"
}
EOF
Mac OS or Linux (curl) One-line
shell
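curl -v -X POST "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"end" : "now", "queryString" : "localhost | tail(1000)", "start" : "1h", "isLive" : false}'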
Windows Cmd and curl
cmd
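REM Replace $YOUR_LOGSCALE_URL, $REPOSITORY_NAME and $TOKEN with your values; cmd does not expand them.
REM The caret before the pipe character in the query stops cmd from treating it as a pipeline.
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d "{\"start\" : \"1h\", \"isLive\" : false, \"queryString\" : \"localhost ^| tail(1000)\", \"end\" : \"now\"}"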
Windows Powershell and curl
powershell
# The single-quoted here-string keeps the JSON literal; curl reads the body from stdin (-d '@-').
$body = @'
{
   "start" : "1h",
   "isLive" : false,
   "queryString" : "localhost | tail(1000)",
   "end" : "now"
}
'@
$body | curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-' `
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Replace the token value and the $YOUR_LOGSCALE_URL and $REPOSITORY_NAME
# placeholders; the single-quoted URL is not interpolated.
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
# The request body is the query specification itself, as in the Raw example.
my $json = '{
   "end" : "now",
   "queryString" : "localhost | tail(1000)",
   "start" : "1h",
   "isLive" : false
}';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
# Print the response body through the public accessor.
print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import requests

# Replace the $YOUR_LOGSCALE_URL, $REPOSITORY_NAME and $TOKEN placeholders;
# Python does not expand them.
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
# The request body is the query specification itself, as in the Raw example.
mydata = r'''{
   "end" : "now",
   "queryString" : "localhost | tail(1000)",
   "start" : "1h",
   "isLive" : false
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

// The request body is the query specification itself, as in the Raw example.
const data = JSON.stringify({
  end: 'now',
  queryString: 'localhost | tail(1000)',
  isLive: false,
  start: '1h',
});

// Replace the $YOUR_LOGSCALE_URL and $REPOSITORY_NAME placeholders.
// hostname takes the host only; the API path goes in path.
const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: '/api/v1/repositories/$REPOSITORY_NAME/query',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    // Print the response body as returned by the server.
    console.log(body);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();