Running Query Jobs

The Query Jobs endpoint lets you run a query and access the results of the query later, rather than getting an instant or streamed response.

To execute a query using the Query Jobs API is a two-step process:

Create a Query Job.
The query job defines the query text and time specification and returns a unique Job ID.
To create a query job, see Creating a Query Job.
Poll the Query Job to access the results
Each time the results of the query need to be generated, send a request using the returned Query Job ID. The query will be executed, with the results matching the query and time specification at the time the query job was polled.
To obtain the results, run a poll on the query Job using the returned ID. See Polling a Query Job.

The query job remains in operation providing it is polled every 30 seconds. If a standard query job is not polled during this time, the query stops and deletes itself. Live queries remain for an hour before being deleted.

To delete the query job, see Deleting a Query Job.

Important

The Query Jobs endpoint supports the standard LogScale UI and operates using similar principles. For example, by default, a query job returns only the first 200 match events or queries including aggregate content up to 1500 rows. To extend the number of events returned, see Returned Event Count.

APIs

API Authentication

Cluster Management API

Health Check API

Ingest API

Lookup API

Redact Events API

Search API

Software Libraries

Running Query Jobs

Important

Enter search term