Simple Search Request
Important
Running Query Jobs is the recommended method for running queries. The simple search request can be useful for short, tightly bound queries where the timespan and returned dataset are small. For longer running queries, especially when accessing data that may be stored in bucket storage or requires complex aggregate calculations, query jobs are the better approach.
To start a query, POST the query:
Description | Submit a search query | ||
Method | POST /api/v1/repositories/ | ||
Request Data | QueryJobInput | ||
Response Data | QueryResponse | ||
Authentication Required | yes | ||
Path Arguments | Description | Data type | Required? |
repo | Name of repository to be searched | string | required |
Return Codes | |||
200 | Request complete | ||
400 | Request is malformed and either missing critical fields or the JSON is badly structured | ||
500 | Request failed |
When using the endpoint, you must have a suitable access token for the data, either a repository token or a personal token, that has read access for the corresponding repository. See Tokens in LogScale.
The JSON request body supports the following attributes:
Table: QueryInput JSON Object Fields
Field | Type | Required? | Default | Description |
---|---|---|---|---|
allowEventSkipping | boolean | | false | If set to true, allowEventSkipping enables some LogScale functions, such as head() and tail(), to stop processing all data in the selected timeframe and exit the query early, if more data would no longer change the result of the query. The recommended setting for the value is true, as this can improve performance of the query in some cases. However, please note that some metadata may no longer have the same semantics as before - for example, events visited will no longer represent all matching events, but instead just the events visited for the query to finish. |
arguments | | | | Dictionary of arguments specified in queries with ?param or ?{param=defaultValue} syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly as in ?query(param=value) then that value overrides values provided here. |
end | relative-time | | | The end date and time. This parameter tells LogScale not to return results from after this date and time. See Search API Time Specification. |
ingestEnd | relative-time | | | Specifies the end time based on when the data was ingested. |
ingestStart | relative-time | | | Specifies the start time based on when the data was ingested. |
isLive | boolean | | false | Sets whether this query is live. Defaults to false. Live queries are continuously updated. |
languageVersion | string | | | The version of the query language to use. |
queryString | string | Yes | | The actual query. See Query Language Syntax for details. Note that defineTable() is not supported here. Instead, /queryjobs is the recommended endpoint for queries containing defineTable(). |
timeZoneOffsetMinutes | integer | | | Set the time zone offset used for bucket() and timeChart() time slices, which is significant if the corresponding span is multiples of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for UTC+01:00 timezone the value 60 should be passed. |
For example, to execute a basic query from the command line:
Request body:

```json
{
  "queryString" : "css|head(5)"
}
```

Mac OS or Linux (curl):

```shell
curl -v -X POST "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
  "queryString" : "css|head(5)"
}
EOF
```
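
Windows Cmd and curl:

```bat
REM Replace $YOUR_LOGSCALE_URL, $REPOSITORY_NAME and $TOKEN with your own values.
REM cmd.exe sees the pipe as outside the quotes, so it is escaped as ^|.
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d "{\"queryString\" : \"css^|head(5)\"}"
```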
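
Windows PowerShell and curl:

```powershell
# Set $TOKEN, $YOUR_LOGSCALE_URL and $REPOSITORY_NAME before running.
# Windows PowerShell 5.1 needs embedded double quotes escaped as \" for native executables.
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{ \"queryString\" : \"css|head(5)\" }' `
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
```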

Perl:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# Replace the placeholders with your LogScale host, repository and token.
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{
  "queryString" : "css|head(5)"
}
';
my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content($json);
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request($req);
# Print the response body (raw text by default)
print $result->decoded_content, "\n";
```

Python:

```python
#! /usr/local/bin/python3
import requests

# Replace the placeholders with your LogScale host, repository and token.
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
  "queryString" : "css|head(5)"
}
'''
resp = requests.post(url,
                     data=mydata,
                     headers={
                         "Authorization": "Bearer $TOKEN",
                         "Content-Type": "application/json"
                     },
                     timeout=30)
# Results are returned as raw text by default
print(resp.text)
```

Node.js:

```javascript
const https = require('https');

const data = JSON.stringify({
  queryString: 'css|head(5)',
});
const options = {
  // Host name only, without the https:// scheme
  hostname: process.env.YOUR_LOGSCALE_URL,
  path: `/api/v1/repositories/${encodeURIComponent(process.env.REPOSITORY_NAME)}/query`,
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};
const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);
  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    // Results are returned as raw text by default, so print them as-is
    console.log(body);
  });
});
req.on('error', (error) => {
  console.error(error);
});
req.write(data);
req.end();
```

Example output:

```
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/cpu.svg HTTP/1.1" 200 667
192.168.1.18 - - [09/Mar/2023:17:06:04 +0000] "GET /css-images/database.svg HTTP/1.1" 200 372
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/trello.svg HTTP/1.1" 200 373
127.0.0.1 - - [10/Mar/2023:09:43:45 +0000] "GET /css-images/box.svg HTTP/1.1" 200 462
```

The results are sent back by default as raw text, i.e. not embedded in a JSON or other structure.
The connection will be closed once the results have been returned, and the returned data will match the supplied query at the time of execution.
Triggering Direct Download of the Results
If you use this API from a browser application, you may want to trigger direct download. You can achieve this by adding the HTTP header X-Desired-Filename to the request. That will result in the response having the header Content-Disposition with the value attachment; filename="DESIRED_FILE_NAME".
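
The request described on this page, built in Python as an added example (not LogScale's own code): caller-supplied values travel in the arguments dictionary and are referenced as ?param instead of being concatenated into queryString, and the X-Desired-Filename value is allow-listed before it is sent. The host, repository, token, the `method` field name and the filename pattern are assumptions made for the illustration.

```python
import json
import re
import urllib.parse
import urllib.request

def build_search_request(base_url, repo, token, query_string,
                         arguments=None, desired_filename=None, **options):
    """Return an unsent POST request for /api/v1/repositories/<repo>/query."""
    # Conservative text check: defineTable() needs the /queryjobs endpoint.
    if "definetable(" in query_string.lower().replace(" ", ""):
        raise ValueError("defineTable() is not supported here; use /queryjobs")
    arguments = arguments or {}
    # The API accepts only a simple dictionary of string values.
    for name, value in arguments.items():
        if not isinstance(name, str) or not isinstance(value, str):
            raise TypeError(f"argument {name!r} must map a string to a string")
    body = {"queryString": query_string, **options}
    if arguments:
        body["arguments"] = arguments
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if desired_filename is not None:
        # Allow-list (an assumption of this example): the name is echoed
        # back in the Content-Disposition response header.
        if not re.fullmatch(r"[A-Za-z0-9._-]{1,128}", desired_filename):
            raise ValueError("unsafe X-Desired-Filename value")
        headers["X-Desired-Filename"] = desired_filename
    # Percent-encode the repository so it cannot change the request path.
    url = (f"{base_url.rstrip('/')}/api/v1/repositories/"
           f"{urllib.parse.quote(repo, safe='')}/query")
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")

def run_search(request, timeout=30):
    """Send the request; results come back as raw text by default."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample: host, repository and token are placeholders, `method`
# is a hypothetical field name, and the argument value (with quote and pipe
# characters) stands in for untrusted input that is kept out of queryString.
SAMPLE = build_search_request(
    "https://logscale.example.com", "weblogs", "PLACEHOLDER_TOKEN",
    "css | method = ?method | head(5)",
    arguments={"method": 'GET" | count()'},
    desired_filename="results.txt", allowEventSkipping=True)
```

Pass the returned request to `run_search()` to send it; extra keyword arguments such as `isLive` or `end` are copied into the JSON body unchanged.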