Search Response Format

Falcon LogScale returns data in different formats depending on the media type you set in the ACCEPT header of the HTTP request.

Data can be returned in the following formats:

| Media Type | Description |
| --- | --- |
| text/plain (default) | Returns events delimited by newlines. If the event has a rawstring field, then LogScale prints it as the event. If it does not, then LogScale prints all fields on the event in the format a->hello, b->world. Note that the event can contain newlines. Nothing is escaped. |
| application/json | Returns events in a standard JSON array. All field values in each event are returned as JSON strings, except for @timestamp. The @timestamp field is returned as a long integer, representing time as Unix time in milliseconds (UTC/Zulu time). Newlines inside the JSON data are escaped as \n. |
| application/x-ndjson | Returns events as Newline Delimited JSON (NDJSON). This format supports streaming JSON data. Data is returned with one event per line. Newlines inside the JSON data are escaped as \n. |

The following sections provide examples of the same result set in each format.

Plain Format Results

The plain text format by default returns the @rawstring of the data.

127.0.0.1 - - [07/Mar/2023:15:09:42 +0000] "GET /falcon-logscale/css-images/176f8f5bd5f02b3abfcf894955d7e919.woff2 HTTP/1.1" 200 15736 "http://localhost:81/falcon-logscale/theme.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
127.0.0.1 - - [07/Mar/2023:15:09:43 +0000] "GET /falcon-logscale/css-images/alert-octagon.svg HTTP/1.1" 200 416 "http://localhost:81/falcon-logscale/theme.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
127.0.0.1 - - [09/Mar/2023:14:16:56 +0000] "GET /theme-home.css HTTP/1.1" 200 70699 "http://localhost:81/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
127.0.0.1 - - [09/Mar/2023:14:16:59 +0000] "GET /css-images/help-circle-white.svg HTTP/1.1" 200 358 "http://localhost:81/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
127.0.0.1 - - [09/Mar/2023:14:16:59 +0000] "GET /css-images/logo-white.svg HTTP/1.1" 200 2275 "http://localhost:81/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"

JSON Format Results

In the JSON format, the parsed fields are returned in full as a JSON array, with a JSON object for each matching row or event in the result set.

The example below has been formatted for clarity.

[
   {
      "#humioBackfill" : "0",
      "#repo" : "weblog",
      "#type" : "kv",
      "@host" : "ML-C02FL14GMD6V",
      "@id" : "XPcjXSqXywOthZV25sOB1hqZ_0_1_1678201782",
      "@ingesttimestamp" : "1691483483696",
      "@rawstring" : "127.0.0.1 - - [07/Mar/2023:15:09:42 +0000] \"GET /falcon-logscale/css-images/176f8f5bd5f02b3abfcf894955d7e919.woff2 HTTP/1.1\" 200 15736 \"http://localhost:81/falcon-logscale/theme.css\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\"",
      "@source" : "/var/log/apache2/access_log",
      "@timestamp" : 1678201782000,
      "@timestamp.nanos" : "0",
      "@timezone" : "Z"
   },
   {
      "#humioBackfill" : "0",
      "#repo" : "weblog",
      "#type" : "kv",
      "@host" : "ML-C02FL14GMD6V",
      "@id" : "XPcjXSqXywOthZV25sOB1hqZ_0_3_1678201783",
      "@ingesttimestamp" : "1691483483696",
      "@rawstring" : "127.0.0.1 - - [07/Mar/2023:15:09:43 +0000] \"GET /falcon-logscale/css-images/alert-octagon.svg HTTP/1.1\" 200 416 \"http://localhost:81/falcon-logscale/theme.css\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\"",
      "@source" : "/var/log/apache2/access_log",
      "@timestamp" : 1678201783000,
      "@timestamp.nanos" : "0",
      "@timezone" : "Z"
   },
   {
      "#humioBackfill" : "0",
      "#repo" : "weblog",
      "#type" : "kv",
      "@host" : "ML-C02FL14GMD6V",
      "@id" : "XPcjXSqXywOthZV25sOB1hqZ_0_15_1678371416",
      "@ingesttimestamp" : "1691483483696",
      "@rawstring" : "127.0.0.1 - - [09/Mar/2023:14:16:56 +0000] \"GET /theme-home.css HTTP/1.1\" 200 70699 \"http://localhost:81/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\"",
      "@source" : "/var/log/apache2/access_log",
      "@timestamp" : 1678371416000,
      "@timestamp.nanos" : "0",
      "@timezone" : "Z"
   },
   {
      "#humioBackfill" : "0",
      "#repo" : "weblog",
      "#type" : "kv",
      "@host" : "ML-C02FL14GMD6V",
      "@id" : "XPcjXSqXywOthZV25sOB1hqZ_0_22_1678371419",
      "@ingesttimestamp" : "1691483483696",
      "@rawstring" : "127.0.0.1 - - [09/Mar/2023:14:16:59 +0000] \"GET /css-images/help-circle-white.svg HTTP/1.1\" 200 358 \"http://localhost:81/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\"",
      "@source" : "/var/log/apache2/access_log",
      "@timestamp" : 1678371419000,
      "@timestamp.nanos" : "0",
      "@timezone" : "Z"
   },
   {
      "#humioBackfill" : "0",
      "#repo" : "weblog",
      "#type" : "kv",
      "@host" : "ML-C02FL14GMD6V",
      "@id" : "XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419",
      "@ingesttimestamp" : "1691483483696",
      "@rawstring" : "127.0.0.1 - - [09/Mar/2023:14:16:59 +0000] \"GET /css-images/logo-white.svg HTTP/1.1\" 200 2275 \"http://localhost:81/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\"",
      "@source" : "/var/log/apache2/access_log",
      "@timestamp" : 1678371419000,
      "@timestamp.nanos" : "0",
      "@timezone" : "Z"
   }
]

NDJSON Format Results

The NDJSON format returns the full parsed event data for each event, but each event is contained within a single line of JSON. This allows new events to be returned during a live search as a single, parseable line.

The raw output is shown below:

{"#type":"kv","#repo":"weblog","#humioBackfill":"0","@source":"/var/log/apache2/access_log","@timestamp.nanos":"0","@rawstring":"127.0.0.1 - - [07/Mar/2023:15:09:42 +0000] \"GET /falcon-logscale/css-images/176f8f5bd5f02b3abfcf894955d7e919.woff2 HTTP/1.1\" 200 15736 \"http://localhost:81/falcon-logscale/theme.css\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\"","@id":"XPcjXSqXywOthZV25sOB1hqZ_0_1_1678201782","@timestamp":1678201782000,"@ingesttimestamp":"1691483483696","@host":"ML-C02FL14GMD6V","@timezone":"Z"}
{"#type":"kv","#repo":"weblog","#humioBackfill":"0","@source":"/var/log/apache2/access_log","@timestamp.nanos":"0","@rawstring":"127.0.0.1 - - [07/Mar/2023:15:09:43 +0000] \"GET /falcon-logscale/css-images/alert-octagon.svg HTTP/1.1\" 200 416 \"http://localhost:81/falcon-logscale/theme.css\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\"","@id":"XPcjXSqXywOthZV25sOB1hqZ_0_3_1678201783","@timestamp":1678201783000,"@ingesttimestamp":"1691483483696","@host":"ML-C02FL14GMD6V","@timezone":"Z"}
{"#type":"kv","#repo":"weblog","#humioBackfill":"0","@source":"/var/log/apache2/access_log","@timestamp.nanos":"0","@rawstring":"127.0.0.1 - - [09/Mar/2023:14:16:56 +0000] \"GET /theme-home.css HTTP/1.1\" 200 70699 \"http://localhost:81/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\"","@id":"XPcjXSqXywOthZV25sOB1hqZ_0_15_1678371416","@timestamp":1678371416000,"@ingesttimestamp":"1691483483696","@host":"ML-C02FL14GMD6V","@timezone":"Z"}
{"#type":"kv","#repo":"weblog","#humioBackfill":"0","@source":"/var/log/apache2/access_log","@timestamp.nanos":"0","@rawstring":"127.0.0.1 - - [09/Mar/2023:14:16:59 +0000] \"GET /css-images/help-circle-white.svg HTTP/1.1\" 200 358 \"http://localhost:81/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\"","@id":"XPcjXSqXywOthZV25sOB1hqZ_0_22_1678371419","@timestamp":1678371419000,"@ingesttimestamp":"1691483483696","@host":"ML-C02FL14GMD6V","@timezone":"Z"}
{"#type":"kv","#repo":"weblog","#humioBackfill":"0","@source":"/var/log/apache2/access_log","@timestamp.nanos":"0","@rawstring":"127.0.0.1 - - [09/Mar/2023:14:16:59 +0000] \"GET /css-images/logo-white.svg HTTP/1.1\" 200 2275 \"http://localhost:81/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\"","@id":"XPcjXSqXywOthZV25sOB1hqZ_0_23_1678371419","@timestamp":1678371419000,"@ingesttimestamp":"1691483483696","@host":"ML-C02FL14GMD6V","@timezone":"Z"}

A single NDJSON line is just JSON, which, when formatted, looks like this:

{
   "#humioBackfill" : "0",
   "#repo" : "weblog",
   "#type" : "kv",
   "@host" : "ML-C02FL14GMD6V",
   "@id" : "XPcjXSqXywOthZV25sOB1hqZ_0_1_1678201782",
   "@ingesttimestamp" : "1691483483696",
   "@rawstring" : "127.0.0.1 - - [07/Mar/2023:15:09:42 +0000] \"GET /falcon-logscale/css-images/176f8f5bd5f02b3abfcf894955d7e919.woff2 HTTP/1.1\" 200 15736 \"http://localhost:81/falcon-logscale/theme.css\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36\"",
   "@source" : "/var/log/apache2/access_log",
   "@timestamp" : 1678201782000,
   "@timestamp.nanos" : "0",
   "@timezone" : "Z"
}
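
Because text/plain escapes nothing and an event can contain newlines, event boundaries in that format are ambiguous, while NDJSON keeps one event per line. The following added example (not LogScale's own code) simulates both response bodies from constructed sample events, following the format descriptions above, and parses the NDJSON body with typed timestamps; the function names and sample data are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample events (not real LogScale output). The second @rawstring
# holds a multi-line stack trace, i.e. an event that contains a newline.
EVENTS = [
    {"@timestamp": 1678201782000, "@ingesttimestamp": "1691483483696",
     "@rawstring": '127.0.0.1 - - [07/Mar/2023:15:09:42 +0000] "GET /theme.css HTTP/1.1" 200 416'},
    {"@timestamp": 1678201783000, "@ingesttimestamp": "1691483483696",
     "@rawstring": "java.lang.IllegalStateException: boom\n\tat com.example.App.main(App.java:12)"},
]


def as_plain(events):
    """Simulate a text/plain body: @rawstring per event, newline-delimited, unescaped."""
    return "\n".join(e["@rawstring"] for e in events)


def as_ndjson(events):
    """Simulate an application/x-ndjson body: one JSON object per line."""
    return "\n".join(json.dumps(e) for e in events)


def parse_ndjson(body):
    """Parse an NDJSON body into events with typed timestamps."""
    parsed = []
    # Split on "\n" only: str.splitlines() would also break on characters
    # such as U+2028 that may legally appear unescaped inside JSON strings.
    for line in body.split("\n"):
        if not line.strip():
            continue  # tolerate blank or trailing lines
        event = json.loads(line)
        # @timestamp is a JSON number (Unix ms, UTC); other values are strings.
        event["@timestamp"] = EPOCH + timedelta(milliseconds=event["@timestamp"])
        event["@ingesttimestamp"] = int(event["@ingesttimestamp"])
        parsed.append(event)
    return parsed


if __name__ == "__main__":
    # Two events produce three text/plain lines but exactly two NDJSON records.
    print("text/plain lines:", len(as_plain(EVENTS).split("\n")))
    print("NDJSON events:   ", len(parse_ndjson(as_ndjson(EVENTS))))
```

For pipelines that count, deduplicate or alert per event, consume application/json or application/x-ndjson rather than splitting text/plain output on newlines.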