With relative time, you specify the start and end time as a relative time such as 1minute or 24hours.
Falcon LogScale supports this using relative time modifiers.
LogScale treats the start and end times as relative times if you
specify them as strings.
When providing a timestamp, relative time modifiers are specified
relative to "now".
See the Relative Time Syntax
reference page.
Note
Relative time modifiers are always relative to now.
This method is shown in the following examples:
Search the last 24 hours:
{
"queryString" : "ERROR" ,
"start" : "24hours" ,
"end" : "now"
}
You can also mix relative and absolute time modifiers. For example, to
search from a specified moment in time until two days ago:
{
"queryString" : "loglevel=ERROR" ,
"start" : 1473449370018 ,
"end" : "2days"
}
Advanced time selection is also available using the
Advanced Time Syntax .
Note
Omitted and required arguments: LogScale has defined behavior when you omit time arguments: if you omit the end argument, it gets the default value now; and if you omit the start argument, it gets the default value of 24hours. For live queries, you must either set end to now, or omit it. You must set start to a relative time modifier.
Live Query Streaming All Events
This live query uses an empty query string, which matches all events, over a time
window going 10 seconds back in time.
Notice the Accept header: it tells the server to stream data as
Newline Delimited JSON.
Raw {
"queryString" : "" ,
"isLive" : true ,
"start" : "10s"
}
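# Mac OS or Linux (curl)
# Live query: stream every event from a 10-second window as NDJSON.
#
# -v is left out on purpose: verbose mode echoes the request headers, and
#  that includes the Authorization bearer token, to stderr. Add it back only
#  for interactive debugging, never in scripts whose output is logged.
# -N disables curl's output buffering so streamed events appear as they arrive.
# The token is passed as a command-line argument, which other local users may
#  be able to see in the process list; on shared hosts curl can read headers
#  from a file instead (-H @FILE).
# The quoted 'EOF' delimiter stops the shell from expanding anything inside
#  the JSON body.
curl -N -X POST "https://${YOUR_LOGSCALE_URL}/api/v1/repositories/${REPOSITORY_NAME}/query" \
  -H "Accept: application/x-ndjson" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{
  "queryString" : "",
  "isLive" : true,
  "start" : "10s"
}
EOF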
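# Mac OS or Linux (curl) One-line
# The body is single-quoted, so the JSON needs no backslash escaping. The
# earlier heredoc form kept every \" literally and sent invalid JSON.
# -v is omitted because verbose mode prints the Authorization header to stderr.
curl -N -X POST "https://${YOUR_LOGSCALE_URL}/api/v1/repositories/${REPOSITORY_NAME}/query" -H "Accept: application/x-ndjson" -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d '{"queryString":"","isLive":true,"start":"10s"}'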
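rem Windows Cmd and curl
rem cmd.exe expands %NAME% (not $NAME) and treats single quotes as ordinary
rem characters, so the JSON body is double-quoted with its inner quotes escaped.
rem A leading @ after -d would make curl read the body from a file, so it is dropped.
rem -v is omitted because verbose mode prints the Authorization header to stderr.
curl -N -X POST "https://%YOUR_LOGSCALE_URL%/api/v1/repositories/%REPOSITORY_NAME%/query" ^
  -H "Accept: application/x-ndjson" ^
  -H "Authorization: Bearer %TOKEN%" ^
  -H "Content-Type: application/json" ^
  -d "{\"queryString\":\"\",\"isLive\":true,\"start\":\"10s\"}"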
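# Windows Powershell and curl
# The JSON body is piped to curl.exe on stdin (-d '@-'). Whether backslash-
# escaped quotes survive the hand-off to a native program depends on the
# PowerShell version; sending the body on stdin avoids that question.
# Each continued line ends with a backtick. The stray spaces that had crept
# into the bearer header and the URL are removed.
$body = '{ "start" : "10s", "queryString" : "", "isLive" : true }'
$body | curl.exe -N -X POST `
  -H "Accept: application/x-ndjson" `
  -H "Authorization: Bearer $TOKEN" `
  -H "Content-Type: application/json" `
  -d '@-' `
  "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"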
Perl
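use strict;
use warnings;
use HTTP::Request;
use LWP;

# Live query: stream every event from a 10-second window as NDJSON.

# The API token comes from the environment rather than the source file, so it
# does not end up in version control. The earlier version declared
# $INGEST_TOKEN but interpolated the undeclared $TOKEN, so the Authorization
# header carried no token at all.
my $TOKEN = $ENV{TOKEN};
die "Set the TOKEN environment variable to a LogScale API token\n"
    unless defined $TOKEN && length $TOKEN;

# Replace $YOUR_LOGSCALE_URL and $REPOSITORY_NAME with your own values; the
# single quotes keep them as literal placeholder text.
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

# A single-quoted heredoc holds plain JSON. Inside Perl single quotes \" is
# NOT an escape, so the earlier body was sent with literal backslashes.
my $json = <<'JSON';
{
  "isLive" : true,
  "queryString" : "",
  "start" : "10s"
}
JSON

my $req = HTTP::Request->new( 'POST', $uri );
$req->header( 'Accept'        => 'application/x-ndjson' );
$req->header( 'Authorization' => "Bearer $TOKEN" );
$req->header( 'Content-Type'  => 'application/json' );
$req->content($json);

my $lwp = LWP::UserAgent->new;

# A live query keeps the connection open, so print each chunk as it arrives
# instead of waiting for a complete response body.
$| = 1;
my $result = $lwp->request( $req, sub { my ($chunk) = @_; print $chunk; } );

# Use the public HTTP::Response API rather than reaching into the object hash.
die 'LogScale query failed: ' . $result->status_line . "\n"
    unless $result->is_success;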
Python
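import os

import requests

# Live query: stream every event from a 10-second window as NDJSON.

# The API token is read from the environment (KeyError if unset) so it is not
# stored in the source file. A literal "Bearer $TOKEN" string is never
# expanded by Python.
token = os.environ["TOKEN"]

# Replace $YOUR_LOGSCALE_URL and $REPOSITORY_NAME with your own values.
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
"start" : "10s",
"isLive" : true,
"queryString" : ""
}
'''
request_headers = {
    "Accept": "application/x-ndjson",
    "Authorization": "Bearer " + token,
    "Content-Type": "application/json",
}

# stream=True: a live query keeps the connection open, so resp.text would
# block until the server closes it. The timeout bounds the connect phase
# only; reads stay unbounded because events arrive for as long as the query runs.
with requests.post(url, data=mydata, headers=request_headers,
                   stream=True, timeout=(10, None)) as resp:
    resp.raise_for_status()
    for line in resp.iter_lines():
        if line:
            print(line.decode("utf-8"))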
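// Node.js
// Live query: stream every event from a 10-second window as NDJSON.
const https = require('https');

// Fail early instead of sending "Bearer undefined".
if (!process.env.TOKEN) {
  throw new Error('Set the TOKEN environment variable to a LogScale API token');
}

// A plain object literal; backslash-escaped quotes are a syntax error here.
const data = JSON.stringify({
  start: '10s',
  isLive: true,
  queryString: '',
});

const options = {
  // hostname takes the bare host name only (no scheme, no path). Replace the
  // $YOUR_LOGSCALE_URL and $REPOSITORY_NAME placeholders with your own values.
  hostname: '$YOUR_LOGSCALE_URL',
  path: '/api/v1/repositories/$REPOSITORY_NAME/query',
  port: 443,
  method: 'POST',
  headers: {
    Accept: 'application/x-ndjson',
    'Content-Type': 'application/json',
    // Byte length, not character count, is what Content-Length must carry.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  const ok = res.statusCode >= 200 && res.statusCode < 300;
  console.log(`statusCode: ${res.statusCode}`);
  res.setEncoding('utf8');

  // NDJSON carries one JSON document per line; keep the trailing partial line
  // until the rest of it arrives.
  let pending = '';
  const emit = (line) => {
    if (line.trim() === '') return;
    // Error bodies are not guaranteed to be JSON, so print them as received.
    if (ok) {
      console.log(JSON.parse(line));
    } else {
      console.error(line);
    }
  };

  res.on('data', (chunk) => {
    pending += chunk;
    const lines = pending.split('\n');
    pending = lines.pop();
    lines.forEach(emit);
  });
  res.on('end', () => {
    emit(pending);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();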
Aggregate Query Returning Standard JSON
This query groups results by service and counts the number of events for
each service. The query blocks until it is complete and returns events
as a JSON array:
Raw {
"queryString" : "count()" ,
"isLive" : false ,
"start" : "1h" ,
"end" : "now"
}
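# Mac OS or Linux (curl)
# Aggregate query: blocks until complete and returns the result as one JSON array.
#
# Accept is application/json to match the JSON-array response this section
#  describes; application/x-ndjson asks for newline-delimited output instead.
# -v is left out on purpose: verbose mode echoes the request headers, and
#  that includes the Authorization bearer token, to stderr.
# The quoted 'EOF' delimiter stops the shell from expanding anything inside
#  the JSON body.
curl -X POST "https://${YOUR_LOGSCALE_URL}/api/v1/repositories/${REPOSITORY_NAME}/query" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{
  "start" : "1h",
  "end" : "now",
  "isLive" : false,
  "queryString" : "count()"
}
EOF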
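# Mac OS or Linux (curl) One-line
# The body is single-quoted, so the JSON needs no backslash escaping. The
# earlier heredoc form kept every \" literally and sent invalid JSON.
# Accept is application/json to match the JSON-array response this section describes.
# -v is omitted because verbose mode prints the Authorization header to stderr.
curl -X POST "https://${YOUR_LOGSCALE_URL}/api/v1/repositories/${REPOSITORY_NAME}/query" -H "Accept: application/json" -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d '{"start":"1h","end":"now","queryString":"count()","isLive":false}'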
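rem Windows Cmd and curl
rem cmd.exe expands %NAME% (not $NAME) and treats single quotes as ordinary
rem characters, so the JSON body is double-quoted with its inner quotes escaped.
rem A leading @ after -d would make curl read the body from a file, so it is dropped.
rem Accept is application/json to match the JSON-array response this section describes.
rem -v is omitted because verbose mode prints the Authorization header to stderr.
curl -X POST "https://%YOUR_LOGSCALE_URL%/api/v1/repositories/%REPOSITORY_NAME%/query" ^
  -H "Accept: application/json" ^
  -H "Authorization: Bearer %TOKEN%" ^
  -H "Content-Type: application/json" ^
  -d "{\"queryString\":\"count()\",\"isLive\":false,\"end\":\"now\",\"start\":\"1h\"}"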
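# Windows Powershell and curl
# The JSON body is piped to curl.exe on stdin (-d '@-'). Whether backslash-
# escaped quotes survive the hand-off to a native program depends on the
# PowerShell version; sending the body on stdin avoids that question.
# Each continued line ends with a backtick. The stray spaces that had crept
# into the bearer header and the URL are removed.
# Accept is application/json to match the JSON-array response this section describes.
$body = '{ "start" : "1h", "end" : "now", "isLive" : false, "queryString" : "count()" }'
$body | curl.exe -X POST `
  -H "Accept: application/json" `
  -H "Authorization: Bearer $TOKEN" `
  -H "Content-Type: application/json" `
  -d '@-' `
  "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"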
Perl
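use strict;
use warnings;
use HTTP::Request;
use LWP;

# Aggregate query: blocks until complete and returns the result as one JSON array.

# The API token comes from the environment rather than the source file, so it
# does not end up in version control. The earlier version declared
# $INGEST_TOKEN but interpolated the undeclared $TOKEN, so the Authorization
# header carried no token at all.
my $TOKEN = $ENV{TOKEN};
die "Set the TOKEN environment variable to a LogScale API token\n"
    unless defined $TOKEN && length $TOKEN;

# Replace $YOUR_LOGSCALE_URL and $REPOSITORY_NAME with your own values; the
# single quotes keep them as literal placeholder text.
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

# A single-quoted heredoc holds plain JSON. Inside Perl single quotes \" is
# NOT an escape, so the earlier body was sent with literal backslashes.
my $json = <<'JSON';
{
  "queryString" : "count()",
  "isLive" : false,
  "end" : "now",
  "start" : "1h"
}
JSON

my $req = HTTP::Request->new( 'POST', $uri );
# application/json matches the JSON-array response this section describes.
$req->header( 'Accept'        => 'application/json' );
$req->header( 'Authorization' => "Bearer $TOKEN" );
$req->header( 'Content-Type'  => 'application/json' );
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);

# Check the status and use the public HTTP::Response API rather than reading
# the object's internal "_content" slot.
die 'LogScale query failed: ' . $result->status_line . "\n"
    unless $result->is_success;
print $result->decoded_content, "\n";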
Python
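import os

import requests

# Aggregate query: blocks until complete and returns the result as one JSON array.

# The API token is read from the environment (KeyError if unset) so it is not
# stored in the source file. A literal "Bearer $TOKEN" string is never
# expanded by Python.
token = os.environ["TOKEN"]

# Replace $YOUR_LOGSCALE_URL and $REPOSITORY_NAME with your own values.
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
"start" : "1h",
"end" : "now",
"isLive" : false,
"queryString" : "count()"
}
'''
request_headers = {
    # application/json matches the JSON-array response this section describes.
    "Accept": "application/json",
    "Authorization": "Bearer " + token,
    "Content-Type": "application/json",
}

# The timeout bounds the connect phase only; the read is left unbounded
# because the server answers only once the query has finished.
resp = requests.post(url, data=mydata, headers=request_headers,
                     timeout=(10, None))
# Surface 4xx/5xx responses instead of printing an error body as if it were results.
resp.raise_for_status()
print(resp.text)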
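// Node.js
// Aggregate query: blocks until complete and returns the result as one JSON array.
const https = require('https');

// Fail early instead of sending "Bearer undefined".
if (!process.env.TOKEN) {
  throw new Error('Set the TOKEN environment variable to a LogScale API token');
}

// A plain object literal; backslash-escaped quotes are a syntax error here.
const data = JSON.stringify({
  queryString: 'count()',
  isLive: false,
  end: 'now',
  start: '1h',
});

const options = {
  // hostname takes the bare host name only (no scheme, no path). Replace the
  // $YOUR_LOGSCALE_URL and $REPOSITORY_NAME placeholders with your own values.
  hostname: '$YOUR_LOGSCALE_URL',
  path: '/api/v1/repositories/$REPOSITORY_NAME/query',
  port: 443,
  method: 'POST',
  headers: {
    // application/json matches the JSON-array response this section describes.
    Accept: 'application/json',
    'Content-Type': 'application/json',
    // Byte length, not character count, is what Content-Length must carry.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  const ok = res.statusCode >= 200 && res.statusCode < 300;
  console.log(`statusCode: ${res.statusCode}`);
  res.setEncoding('utf8');

  let body = '';
  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    // Error bodies are not guaranteed to be JSON, so print them as received.
    if (!ok) {
      console.error(body);
      return;
    }
    // The parsed response is printed as a whole; there is no GraphQL-style
    // "data" wrapper to unwrap on this endpoint.
    console.log(JSON.parse(body));
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();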