Search API Time Specification
There are two ways of specifying the start and end time for a query:
Absolute Time
With absolute time, you specify a number that expresses the precise time in milliseconds since the Unix epoch (Unix time) in the UTC/Zulu time zone. This method is shown in the following example:
{
"queryString": "css",
"start": 1473449370018,
"end": 1473535816755
}Relative Time
With relative time, you specify the start and end time as a relative
time such as
1minute or
24hours. LogScale
supports this using relative time modifiers. LogScale treats the start
and end times as relative times if you specify them as strings.
When providing a timestamp, relative time modifiers are specified relative to "now".
See the Relative Time Syntax reference page.
Note
Relative time modifiers are always relative to now.
This method is shown in the following examples:
Search the last 24 hours:
{
"queryString": "ERROR",
"start": "24hours",
"end": "now"
}You can also mix relative and absolute time modifiers. For example, to search from a specified moment in time until two days ago:
{
"queryString": "loglevel=ERROR",
"start": 1473449370018,
"end": "2days"
}Note
Omitted and required arguments: LogScale has defined behavior when you omit time arguments: if you omit the`end` argument, it gets the default value now; and if you omit the start argument, it gets the default value of 24hours. For *_live queries_*, you must either set end to "now", or omit it. You must set start to a relative time modifier.
Live Query Streaming All Events
This live query returns an empty search, finding all events in a time window going 10 seconds back in time.
Notice the ACCEPT
header. This tells the server to stream data as
Newline Delimited JSON.
{
"start" : "10s",
"queryString" : "",
"isLive" : true
}curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{"query" : "{
\"start\" : \"10s\",
\"queryString\" : \"\",
\"isLive\" : true
}
"
}
EOFcurl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json"curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
-H "Accept: application/x-ndjson" ^
-H "Authorization: Bearer $TOKEN" ^
-H "Content-Type: application/json" ^
-d @'{"query" : "{ ^
\"start\" : \"10s\", ^
\"queryString\" : \"\", ^
\"isLive\" : true ^
} ^
" ^
} 'curl.exe -X POST
-H "Accept: application/x-ndjson"
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"query" : "{
\"queryString\" : \"\",
\"isLive\" : true,
\"start\" : \"10s\"
}
"
}'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"#!/usr/bin/perl
use HTTP::Request;
use LWP;
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{"query" : "{
\"start\" : \"10s\",
\"isLive\" : true,
\"queryString\" : \"\"
}
"
}';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";#! /usr/local/bin/python3
import requests
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{"query" : "{
\"start\" : \"10s\",
\"isLive\" : true,
\"queryString\" : \"\"
}
"
}'''
resp = requests.post(url,
data = mydata,
headers = {
"Accept" : "application/x-ndjson",
"Authorization" : "Bearer $TOKEN",
"Content-Type" : "application/json"
}
)
print(resp.text)const https = require('https');
const data = JSON.stringify(
{"query" : "{
\"start\" : \"10s\",
\"queryString\" : \"\",
\"isLive\" : true
}
"
}
);
const options = {
hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
path: '/graphql',
port: 443,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length,
Authorization: 'BEARER ' + process.env.TOKEN,
'User-Agent': 'Node',
},
};
const req = https.request(options, (res) => {
let data = '';
console.log(`statusCode: ${res.statusCode}`);
res.on('data', (d) => {
data += d;
});
res.on('end', () => {
console.log(JSON.parse(data).data);
});
});
req.on('error', (error) => {
console.error(error);
});
req.write(data);
req.end();Aggregate Query Returning Standard JSON
This query groups results by service and counts the number of events for each service. The query blocks until it is complete and returns events as a JSON array:
{
"start" : "1h",
"queryString" : "count()",
"end" : "now",
"isLive" : false
}curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{"query" : "{
\"isLive\" : false,
\"queryString\" : \"count()\",
\"end\" : \"now\",
\"start\" : \"1h\"
}
"
}
EOFcurl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json"curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
-H "Accept: application/x-ndjson" ^
-H "Authorization: Bearer $TOKEN" ^
-H "Content-Type: application/json" ^
-d @'{"query" : "{ ^
\"isLive\" : false, ^
\"queryString\" : \"count()\", ^
\"end\" : \"now\", ^
\"start\" : \"1h\" ^
} ^
" ^
} 'curl.exe -X POST
-H "Accept: application/x-ndjson"
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"query" : "{
\"queryString\" : \"count()\",
\"end\" : \"now\",
\"isLive\" : false,
\"start\" : \"1h\"
}
"
}'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"#!/usr/bin/perl
use HTTP::Request;
use LWP;
my $TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{"query" : "{
\"end\" : \"now\",
\"queryString\" : \"count()\",
\"isLive\" : false,
\"start\" : \"1h\"
}
"
}';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";#! /usr/local/bin/python3
import requests
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{"query" : "{
\"start\" : \"1h\",
\"isLive\" : false,
\"end\" : \"now\",
\"queryString\" : \"count()\"
}
"
}'''
resp = requests.post(url,
data = mydata,
headers = {
"Accept" : "application/x-ndjson",
"Authorization" : "Bearer $TOKEN",
"Content-Type" : "application/json"
}
)
print(resp.text)const https = require('https');
const data = JSON.stringify(
{"query" : "{
\"start\" : \"1h\",
\"end\" : \"now\",
\"queryString\" : \"count()\",
\"isLive\" : false
}
"
}
);
const options = {
hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
path: '/graphql',
port: 443,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length,
Authorization: 'BEARER ' + process.env.TOKEN,
'User-Agent': 'Node',
},
};
const req = https.request(options, (res) => {
let data = '';
console.log(`statusCode: ${res.statusCode}`);
res.on('data', (d) => {
data += d;
});
res.on('end', () => {
console.log(JSON.parse(data).data);
});
});
req.on('error', (error) => {
console.error(error);
});
req.write(data);
req.end();