Search API Time Specification
There are two ways of specifying the start and end time for a query:
Absolute Time
With absolute time, you specify a number that expresses the precise time in milliseconds since the Unix epoch (Unix time) in the UTC/Zulu time zone. This method is shown in the following example:
{
"queryString": "css",
"start": 1473449370018,
"end": 1473535816755
}
Relative Time
With relative time, you specify the start and end time as a relative
time such as
1minute
or
24hours
.
Falcon LogScale supports this using relative time modifiers.
LogScale treats the start and end times as relative times if you
specify them as strings.
When providing a timestamp, relative time modifiers are specified relative to "now".
See the Relative Time Syntax reference page.
Note
Relative time modifiers are always relative to now.
This method is shown in the following examples:
Search the last 24 hours:
{
"queryString": "ERROR",
"start": "24hours",
"end": "now"
}
You can also mix relative and absolute time modifiers. For example, to search from a specified moment in time until two days ago:
{
"queryString": "loglevel=ERROR",
"start": 1473449370018,
"end": "2days"
}
Advanced time selection is also available using the Advanced Time Syntax.
Note
Omitted and required arguments: LogScale has defined behavior
when you omit time arguments: if you omit the
end
argument, it gets the default value now;
and if you omit the start
argument, it gets the
default value of 24hours
. For
*_live queries_*, you
must either set end to now
, or omit it. You must
set start
to a relative time modifier.
Live Query Streaming All Events
This live query returns an empty search, finding all events in a time window going 10 seconds back in time.
Notice the ACCEPT
header. This tells the server to stream data as
Newline Delimited
JSON.
{
"isLive" : true,
"start" : "10s",
"queryString" : ""
}
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
"start" : "10s",
"isLive" : true,
"queryString" : ""
}
EOF
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
\"isLive\" : true,
\"start\" : \"10s\",
\"queryString\" : \"\"
}
EOF
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
-H "Accept: application/x-ndjson" ^
-H "Authorization: Bearer $TOKEN" ^
-H "Content-Type: application/json" ^
-d @'{ ^
\"queryString\" : \"\", ^
\"start\" : \"10s\", ^
\"isLive\" : true ^
} ^
'
curl.exe -X POST
-H "Accept: application/x-ndjson"
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{
\"isLive\" : true,
\"start\" : \"10s\",
\"queryString\" : \"\"
}
'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
#!/usr/bin/perl
use HTTP::Request;
use LWP;
my $INGEST_TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{
\"queryString\" : \"\",
\"isLive\" : true,
\"start\" : \"10s\"
}
';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";
#! /usr/local/bin/python3
import requests
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
"queryString" : "",
"isLive" : true,
"start" : "10s"
}
'''
resp = requests.post(url,
data = mydata,
headers = {
"Accept" : "application/x-ndjson",
"Authorization" : "Bearer $TOKEN",
"Content-Type" : "application/json"
}
)
print(resp.text)
const https = require('https');
const data = JSON.stringify(
{
\"isLive\" : true,
\"start\" : \"10s\",
\"queryString\" : \"\"
}
);
const options = {
hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
path: '/graphql',
port: 443,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length,
Authorization: 'BEARER ' + process.env.TOKEN,
'User-Agent': 'Node',
},
};
const req = https.request(options, (res) => {
let data = '';
console.log(`statusCode: ${res.statusCode}`);
res.on('data', (d) => {
data += d;
});
res.on('end', () => {
console.log(JSON.parse(data).data);
});
});
req.on('error', (error) => {
console.error(error);
});
req.write(data);
req.end();
Aggregate Query Returning Standard JSON
This query groups results by service and counts the number of events for each service. The query blocks until it is complete and returns events as a JSON array:
{
"end" : "now",
"start" : "1h",
"isLive" : false,
"queryString" : "count()"
}
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
"queryString" : "count()",
"end" : "now",
"isLive" : false,
"start" : "1h"
}
EOF
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Accept: application/x-ndjson" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
\"start\" : \"1h\",
\"isLive\" : false,
\"end\" : \"now\",
\"queryString\" : \"count()\"
}
EOF
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
-H "Accept: application/x-ndjson" ^
-H "Authorization: Bearer $TOKEN" ^
-H "Content-Type: application/json" ^
-d @'{ ^
\"end\" : \"now\", ^
\"isLive\" : false, ^
\"start\" : \"1h\", ^
\"queryString\" : \"count()\" ^
} ^
'
curl.exe -X POST
-H "Accept: application/x-ndjson"
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{
\"queryString\" : \"count()\",
\"end\" : \"now\",
\"isLive\" : false,
\"start\" : \"1h\"
}
'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
#!/usr/bin/perl
use HTTP::Request;
use LWP;
my $INGEST_TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{
\"start\" : \"1h\",
\"isLive\" : false,
\"end\" : \"now\",
\"queryString\" : \"count()\"
}
';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";
#! /usr/local/bin/python3
import requests
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
"queryString" : "count()",
"isLive" : false,
"start" : "1h",
"end" : "now"
}
'''
resp = requests.post(url,
data = mydata,
headers = {
"Accept" : "application/x-ndjson",
"Authorization" : "Bearer $TOKEN",
"Content-Type" : "application/json"
}
)
print(resp.text)
const https = require('https');
const data = JSON.stringify(
{
\"isLive\" : false,
\"start\" : \"1h\",
\"end\" : \"now\",
\"queryString\" : \"count()\"
}
);
const options = {
hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
path: '/graphql',
port: 443,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length,
Authorization: 'BEARER ' + process.env.TOKEN,
'User-Agent': 'Node',
},
};
const req = https.request(options, (res) => {
let data = '';
console.log(`statusCode: ${res.statusCode}`);
res.on('data', (d) => {
data += d;
});
res.on('end', () => {
console.log(JSON.parse(data).data);
});
});
req.on('error', (error) => {
console.error(error);
});
req.write(data);
req.end();