Search API Time Specification

There are two ways of specifying the start and end time for a query:

Absolute Time

With absolute time, you specify a number that expresses the precise time in milliseconds since the Unix epoch (Unix time) in the UTC/Zulu time zone. This method is shown in the following example:

json
{
  "queryString": "css",
  "start": 1473449370018,
  "end": 1473535816755
}

Relative Time

With relative time, you specify the start and end time as a relative time such as 1minute or 24hours. Falcon LogScale supports this using relative time modifiers. LogScale treats the start and end times as relative times if you specify them as strings.

When providing a timestamp, relative time modifiers are specified relative to "now".

See the Relative Time Syntax reference page.

Note

Relative time modifiers are always relative to now.

This method is shown in the following examples:

Search the last 24 hours:

json
{
  "queryString": "ERROR",
  "start": "24hours",
  "end": "now"
}

You can also mix relative and absolute time modifiers. For example, to search from a specified moment in time until two days ago:

json
{
  "queryString": "loglevel=ERROR",
  "start": 1473449370018,
  "end": "2days"
}

Advanced time selection is also available using the Advanced Time Syntax.

Note

Omitted and required arguments: LogScale has defined behavior when you omit time arguments: if you omit the end argument, it gets the default value now; and if you omit the start argument, it gets the default value of 24hours. For *_live queries_*, you must either set end to now, or omit it. You must set start to a relative time modifier.

Live Query Streaming All Events

This live query returns an empty search, finding all events in a time window going 10 seconds back in time.

Notice the ACCEPT header. This tells the server to stream data as Newline Delimited JSON.

Raw
json
{
   "isLive" : true,
   "start" : "10s",
   "queryString" : ""
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "start" : "10s",
   "isLive" : true,
   "queryString" : ""
}

EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   \"isLive\" : true,
   \"start\" : \"10s\",
   \"queryString\" : \"\"
}

EOF
Windows Cmd and curl
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Accept: application/x-ndjson" ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{ ^
   \"queryString\" : \"\", ^
   \"start\" : \"10s\", ^
   \"isLive\" : true ^
} ^
 '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Accept: application/x-ndjson"
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{
   \"isLive\" : true,
   \"start\" : \"10s\",
   \"queryString\" : \"\"
}
'
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

my $json = '{
   \"queryString\" : \"\",
   \"isLive\" : true,
   \"start\" : \"10s\"
}
';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
   "queryString" : "",
   "isLive" : true,
   "start" : "10s"
}
'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Accept" : "application/x-ndjson",
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {
   \"isLive\" : true,
   \"start\" : \"10s\",
   \"queryString\" : \"\"
}

);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Aggregate Query Returning Standard JSON

This query groups results by service and counts the number of events for each service. The query blocks until it is complete and returns events as a JSON array:

Raw
json
{
   "end" : "now",
   "start" : "1h",
   "isLive" : false,
   "queryString" : "count()"
}
Mac OS or Linux (curl)
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   "queryString" : "count()",
   "end" : "now",
   "isLive" : false,
   "start" : "1h"
}

EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
    -H "Accept: application/x-ndjson" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{
   \"start\" : \"1h\",
   \"isLive\" : false,
   \"end\" : \"now\",
   \"queryString\" : \"count()\"
}

EOF
Windows Cmd and curl
shell
curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
    -H "Accept: application/x-ndjson" ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{ ^
   \"end\" : \"now\", ^
   \"isLive\" : false, ^
   \"start\" : \"1h\", ^
   \"queryString\" : \"count()\" ^
} ^
 '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Accept: application/x-ndjson"
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{
   \"queryString\" : \"count()\",
   \"end\" : \"now\",
   \"isLive\" : false,
   \"start\" : \"1h\"
}
'
    "https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';

my $json = '{
   \"start\" : \"1h\",
   \"isLive\" : false,
   \"end\" : \"now\",
   \"queryString\" : \"count()\"
}
';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Accept" => "application/x-ndjson");
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
   "queryString" : "count()",
   "isLive" : false,
   "start" : "1h",
   "end" : "now"
}
'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Accept" : "application/x-ndjson",
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {
   \"isLive\" : false,
   \"start\" : \"1h\",
   \"end\" : \"now\",
   \"queryString\" : \"count()\"
}

);


const options = {
  hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();