Search API
The Search API is the primary endpoint for running queries for a specific repository or view. Using this API there are three basic methods for running queries:
Query jobs is the recommended method for submitting queries. This API provide an asynchronous method for submitted queries, allowing a request to be submited, with the results accessed later without the client having to actively wait for a response. Query jobs are useful if you have repetitive queries, as the results are returned when the job is polled.
A live search request returns information as a stream of data that will be updated as new events are ingested into the repository. Live queries return any immediate results and then stream additional results after ingest, leaving the request open to stream additional data.
The basic query allows a sigle, blocking, query to be submitted. This form of query allows for the request and specified timespan to return the matching events.
For a list of the supported endpoint and methods, see the table below.
Table:
| HTTP Method | URI | Description |
|---|---|---|
GET | /api/v1/repositories/ | Request the current query status and results |
POST | /api/v1/repositories/ | Create a query job |
DELETE | /api/v1/repositories/ | Delete a previously created query job |
POST | /api/v1/repositories/ | Submit a search query |
The API returns the query information, but when the data is returned is determined by the type of the query being executed. The endpoint streams results as soon as they are calculated, but a basic type filter query returns the information as soon at is returned. For aggregate queries, the time of delivery changes. The following table shows the differences between these query types.
| Query Type | Live Query | Standard Query |
|---|---|---|
| Filter | Streaming | Streaming |
| Aggregate | Error - use query jobs | Streaming - result only at end |
The endpoint streams results for filter queries as they happen.
For aggregate standard queries, the result is not ready until the query has processed all events in the specified query interval. The request is blocked until the result is ready. It is at this point that LogScale sends the result back.
For aggregate live queries, this endpoint returns an error. What you want in this situation is to get a snapshot of the complete result set at certain points in time (fx every second), but the query end point does not support this behavior. Instead, you should use the query job endpoint and then poll the result when you need it. For more information on live queries, see polling query endpoint.
Returned Event Count
To return more the default 200 events, the
tail() function can be added to the
submitted query, just as in a query through the UI. No
tail() function is included
by default to a query.
For example, to execute a query and return 1000 rows each time the job is accessed:
{
"queryString" : "localhost | tail(1000)",
"start" : "1h",
"end" : "now",
"isLive" : false
}curl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
"isLive" : false,
"start" : "1h",
"end" : "now",
"queryString" : "localhost | tail(1000)"
}
EOFcurl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @- << EOF
{
\"isLive\" : false,
\"end\" : \"now\",
\"start\" : \"1h\",
\"queryString\" : \"localhost | tail(1000)\"
}
EOFcurl -v -X POST https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query ^
-H "Authorization: Bearer $TOKEN" ^
-H "Content-Type: application/json" ^
-d @'{ ^
\"end\" : \"now\", ^
\"start\" : \"1h\", ^
\"isLive\" : false, ^
\"queryString\" : \"localhost | tail(1000)\" ^
} ^
'curl.exe -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{
\"queryString\" : \"localhost | tail(1000)\",
\"start\" : \"1h\",
\"end\" : \"now\",
\"isLive\" : false
}
'
"https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query"#!/usr/bin/perl
use HTTP::Request;
use LWP;
my $INGEST_TOKEN = "TOKEN";
my $uri = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query';
my $json = '{
\"isLive\" : false,
\"end\" : \"now\",
\"start\" : \"1h\",
\"queryString\" : \"localhost | tail(1000)\"
}
';
my $req = HTTP::Request->new("POST", $uri );
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");
$req->content( $json );
my $lwp = LWP::UserAgent->new;
my $result = $lwp->request( $req );
print $result->{"_content"},"\n";#! /usr/local/bin/python3
import requests
url = 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query'
mydata = r'''{
"queryString" : "localhost | tail(1000)",
"end" : "now",
"start" : "1h",
"isLive" : false
}
'''
resp = requests.post(url,
data = mydata,
headers = {
"Authorization" : "Bearer $TOKEN",
"Content-Type" : "application/json"
}
)
print(resp.text)const https = require('https');
const data = JSON.stringify(
{
\"queryString\" : \"localhost | tail(1000)\",
\"isLive\" : false,
\"end\" : \"now\",
\"start\" : \"1h\"
}
);
const options = {
hostname: 'https://$YOUR_LOGSCALE_URL/api/v1/repositories/$REPOSITORY_NAME/query',
path: '/graphql',
port: 443,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length,
Authorization: 'BEARER ' + process.env.TOKEN,
'User-Agent': 'Node',
},
};
const req = https.request(options, (res) => {
let data = '';
console.log(`statusCode: ${res.statusCode}`);
res.on('data', (d) => {
data += d;
});
res.on('end', () => {
console.log(JSON.parse(data).data);
});
});
req.on('error', (error) => {
console.error(error);
});
req.write(data);
req.end();