API Stability Long-Term

The blockedQueries() GraphQL query fetches the list of blocked query patterns.

Related to this query are the mutation fields addToBlocklist() blocklist a pattern matching query, addToBlocklistById() blocklist a specific query, and removeFromBlocklist() to remove a query from a blocklist.

To get a list of blocking queries using the UI, see the Blocking Queries page in the main documentation.

Syntax

graphql
blockedQueries(
      clusterWide: boolean, 
      includeBlockedQueriesForDeletedOrganizations: boolean
   ): [BlockedQuery]

There are no special input datatypes given. For clusterWide, enter true to return all blocked queries within the cluster. This requires the ManageCluster permission. For includeBlockedQueriesForDeletedOrganizations, set it to true to include blocked queries for organizations that have been deleted. Neither parameter is required and the default for both is false.

The results can include a regex pattern used to filter queries before they are executed. You can also get related data (e.g., data on the associated view, when blocking expires).

Example

Below is an example of this query field with a few return values requested:

Raw
graphql
query {
	blockedQueries 
	  { id, type, pattern }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
	blockedQueries 
	  { id, type, pattern }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
	blockedQueries 
	  { id, type, pattern }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
	blockedQueries  ^
	  { id, type, pattern } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
	blockedQueries 
	  { id, type, pattern }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
	blockedQueries 
	  { id, type, pattern }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
	blockedQueries 
	  { id, type, pattern }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
	blockedQueries 
	  { id, type, pattern }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "blockedQueries": [
      {
        "id": "abc123",
        "type": "REGEX",
        "pattern": "#type=humio"
      },
      {
        "id": "def456",
        "type": "REGEX",
        "pattern": "#type=testerroo"
      }
    ]
  }
}

Notice that the example above requests three values, separated by commas. Since there were two blocked queries, two sets of values were returned, each in square brackets.

Returned Datatype

The main result you'll probably want returned is the regex pattern used to filter queries before they are executed. You can also get data on the associated view, when blocking expires, whether the current user is allowed the remove blocking. Below is a list of what can be requested, along with a description of each:

Table: BlockedQuery

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 24, 2024
expiresAtdatetime  Long-TermThe date and time in which any matching queries will cease to be blocked.
expiresInMillisecondsinteger  Long-TermThe amount of milliseconds until any matching queries won't be blocked.
idstringyes Long-TermThe unique identifier of the blocked query.
limitedToOrganizationbooleanyes Long-TermWhether the blocked query should be limited to the organization.
organizationOrganization  Long-TermThe organization associated with the view, if any. See Organization.
patternstringyes Long-TermThe exact or regular expression pattern used to match queries to block.
typeBlockedQueryMatcherTypeyes Long-TermHow the pattern should be matched (e.g., as a regular expression). See BlockedQueryMatcherType .
unblockAllowedbooleanyes Long-TermWhether the current user is allowed to unblock the query.
viewView  Long-TermThe related view, if any. See View.