The searchDomain() GraphQL query is used to search a domain (for example the list of internal views, repositories, packages) within LogScale.

Syntax

Below is the syntax for the searchDomain() query field:

graphql
searchDomain(
  name: string!
): SearchDomain!

This query field has one input, but the returned datatype has many parameters. See the Returned Datatypes section for details. Below is an example using this query field:

Raw
graphql
query {
  searchDomain(name:"humio")
  {id, name, 
   installedPackages {
    id, availableUpdate, package{ name } }
  }
}
Mac OS or Linux (curl)
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  searchDomain(name:\"humio\")
  {id, name, 
   installedPackages {
    id, availableUpdate, package{ name } }
  }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "query { searchDomain(name:\"humio\") {id, name, installedPackages { id, availableUpdate, package{ name } } } }"}'
Windows Cmd and curl
shell
rem Cmd expands %VAR% (not $VAR) and has no single-quoted strings, so the JSON is double-quoted and escaped
curl -v -X POST "%YOUR_LOGSCALE_URL%/graphql" ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"query { searchDomain(name:\\\"humio\\\") {id, name, installedPackages { id, availableUpdate, package{ name } } } }\"}"
Windows Powershell and curl
powershell
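# Send the body on stdin so that PowerShell's native-argument quoting cannot strip the embedded double quotes
$body = @'
{"query" : "query { searchDomain(name:\"humio\") {id, name, installedPackages { id, availableUpdate, package{ name } } } }"}
'@
$body | curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-' `
    "$YOUR_LOGSCALE_URL/graphql"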
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# The API token and base URL are read from the environment
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# Keep the query readable and let encode_json produce valid JSON
my $query = <<'GRAPHQL';
query {
  searchDomain(name:"humio")
  {id, name,
   installedPackages {
    id, availableUpdate, package{ name } }
  }
}
GRAPHQL
my $json = encode_json({ query => $query });

my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

# The base URL and API token are read from the environment
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
query = '''query {
  searchDomain(name:"humio")
  {id, name,
   installedPackages {
    id, availableUpdate, package{ name } }
  }
}'''

# json= serializes the body and sets the Content-Type header
resp = requests.post(url,
                     json={"query": query},
                     headers={
   "Authorization": "Bearer " + os.environ["TOKEN"]
},
                     timeout=30
)

print(resp.text)
Node.js
javascript
const https = require('https');

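// A template literal allows the query to span several lines
const query = `query {
  searchDomain(name:"humio")
  {id, name,
   installedPackages {
    id, availableUpdate, package{ name } }
  }
}`;
const data = JSON.stringify({ query });

// The base URL (for example https://logscale.example.com) is read from the environment
const base = new URL(process.env.YOUR_LOGSCALE_URL);

const options = {
  hostname: base.hostname,
  path: '/graphql',
  port: base.port || 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Length in bytes, not characters
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};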

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "searchDomain": {
      "id": "aK9GKAsTnMXfRxT8Fpecx3fX",
      "name": "humio",
      "installedPackages": [
        {
          "id": "humio/insights@0.0.14",
          "availableUpdate": null,
          "package": {
            "name": "insights"
          }
        }
      ]
    }
  }
}
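
The query and response above, as an added example (not LogScale's own code): it sends the domain name as a GraphQL variable instead of splicing it into the query text, then lists the installed packages that report an available update. The `String!` variable type, the second package entry in `SAMPLE` and the string form of its `availableUpdate` value are assumptions made for the illustration.

```python
import json
import os
import urllib.request

# Passing the name as a variable keeps caller-supplied text out of the query.
# String! is the standard GraphQL scalar (assumed for the page's "string!").
QUERY = """query ($name: String!) {
  searchDomain(name: $name) {
    id, name,
    installedPackages { id, availableUpdate, package { name } }
  }
}"""

def build_payload(domain):
    return json.dumps({"query": QUERY, "variables": {"name": domain}})

def fetch(domain):
    # Live call; needs YOUR_LOGSCALE_URL and TOKEN in the environment.
    req = urllib.request.Request(
        os.environ["YOUR_LOGSCALE_URL"] + "/graphql",
        data=build_payload(domain).encode(),
        headers={"Authorization": "Bearer " + os.environ["TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def package_report(response):
    # Returns (all packages, packages with an update pending). GraphQL
    # servers commonly report failures in an "errors" array.
    if response.get("errors"):
        raise RuntimeError(response["errors"])
    domain = (response.get("data") or {}).get("searchDomain")
    if domain is None:
        raise LookupError("response contains no searchDomain")
    report = []
    for inst in domain["installedPackages"]:
        spec, sep, version = inst["id"].rpartition("@")
        report.append({"package": spec if sep else inst["id"],
                       "installed": version if sep else None,
                       "update": inst["availableUpdate"]})
    return report, [r for r in report if r["update"] is not None]

# The page's example response plus one constructed entry (example/demo).
SAMPLE = {"data": {"searchDomain": {
    "id": "aK9GKAsTnMXfRxT8Fpecx3fX", "name": "humio",
    "installedPackages": [
        {"id": "humio/insights@0.0.14", "availableUpdate": None,
         "package": {"name": "insights"}},
        {"id": "example/demo@1.0.0", "availableUpdate": "1.1.0",
         "package": {"name": "demo"}}]}}}
```

`package_report(fetch("humio"))` runs the same report against a live instance.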

Returned Datatypes

The returned datatype SearchDomain has several parameters and sub-parameters. Below is a list of parameters with references to the sub-parameters:

Table: SearchDomain

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| action | multiple | yes | | A saved action. The multiple datatype consists of (id: string): Action. See Action. |
| actions | Action | yes | | A list of saved actions. See Action. |
| aggregateAlert | multiple | yes | | A saved aggregate alert. The multiple datatype consists of (id: string): AggregateAlert. See AggregateAlert. |
| aggregateAlerts | [AggregateAlert] | yes | | A list of saved aggregate alerts. See AggregateAlert. |
| alert | multiple | yes | | A saved alert. The multiple datatype consists of (id: string): Alert. See Alert. |
| alerts | [Alert] | yes | | Saved alerts. See Alert. |
| allowedViewActions | [ViewAction] | yes | | Returns all the actions the user is allowed to perform on the view. See ViewAction. |
| automaticSearch | boolean | yes | | Whether to automatically execute the default search query. |
| availablePackages | multiple | yes | | Returns a list of available packages that can be installed. The multiple datatype consists of (filter: string, tags: [PackageTag], categories: [string]): [PackageRegistrySearchResultItem]. PackageTag is a scalar. See PackageRegistrySearchResultItem. |
| dashboard | multiple | yes | | The default or initial Dashboard to use. The multiple datatype consists of (id: string): Dashboard. See Dashboard. |
| dashboards | [Dashboard] | yes | | All dashboards available on the view. See Dashboard. |
| defaultQuery | SavedQuery | yes | | The default query used for the search domain when none is selected. See SavedQuery. |
| deletedDate | long | | | The point in time the search domain was marked for deletion. |
| description | string | | | A description of the search domain. |
| fileFieldSearch | multiple | yes | | Used to search fields in a CSV or JSON file. The multiple datatype consists of fileFieldSearch(fileName: string, fieldName: string, prefixFilter: string, valueFilters: [FileFieldFilterType], fieldsToInclude: [string], maxEntries: integer): [[DictionaryEntryType]]. See FileFieldFilterType and DictionaryEntryType. |
| files | [File] | yes | | Files belonging to the search domain. See File. |
| filterAlert | multiple | yes | | A saved filter alert. The multiple datatype consists of (id: string): FilterAlert. See FilterAlert. |
| filterAlerts | [FilterAlert] | yes | | Saved filter alerts. See FilterAlert. |
| groups | [Group] | yes | | Groups with assigned roles. See Group. |
| hasPackageInstalled | multiple | yes | | Whether there is an installed package. The multiple datatype consists of (packageId: VersionedPackageSpecifier): boolean. VersionedPackageSpecifier is a scalar. |
| id | string | yes | | The unique identifier for the search domain. |
| installedPackages | [PackageInstallation] | yes | | List packages installed on a specific view or repository. See PackageInstallation. |
| interactions | [ViewInteraction] | yes | | All interactions defined on the view. See ViewInteraction. |
| isActionAllowed | multiple | yes | | Whether the current user is allowed to perform the action. The multiple datatype consists of (action: ViewAction): boolean. See ViewAction. |
| isStarred | boolean | yes | | Whether the search domain is highlighted with a star. |
| name | RepoOrViewName | yes | | The name of the search domain. RepoOrViewName is a scalar. |
| packageV2 | multiple | yes | | Returns a specific version of a package given a package version. The multiple datatype consists of (packageId: VersionedPackageSpecifier): Package2. VersionedPackageSpecifier is a scalar value. See Package2. |
| packageVersions | multiple | yes | | The available versions of a package. This is a preview and may be moved to Package2. The multiple datatype consists of (packageId: UnversionedPackageSpecifier): [RegistryPackageVersionInfo]. UnversionedPackageSpecifier is a scalar. See RegistryPackageVersionInfo. |
| permanentlyDeletedAt | long | | | The point in time the search domain will not be restorable anymore. |
| recentQueriesV2 | [RecentQuery] | yes | | All recent queries for the search domain. See RecentQuery. |
| reposExcludedInSearchLimit | [string] | yes | | Repositories not part of the search limitation. |
| savedQueries | [SavedQuery] | yes | | The saved queries. See SavedQuery. |
| savedQuery | multiple | yes | | A saved query. The multiple datatype consists of (id: string): SavedQuery. See SavedQuery. |
| scheduledReport | multiple | yes | | A saved scheduled report. The multiple datatype consists of (id: string): ScheduledReport. See ScheduledReport. |
| scheduledReports | [ScheduledReport] | yes | | Saved scheduled reports. See ScheduledReport. |
| scheduledSearch | multiple | yes | | A saved scheduled search. The multiple datatype consists of (id: string): ScheduledSearch. See ScheduledSearch. |
| scheduledSearches | [ScheduledSearch] | yes | | The scheduled searches to use with the search domain. See ScheduledSearch. |
| searchLimitedMs | long | | | Limit in milliseconds to which searches should be limited. |
| starredFields | [string] | yes | | All fields in the search domain to mark with a star. |
| tags | [string] | yes | | All tags from all datasources. |
| users | [User] | yes | | Users who have access to the search domain. See User. |
| usersandgroups | multiple | yes | | Users and groups associated with the search domain. The multiple datatype consists of (search: string, skip: integer, limit: integer): UsersAndGroupsSearchResultSet. See UsersAndGroupsSearchResultSet. |
| usersV2 | multiple | yes | | Search users with a given permission, whose email or name matches this search string. The multiple datatype consists of (search: string, permissionFilter: Permission, skip: integer, limit: integer): Users. See Permission and Users. |
| viewerQueryPrefix | string | yes | | The query prefix prepended to each search in this domain. |