validateQuery()

API Stability Preview

The validateQuery() GraphQL query is used to check that a query compiles. If not, it can returns error messages and other diagnostic information.

Related to this query field is the analyzeQuery(). It can validate saved queries and will return any errors or warnings in a standard search context. It will also suggest an alert to use with the query.

For more information on saved queries, see the Saved Searches (User Functions) reference page where saved queries are discussed. Also, look at the Search Data documentation page as it relates to recent queries and saving queries.

Syntax

graphql

validateQuery(
     queryString: string!,
     isLive: boolean,
     version: LanguageVersionEnum!,
     arguments: [QueryArgument]
   ): QueryValidationResult!

For the input, you'll need to provide the query itself, whether the query is live, the language version (e.g., legacy), and any query arguments — which are given in name and value pairs.

For the results, you can know if the query is valid. If it's not, you can get diagnostic information, including any messages and types (e.g., an error, warning, or hint). See the Returned Datatype for more.

Example

Below is an example of how this query field might be used:

Raw

graphql

query {
  validateQuery(queryString:"host=localhost",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  validateQuery(queryString:\"host=localhost\",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  validateQuery(queryString:\"host=localhost\",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  validateQuery(queryString:\"host=localhost\", ^
                version: legacy, isLive: false) ^
  {isValid, diagnostics{severity, message, code}} ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  validateQuery(queryString:\"host=localhost\",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  validateQuery(queryString:\"host=localhost\",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  validateQuery(queryString:\"host=localhost\",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  validateQuery(queryString:\"host=localhost\",
                version: legacy, isLive: false)
  {isValid, diagnostics{severity, message, code}}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

There are two special given datatypes. The first is used to provide the language version that would be used for executing the query to be validated. Your choices are listed in the table below:

Table: LanguageVersionEnum

Parameter	Type	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Oct 29, 2025
federated1	boolean	`Long-Term`	Indicates if Federated version of the LogScale query is used.
filteralert	boolean	`Deprecated`	This has no effect and is no longer used internally. It will be removed at the earliest in version 1.189.
legacy	boolean	`Long-Term`	Whether legacy LogScale query language is used.
xdr1	boolean	`Long-Term`	Whether XDR1 is used.
xdrdetects1	boolean	`Long-Term`	Whether XDR Detects 1 query language is used.

The other datatype is for providing any query arguments, which are given in name and value pairs — as you can see in the table below:

Table: QueryArgument

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 19, 2024
name	string	yes	`Preview`	The name of the query argument.
value	string	yes	`Preview`	The value fo the query argument.

Returned Datatype

With the returned datatype, you can know if the query is valid. If it's not, you can drill down diagnostic information, which can include a message and the severity level (e.g., an error, warning, or hint). The parameters are listed in the table below, but you'll have to click on the datatype it includes to get more details:

Table: QueryValidationResult

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Oct 2, 2024
diagnostics	[QueryDiagnostic]	yes	`Preview`	A diagnostic message from query validation. See QueryDiagnostic. This is a preview for internal testing and subject to change.
isValid	boolean	yes	`Preview`	Whether query is valid. For internal testing.

Versions of this Page

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes

validateQuery()

Syntax

Example

Given Datatypes

Returned Datatype

Enter search term