Perform search (Stream)
post
/serviceapi/querylanguage.export
Perform a search by using the ExportRequest object. The only mandatory body parameter is queryString. To learn more about how queries work, see Get Started With Log Analytics.
This API will output the query results as a stream as they become available.
Request
Supported Media Types
- application/json
Header Parameters
-
X-REMOTE-USER: string
User name
-
X-USER-IDENTITY-DOMAIN-NAME: string
Tenant ID
Query to be exported
Root Schema : ExportRequest
Type:
Show Source
object-
includeColumns(optional):
boolean
Default Value:
falseInclude columns in responseExample:true -
localize(optional):
boolean
Default Value:
falseLocalize results, including header columns, LOV and timestamp values. -
maxTotalCount(optional):
integer(int32)
Maximum number of results retrieved from data source. Note a maximum value will be enforced; if the export results can be streamed, the maximum will be 50000000, otherwise 10000; that is, if not streamed, actualMaxTotalCountUsed = Math.min(maxTotalCount, 10000). Export will incrementally stream results depending on the queryString. Some commands including head/tail are not compatible with streaming result delivery and therefore enforce a reduced limit on overall maxtotalcount. no sort command or sort by id, e.g. ' | sort id ' - is streaming compatible sort by time and id, e.g. ' | sort -time, id ' - is streaming compatible all other cases, e.g. ' | sort -time, id, mtgtguid ' - is not streaming compatible due to the additional sort fieldExample:
500 -
outputMode(optional):
string
Allowed Values:
[ "csv" ]Specifies the format for the returned results. Possible values include: csv (comma delimited).Example:csv -
queryString:
string
Query to perform. To learn more about how queries work, see Get Started With Log Analytics.Example:
* | stats count by 'Log Source' -
queryTimeout(optional):
integer(int32)
Amount of time, in seconds, allowed for a query to complete. If this time expires before the query is complete, any partial results will be returned.
-
subSystem(optional):
string
Allowed Values:
[ "LOG", "SECURITY" ]Each subsystem has its own namespace for fields it contains. This means two fields in different subsystems can have the same name; for example, log.status and target.status refer to two different fields. The subsystem parameter identifies the default subsystem to use when validating/querying a field that is not explicity qualifed by its subsystem. -
targetFilters(optional):
object TargetFilters
-
timeFilter(optional):
object TimeFilter
Discriminator:
type
Nested Schema : TargetFilters
Type:
Show Source
object-
filters(optional):
array filters
-
match(optional):
string
Allowed Values:
[ "ALL", "ANY" ]
Nested Schema : TimeFilter
Type:
objectDiscriminator:
typeNested Schema : TargetFilter
Type:
Show Source
object-
name(optional):
string
Allowed Values:
[ "ENTITY_NAME", "ME_ID", "MEMBER_OF", "USED_BY", "USES", "SAVED_SEARCH" ] -
operator(optional):
string
Allowed Values:
[ "IS_EQUAL" ] -
values(optional):
array values
Response
Supported Media Types
- application/octet-stream
200 Response
Operation succeeded
Root Schema : OutputStream
Type:
object400 Response
Bad request. See response body for explanation.
Root Schema : InternalErrorResponse
Type:
Show Source
object-
messages(optional):
array messages
-
type(optional):
string
Allowed Values:
[ "PARSERERROR", "INVALIDPARAMETER", "UNSUPPORTEDSUBSYSTEM", "UNSUPPORTEDFILTER", "UNSUPPORTEDVERSION", "INVALIDJOBID", "INVALIDQUERYID", "FORBIDDEN", "INTERNALERROR", "JSONERROR", "INTERRUPTEDERROR", "EXECUTIONERROR", "COMPILATIONERROR", "SERVICEAVAILABILITYERROR" ] -
violations(optional):
array violations
403 Response
Forbidden. User does not have required privileges.
500 Response
Internal server error. See response body for explanation.
Root Schema : InternalErrorResponse
Type:
Show Source
object-
messages(optional):
array messages
-
type(optional):
string
Allowed Values:
[ "PARSERERROR", "INVALIDPARAMETER", "UNSUPPORTEDSUBSYSTEM", "UNSUPPORTEDFILTER", "UNSUPPORTEDVERSION", "INVALIDJOBID", "INVALIDQUERYID", "FORBIDDEN", "INTERNALERROR", "JSONERROR", "INTERRUPTEDERROR", "EXECUTIONERROR", "COMPILATIONERROR", "SERVICEAVAILABILITYERROR" ] -
violations(optional):
array violations
Examples
This cURL call will return all logs for all Database Instance and Cluster Database targets whose name contains the substring TEST:
- Create a new JSON file called testQuery.json and copy the following:
{ "queryString": "'target type' in ('Database Instance', 'Cluster Database') target like '%TEST%' | fields target, 'target type', message" - Run the following cURL command:
curl -u "OMC_USERNAME" -X POST -H "Content-Type:application/json" "https://"OMC_URL"/serviceapi/querylanguage/{version}/export" -d "@testQuery.json"
Example of Response
The following shows an example of the response body.
{
"columns":[{"name":"target", "displayName":"Target", "valueType":"string", ...},
{"name":"target_type", "displayName":"Target Type", "valueType":"string", ...},
{"name":"msg", "displayName":"Msg", "valueType":"string", ...}],
"results":[["TEST_DB1", "oracle_database", "msg1"],
["TEST_DB2", "oracle_database", "msg2"],
["TEST_RAC1", "rac_database", "msg3"],
...]
}