Perform search (JSON)
post
/serviceapi/querylanguage.query
Perform a search by using the ExportRequest object. The only mandatory body parameter is queryString. To learn more about how queries work, see Get Started With Log Analytics.
This API will output the query results as a JSON.
Request
Supported Media Types
- application/json
Header Parameters
-
X-REMOTE-USER: string
User name
-
X-USER-IDENTITY-DOMAIN-NAME: string
Tenant ID
Query to be executed.
Root Schema : QueryRequest
Type:
Show Source
object-
includeColumns(optional):
boolean
Default Value:
falseInclude columns in responseExample:true -
includeFields(optional):
boolean
Default Value:
falseInclude fields in responseExample:true -
includeTotalCount(optional):
boolean
Default Value:
falseInclude the total number of results from the query. Note, this value will always be equal to or less than maxTotalCount.Example:false -
limit(optional):
integer(int32)
Maximum number of results to return in this request. Note a limit=-1 returns all results from offset onwards up to maxtotalCount.Example:
500 -
maxTotalCount(optional):
integer(int32)
Maximum number of results to count. Note a maximum of 2001 will be enforced; that is, actualMaxTotalCountUsed = Math.min(maxTotalCount, 2001).Example:
500 -
offset(optional):
integer(int32)
Index of first result to return for this request.Example:
10 -
outputMode(optional):
string
Allowed Values:
[ "jsonRows" ]Specifies the format for the returned results. Possible values include: jsonRows. -
queryPriority(optional):
integer(int32)
-
queryString:
string
Query to perform. To learn more about how queries work, see Get Started With Log Analytics.Example:
* | stats count by 'Log Source' -
queryTimeout(optional):
integer(int32)
Amount of time, in seconds, allowed for a query to complete. If this time expires before the query is complete, any partial results will be returned.
-
subSystem(optional):
string
Allowed Values:
[ "LOG", "SECURITY" ]Each subsystem has its own namespace for fields it contains. This means two fields in different subsystems can have the same name; for example, log.status and target.status refer to two different fields. The subsystem parameter identifies the default subsystem to use when validating/querying a field that is not explicity qualifed by its subsystem. -
targetFilters(optional):
object TargetFilters
-
timeFilter(optional):
object TimeFilter
Discriminator:
type
Nested Schema : TargetFilters
Type:
Show Source
object-
filters(optional):
array filters
-
match(optional):
string
Allowed Values:
[ "ALL", "ANY" ]
Nested Schema : TimeFilter
Type:
objectDiscriminator:
typeNested Schema : TargetFilter
Type:
Show Source
object-
name(optional):
string
Allowed Values:
[ "ENTITY_NAME", "ME_ID", "MEMBER_OF", "USED_BY", "USES", "SAVED_SEARCH" ] -
operator(optional):
string
Allowed Values:
[ "IS_EQUAL" ] -
values(optional):
array values
Response
Supported Media Types
- application/json
200 Response
Operation succeeded
Root Schema : QueryResultResponse
Type:
Show Source
object-
columns(optional):
array columns
-
fields(optional):
array fields
-
incrementalSearchTime(optional):
integer(int64)
-
insights(optional):
object Insights
-
nextOffset(optional):
integer(int32)
-
partialResultReason(optional):
string
-
partialResults(optional):
boolean
Default Value:
false -
responseTime(optional):
integer(int64)
-
results(optional):
array results
-
totalCount(optional):
integer(int64)
-
totalMatchedCount(optional):
integer(int64)
Nested Schema : columns
Type:
Show Source
array-
Array of:
object ColumnDescriptor
Discriminator:
type
Nested Schema : fields
Type:
Show Source
array-
Array of:
object ColumnDescriptor
Discriminator:
type
Nested Schema : ColumnDescriptor
Type:
objectDiscriminator:
Show Source
type-
displayName(optional):
string
-
evaluable(optional):
boolean
Default Value:
false -
fullDisplayName(optional):
string
-
fullInternalName(optional):
string
-
groupable(optional):
boolean
Default Value:
false -
hasValues(optional):
boolean
Default Value:
false -
internalName(optional):
string
-
multiValued(optional):
boolean
Default Value:
false -
originalDisplayName(optional):
string
-
subsystem(optional):
string
Allowed Values:
[ "LOG", "SECURITY" ] -
values(optional):
array values
-
valueType(optional):
string
Allowed Values:
[ "BOOLEAN", "STRING", "DOUBLE", "FLOAT", "LONG", "INTEGER", "TIMESTAMP", "FACET" ]
Nested Schema : internalValue
Type:
objectNested Schema : items
Type:
object400 Response
Bad request. See response body for explanation.
Root Schema : InternalErrorResponse
Type:
Show Source
object-
messages(optional):
array messages
-
type(optional):
string
Allowed Values:
[ "PARSERERROR", "INVALIDPARAMETER", "UNSUPPORTEDSUBSYSTEM", "UNSUPPORTEDFILTER", "UNSUPPORTEDVERSION", "INVALIDJOBID", "INVALIDQUERYID", "FORBIDDEN", "INTERNALERROR", "JSONERROR", "INTERRUPTEDERROR", "EXECUTIONERROR", "COMPILATIONERROR", "SERVICEAVAILABILITYERROR" ] -
violations(optional):
array violations
403 Response
Forbidden. User does not have required privileges.
500 Response
Internal server error. See response body for explanation.
Root Schema : InternalErrorResponse
Type:
Show Source
object-
messages(optional):
array messages
-
type(optional):
string
Allowed Values:
[ "PARSERERROR", "INVALIDPARAMETER", "UNSUPPORTEDSUBSYSTEM", "UNSUPPORTEDFILTER", "UNSUPPORTEDVERSION", "INVALIDJOBID", "INVALIDQUERYID", "FORBIDDEN", "INTERNALERROR", "JSONERROR", "INTERRUPTEDERROR", "EXECUTIONERROR", "COMPILATIONERROR", "SERVICEAVAILABILITYERROR" ] -
violations(optional):
array violations