search

Starts a new search.

Resource URL

Use the following URL when making search requests.

https://<hostname>:<port>/server/search 

Note: If your query string includes special characters, use standard URI encoding and add the parameter "uri_encoded": true to the request.

Parameters

This request accepts the following parameters. Each entry lists the parameter name, its type, whether it is required, and its default value.

search_session_id
  Type: Number. Required: Yes. Default: none.
  The Search Session ID to be used in future search-related request operations. This must be an increasing positive integer (for example, the server time in milliseconds).

user_session_id
  Type: String. Required: Yes. Default: none.
  The User Session ID generated by the login API.

discover_fields
  Type: Boolean. Required: No. Default: false.
  Indicates that the search should try to discover fields in the events found. Only considered when field_summary is true; otherwise ignored.

end_time
  Type: String. Required: No. Default: none.
  A string defining the end date and time of the search. See date/time format for the format. Dynamic dates can be used.
  If end_time is provided, start_time must be present as well.

summary_fields
  Type: Array of String. Required: No. Default: ["Event Time", "Device", "Logger", "Raw Message", "deviceVendor", "deviceProduct", "deviceVersion", "deviceEventClassId", "name"].
  The list of fields (display names, not CEF names), given as an array, used to calculate the summary when field_summary is true.

field_summary
  Type: Boolean. Required: No. Default: false.
  Indicates whether to use the field summary.

local_search
  Type: Boolean. Required: No. Default: true.
  Indicates that the search is local only and does not include peers. Set to false to include peers in the search.

query
  Type: String. Required: No. Default: "" (empty string).
  The search query string used to filter/process the events.
  No control characters are allowed in the query parameter.
  The escape character for double quotes (") and backslashes (\) in the query is the backslash.
    • To include a double quote in your query, use \".
    • To include a backslash in your query, use \\.
  If your query includes aggregate operators such as sort, tail or head, refer to chart_data.

search_type
  Type: String. Required: No. Default: interactive.
  The search type. Only the default value, interactive, is supported. Interactive searches send a query to the server and return the query output.

start_time
  Type: String. Required: No. Default: 2 hours.
  A string defining the beginning date and time of the search. See date/time format for the format. Dynamic dates can be used.
  If start_time is provided, end_time must be present as well.

timeout
  Type: Number. Required: No. Default: 120000.
  The number of milliseconds to keep the search after processing has stopped.
  Note: The default timeout is only two minutes. If you need to keep the search longer, increase this number.

search_time
  Type: String. Required: No. Default: "received_time".
  Indicates which date field is used when searching for events. There are two options: "event_time" and "received_time".
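The parameter rules above (a strictly increasing positive search_session_id, start_time and end_time given together, no control characters in query, backslash escaping of quotes and backslashes, the uri_encoded flag, and the two permitted search_time values) collected into a small client, as an added example that is not part of the Logger documentation or product code. It assumes the parameters are sent as a JSON body in a POST to the Resource URL, which the page does not state; the hostname, session values and query text are constructed placeholders.

```python
# Added example, not part of the Logger documentation or product code.
# Assumes a JSON POST body (the page lists the parameters, not the wire
# format); all host, session and query values below are constructed.
import json
import re
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

# The query parameter must not contain control characters.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Default taken from the summary_fields entry in the parameter table.
DEFAULT_SUMMARY_FIELDS = ["Event Time", "Device", "Logger", "Raw Message",
                          "deviceVendor", "deviceProduct", "deviceVersion",
                          "deviceEventClassId", "name"]


def escape_query_literal(text: str) -> str:
    """Escape a literal value so it can be embedded in the query string.

    The backslash is the escape character for both '"' and '\\'. Backslashes
    are replaced first so the backslashes added for quotes are not doubled.
    """
    return text.replace("\\", "\\\\").replace('"', '\\"')


class SearchSessionIds:
    """Hands out strictly increasing positive integers for search_session_id.

    The page suggests the server time in milliseconds; this wrapper also
    covers a clock that stands still or steps backwards between two calls.
    """

    def __init__(self) -> None:
        self._last = 0

    def next_id(self) -> int:
        candidate = int(time.time() * 1000)
        if candidate <= self._last:
            candidate = self._last + 1
        self._last = candidate
        return candidate


def build_search_request(user_session_id, search_session_id, query="",
                         start_time=None, end_time=None, local_search=True,
                         field_summary=False, discover_fields=False,
                         summary_fields=None, timeout_ms=120000,
                         search_time="received_time", uri_encode=False):
    """Validate the rules from the parameter table and return the JSON body."""
    if not isinstance(search_session_id, int) or search_session_id <= 0:
        raise ValueError("search_session_id must be a positive integer")
    if _CONTROL_CHARS.search(query):
        raise ValueError("query must not contain control characters")
    if (start_time is None) != (end_time is None):
        raise ValueError("start_time and end_time must be given together")
    if search_time not in ("event_time", "received_time"):
        raise ValueError('search_time must be "event_time" or "received_time"')
    body = {
        "search_session_id": search_session_id,
        "user_session_id": user_session_id,
        "query": urllib.parse.quote(query, safe="") if uri_encode else query,
        "search_type": "interactive",  # the only supported value
        "local_search": local_search,
        "field_summary": field_summary,
        "discover_fields": discover_fields,  # ignored unless field_summary
        "timeout": timeout_ms,
        "search_time": search_time,
    }
    if uri_encode:
        body["uri_encoded"] = True
    if field_summary:
        body["summary_fields"] = summary_fields or DEFAULT_SUMMARY_FIELDS
    if start_time is not None:
        body["start_time"] = start_time
        body["end_time"] = end_time
    return body


def post_search(base_url, body, ca_file=None):
    """POST the body to <base_url>/server/search; return (status, JSON or None).

    Certificate verification stays on; pass the Logger CA bundle via ca_file.
    A 409 status means the server failed to create the search.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(base_url + "/server/search",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    ids = SearchSessionIds()
    vendor = escape_query_literal('Acme "Labs"')  # constructed literal
    req_body = build_search_request("USER-SESSION-PLACEHOLDER", ids.next_id(),
                                    query=f'deviceVendor = "{vendor}"',
                                    field_summary=True, timeout_ms=600000)
    print(json.dumps(req_body, indent=2))
    # post_search("https://logger.example.invalid:9000", req_body, ca_file="ca.pem")
```

The returned sessionId (see Response below) is what you would keep alongside your own search_session_id to identify or stop the search later; the client only builds and sends the request and leaves response handling to the caller.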

Response

This request returns the following status code or one of the status codes listed in HTTP status codes.

  Status Code: 409
  Description: Failed to create a new search.

This request returns the following values.

  Attribute: sessionId
  Description: Server session ID. In Logger, you can use this session ID to identify and stop the search on the Running Tasks page.

For information about returned error messages, see Error Messages.