JSON syntax for search log command

This search log command example uses JSON syntax, as explained in this topic.

Example query

The following example request performs a search of the logs. The request fetches one year of log data.
Lines  Request
1      {  "start": 0,  "results": 100,  "outputTimeZone": "UTC",
2        "filter": {
3          "range": {
4            "timestamp": { "from": "07/05/2014 12:02:47.000 +0530",
5              "to": "07/05/2015 12:02:47.083 +0530",
6              "dateFormat": "dd/MM/yyyy HH:mm:ss.SSS Z"
7            }   } },
8        "logsources": [
9          { "name": "<datasource1>",
10           "type": "tag"
11         }  ],
12       "query": "*", "highlight": true, "sortKey": [ "-timestamp" ],
13       "facets": { "histogram_facet": {
14           "date_histogram": { "field": "timestamp", "interval": "week",
15             "outputDateFormat": "yyyy-MM-dd'T'HH:mm:ssZ"
16           } }},
17       "allTermFacets": true, "allTermFacetsSize": 25, "genericConcepts": 100, "genericKeys": 100,
18       "locale": {"language": "en", "country": "US", "variant": ""
19       }}

JSON fields

This table describes the JSON fields used in the sample query. You can modify these fields to customize the query for your use.
Lines    Parameter                       Description
1        start                           Index of the log record from which to initiate the search.
1        results                         Number of records to fetch in a single search.
2 to 7   filter:range:timestamp:from     Example of a filter using timestamp data, where the timestamp:from parameter indicates the start date and time for the filter.
2 to 7   filter:range:timestamp:to       Example of a filter using timestamp data, where the timestamp:to parameter indicates the end date and time for the filter.
8 to 11  logsources                      An array containing details of the data source that contains the log. In this array you can opt to fetch log data from one data source or from more than one data source, as described in logsources parameter.
12       query                           Query formulated using Solr query syntax. By default this query is *:*.

logsources parameter

You can customize the logsources parameter by specifying multiple data source entries. Each entry is specified as key:value pairs, as shown in the following syntax snippet:
   "logsources": [
     {"name": "datasource1", "type": "tag"},
     {"name": "datasource2", "type": "tag"},
     {"name": "datasource3", "type": "tag"}
   ],
For example, the following code snippet fetches data from two log data sources: /was_app/sysout and /was_app/error:
   "logsources": [
     {"name": "/was_app/sysout", "type": "tag"},
     {"name": "/was_app/error", "type": "tag"}
   ],
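The following Python script is an added example, not code from the product documentation. It assembles a request body with the field names used in the sample query and the logsources section above, and it checks the from/to timestamps against the request's own dateFormat before anything is serialized, so a filter string that does not match the pattern fails locally rather than being sent. It assumes that dateFormat uses Java SimpleDateFormat letters (as the sample values suggest) and maps only the tokens that appear on this page; the search endpoint and the HTTP call are not covered here. The data source names and the one-year window are taken from the page.

```python
"""Added example: build and validate a search-log request body of the shape
shown on this page. Field names come from the page; the endpoint and the way
the body is posted are not covered."""
import json
import re
from datetime import datetime

# Assumption: dateFormat uses Java SimpleDateFormat letters. Only the tokens
# that occur in the page's two patterns are mapped.
_JAVA_TO_STRPTIME = {
    "yyyy": "%Y", "SSS": "%f", "dd": "%d", "MM": "%m",
    "HH": "%H", "mm": "%M", "ss": "%S", "Z": "%z",
}
# Longest tokens first; one regex pass means a substituted token is never
# re-matched by a shorter one.
_TOKEN_RE = re.compile("|".join(sorted(_JAVA_TO_STRPTIME, key=len, reverse=True)))


def java_pattern_to_strptime(pattern):
    """Translate a Java-style date pattern into a strptime format string."""
    return _TOKEN_RE.sub(lambda m: _JAVA_TO_STRPTIME[m.group()], pattern)


def parse_timestamp(value, date_format):
    """Parse a filter timestamp strictly against the request's own dateFormat.
    Raises ValueError when the string and the pattern disagree (including
    trailing text that the pattern does not account for)."""
    return datetime.strptime(value, java_pattern_to_strptime(date_format))


def build_logsources(names, source_type="tag"):
    """One {"name", "type"} entry per data source, as in the logsources section."""
    return [{"name": name, "type": source_type} for name in names]


def build_search_request(ts_from, ts_to, logsource_names, query="*",
                         start=0, results=100,
                         date_format="dd/MM/yyyy HH:mm:ss.SSS Z"):
    """Assemble the request body. from/to are validated and ordered before the
    body is built, so a malformed filter cannot turn into an unbounded or
    empty search on the server side."""
    begin = parse_timestamp(ts_from, date_format)
    end = parse_timestamp(ts_to, date_format)
    if end <= begin:
        raise ValueError("timestamp 'to' must be later than 'from'")
    if start < 0 or results < 1:
        raise ValueError("start must be >= 0 and results >= 1")
    return {
        "start": start,
        "results": results,
        "outputTimeZone": "UTC",
        "filter": {"range": {"timestamp": {
            "from": ts_from, "to": ts_to, "dateFormat": date_format}}},
        "logsources": build_logsources(logsource_names),
        # The Solr query string is emitted by json.dumps, which escapes quotes
        # and backslashes; never splice it into a JSON text by hand.
        "query": query,
        "highlight": True,
        "sortKey": ["-timestamp"],
    }


def serialize_request(body):
    """JSON text ready to send; json.dumps handles all quoting."""
    return json.dumps(body, indent=2)


def filter_span_days(body):
    """Length of the timestamp filter in whole days, read back from the body."""
    ts = body["filter"]["range"]["timestamp"]
    return (parse_timestamp(ts["to"], ts["dateFormat"])
            - parse_timestamp(ts["from"], ts["dateFormat"])).days


if __name__ == "__main__":
    # Constructed input: the page's one-year window and its two WAS sources.
    body = build_search_request(
        "07/05/2014 12:02:47.000 +0530", "07/05/2015 12:02:47.083 +0530",
        ["/was_app/sysout", "/was_app/error"])
    print(serialize_request(body))
    print("filter covers", filter_span_days(body), "days")
```

Because strptime consumes the whole string, a value such as the page's timestamps with extra text appended after the zone offset is rejected here, whereas a lenient server-side parser might silently accept it; validating at the client keeps the sent filter unambiguous.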