Search
The Search APIs help you search through the log data collected in EventLog Analyzer. Search queries can be formed using the Metadata APIs.
End Points
Synchronous Search
The synchronous Search API allows you to perform real-time searches against EventLog Analyzer. You can create a search request using a set of relevant metadata (log sources, log types, and log fields).
The server executes the request and responds with the results directly. If more results are available, the server returns a cursor. You can continue requesting subsequent result sets using the cursor until all search hits are consumed and no further cursor is returned.
OAuth Scope : search.READ
Arguments
query
string
(Required)
The search query, which can be formed using the log fields API.
⚠️ Note: This parameter should not be included if the cursor parameter is used.
⚠️ Note: This parameter should not be included if the cursor parameter is used.
start_time
string
(Required)
Start time for the search range, in ISO 8601 date-time format.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
end_time
string
(Required)
End time for the search range, in ISO 8601 date-time format.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
log_source_ids
array
List of host IDs to search. Can be obtained via the log sources API.
Maximum: 100 host IDs
Maximum: 100 host IDs
log_types
array
List of log types to search. Can be obtained via the log formats API.
Maximum: 100 log types
Maximum: 100 log types
log_source_group_ids
array
List of device group IDs to search. Can be obtained via the log sources API.
Maximum: 100 group IDs
Maximum: 100 group IDs
cursor
string
Cursor value received from the previous request.
⚠️ Note: The cursor remains valid for 5 minutes if unused.
⚠️ Note: The cursor remains valid for 5 minutes if unused.
response_type
string
Specifies whether the response should be based on the client or server.
Default value: server
Accepted values: client, server
Default value: server
Accepted values: client, server
parameters_data='{"field1":"value1","field2":"value2"}';
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
response = invokeUrl
[
url: "http://localhost:8400/api/v2/search"
type: POST
headers: headers_data
content-type: application/json
parameters: parameters_data
connection: <connection_name>
];
info response;
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
.url("http://localhost:8400/api/v2/search")
.post(body)
.addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
.addHeader("content-type", "application/json")
.build();
Response response = client.newCall(request).execute();
const options = {
method: 'POST',
headers: {
Authorization: 'Bearer REPLACE_BEARER_TOKEN',
'content-type': 'application/json'
},
body: '{"field1":"value1","field2":"value2"}'
};
fetch('http://localhost:8400/api/v2/search', options)
.then(response => response.json())
.then(response => console.log(response))
.catch(err => console.error(err));
import http.client
conn = http.client.HTTPConnection("localhost:8400")
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
'Authorization': "Bearer REPLACE_BEARER_TOKEN",
'content-type': "application/json"
}
conn.request("POST", "/api/v2/search", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
const http = require("http");
const options = {
"method": "POST",
"hostname": "localhost",
"port": "8400",
"path": "/api/v2/search",
"headers": {
"Authorization": "Bearer REPLACE_BEARER_TOKEN",
"content-type": "application/json"
}
};
const req = http.request(options, function (res) {
const chunks = [];
res.on("data", function (chunk) {
chunks.push(chunk);
});
res.on("end", function () {
const body = Buffer.concat(chunks);
console.log(body.toString());
});
});
req.write(JSON.stringify({field1: 'value1', field2: 'value2'}));
req.end();
curl --request POST \
--url http://localhost:8400/api/v2/search \
--header 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
--header 'content-type: application/json' \
--data '{"field1":"value1","field2":"value2"}'
{
"query": " ( ( severity = \"success\" AND type = \"Security\" ) )",
"start_time": "2025-03-27T14:30:00Z",
"end_time": "2025-03-28T14:30:00Z",
"log_source_ids": [
30000000251315,
6000000286357
],
"log_types": [
"Windows",
"Unix"
],
"log_source_group_ids": [
3000000012292,
6000000013071
],
"cursor": "DnF1ZXJ5VGhlbkZldGNoAgAAAAAAAAAVFnRhaFduNnItUzJTaVlsMHpZd3BhZlEAAAAAAAAAFhZ0YWhXbjZyLVMyU2lZbDB6WXdwYWZR",
"response_type": "client"
}
{
"data": {
"hits": [
{
"Type": "System",
"Device": "pooja-17763",
"OS Category": "WKS",
"LogType": "Windows",
"DisplayName": "pooja-17763",
"Severity": "warning",
"Time": "1747735585000",
"Event ID": "8019",
"UUID": "logs_ela_1747679400_1747679400###AZbtKkPRWTroqF6w8kNU",
"Source": "Microsoft-Windows-DNS-Client"
}
]
},
"meta": {
"cursor": "DnF1ZXJ5VGhlbkZldGNoAgAAAAAAAAAVFnRhaFduNnItUzJTaVlsMHpZd3BhZlEAAAAAAAAAFhZ0YWhXbjZyLVMyU2lZbDB6WXdwYWZR",
"total_items": 6098,
"items_in_current_page": 1000
}
}
{
"error": {
"code": "07001113",
"detail": "REQUIRED PARAMS ARE MISSING"
}
}
{
"code": "070011101",
"title": "Unauthorized",
"detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired."
}
Asynchronous Search
The Asynchronous Search API allows you to run search requests in the background. You can track progress and retrieve results as they become available.
To start, send a search request with the required metadata (log sources, log types, and fields) along with asynchronous parameters. The server responds with a request ID and processes the search in a background thread
You can:
1.Check the search status using the jobs endpoint.
2.Retrieve results with the jobs/results endpoint once the search is complete.
3.Use the jobs.READ scope to access status and results.
⚠️ Note: Search results remain available in EventLog Analyzer for 24 hours before automatic deletion.
OAuth Scope : search.READ
Arguments
query
string
(Required)
The search query, which can be formed using the log fields API.
⚠️ Note: This parameter should not be included if the cursor parameter is used.
⚠️ Note: This parameter should not be included if the cursor parameter is used.
start_time
string
(Required)
Start time for the search range, in ISO 8601 date-time format.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
end_time
string
(Required)
End time for the search range, in ISO 8601 date-time format.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.
log_source_ids
array
List of host IDs to search. Can be obtained via the log sources API.
Maximum: 100 host IDs
Maximum: 100 host IDs
log_types
array
List of log types to search. Can be obtained via the log formats API.
Maximum: 100 log types
Maximum: 100 log types
log_source_group_ids
array
List of device group IDs to search. Can be obtained via the log sources API.
Maximum: 100 group IDs
Maximum: 100 group IDs
parameters_data='{"field1":"value1","field2":"value2"}';
headers_data = Map();
headers_data.put("Authorization", "Bearer REPLACE_BEARER_TOKEN");
response = invokeUrl
[
url: "http://localhost:8400/api/v2/search/async"
type: POST
headers: headers_data
content-type: application/json
parameters: parameters_data
connection: <connection_name>
];
info response;
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/json");
RequestBody body = RequestBody.create(mediaType, "{\"field1\":\"value1\",\"field2\":\"value2\"}");
Request request = new Request.Builder()
.url("http://localhost:8400/api/v2/search/async")
.post(body)
.addHeader("Authorization", "Bearer REPLACE_BEARER_TOKEN")
.addHeader("content-type", "application/json")
.build();
Response response = client.newCall(request).execute();
const options = {
method: 'POST',
headers: {
Authorization: 'Bearer REPLACE_BEARER_TOKEN',
'content-type': 'application/json'
},
body: '{"field1":"value1","field2":"value2"}'
};
fetch('http://localhost:8400/api/v2/search/async', options)
.then(response => response.json())
.then(response => console.log(response))
.catch(err => console.error(err));
import http.client
conn = http.client.HTTPConnection("localhost:8400")
payload = "{\"field1\":\"value1\",\"field2\":\"value2\"}"
headers = {
'Authorization': "Bearer REPLACE_BEARER_TOKEN",
'content-type': "application/json"
}
conn.request("POST", "/api/v2/search/async", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
const http = require("http");
const options = {
"method": "POST",
"hostname": "localhost",
"port": "8400",
"path": "/api/v2/search/async",
"headers": {
"Authorization": "Bearer REPLACE_BEARER_TOKEN",
"content-type": "application/json"
}
};
const req = http.request(options, function (res) {
const chunks = [];
res.on("data", function (chunk) {
chunks.push(chunk);
});
res.on("end", function () {
const body = Buffer.concat(chunks);
console.log(body.toString());
});
});
req.write(JSON.stringify({field1: 'value1', field2: 'value2'}));
req.end();
curl --request POST \
--url http://localhost:8400/api/v2/search/async \
--header 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
--header 'content-type: application/json' \
--data '{"field1":"value1","field2":"value2"}'
{
"query": " ( ( severity = \"success\" AND type = \"Security\" ) )",
"start_time": "2025-03-27T14:30:00Z",
"end_time": "2025-03-28T14:30:00Z",
"log_source_ids": [
30000000251315,
6000000286357
],
"log_types": [
"Windows",
"Unix"
],
"log_source_group_ids": [
3000000012292,
6000000013071
]
}
{
"data": {
"message": "Request submitted",
"request_id": "AZZdDPgmgJ1NHmsO6_PZ"
}
}
{
"code": "070011101",
"title": "Unauthorized",
"detail": "Invalid or missing AuthToken. Check whether the AuthToken is not revoked or expired."
}
{
"error": {
"code": "07001113",
"detail": "REQUIRED PARAMS ARE MISSING"
}
}