Explore logs Query API

Run Explore logs queries with an HTTP API.

Follow redirects

Make sure to follow redirects when using this API.
For example, use the -L option with curl.

GET https://logs.betterstack.com/api/v2/query/explore-logs

Query parameters

source_ids (string, required)
Numeric value; comma-separated list of sources you want to query.

query (string, required)
Filter logs with a SQL query. Use the same Log SQL you would in Explore logs. Read more about [Explore logs with SQL](/docs/logs/using-logtail/explore-logs/).

from (string, optional)
Start of time range for the SQL query (ISO8601-formatted string: 2022-07-19T13:32:56+0000). Default: 30 minutes before `to`. If `to` is not specified then 30 minutes ago.

to (string, optional)
End of time range for the SQL query (ISO8601-formatted string: 2022-07-19T13:32:56+0000). Default: 30 minutes after `from`. If `from` is not specified then current time.

Headers

Authorization (string, required)
Bearer `$TOKEN`

200

Response body

{"time":"2024-07-01 05:50:00","message":"Hello, world!"}
{"time":"2024-06-30 00:00:00","message":"Hello, you!"}
{"time":"2024-06-30 00:00:00","message":"Hello, me!"}

Example cURL

curl -L --request GET \
  --header "Authorization: Bearer $TOKEN" \
  --data-urlencode "source_ids=$SOURCE_ID" \
  --data-urlencode "query=SELECT {{time}} as time, JSONExtract(json, 'level', 'Nullable(String)') AS level FROM {{source}} WHERE time BETWEEN {{start_time}} AND {{end_time}}" \
  https://logs.betterstack.com/api/v2/query/explore-logs

Adjusting the response format

By default, rows are returned in the ClickHouse JSONEachRow format. You can change this by adding a FORMAT clause to your query.

See the ClickHouse documentation for more information.
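
The same request from Python, as an added example that is not part of the original documentation: it sends the documented parameters, follows redirects as required above, and parses the default JSONEachRow response. The function and class names are hypothetical; it assumes no FORMAT clause in the query, and it drops the bearer token if a redirect leaves the original scheme, host or port, since urllib otherwise copies request headers onto the redirected request.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://logs.betterstack.com/api/v2/query/explore-logs"

class SameOriginAuthRedirect(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but drop the bearer token if the origin changes (assumed policy)."""
    @staticmethod
    def _origin(url):
        u = urllib.parse.urlsplit(url)
        return (u.scheme, u.hostname, u.port)

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and self._origin(newurl) != self._origin(req.full_url):
            new.remove_header("Authorization")
        return new

def build_request(token, source_ids, query, start=None, end=None):
    """GET request with the documented query parameters; from/to are optional."""
    params = {"source_ids": ",".join(str(s) for s in source_ids), "query": query}
    if start:
        params["from"] = start
    if end:
        params["to"] = end
    url = API_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def parse_json_each_row(body):
    """Parse a JSONEachRow response: one JSON object per line, blank lines skipped."""
    rows = []
    for lineno, line in enumerate(body.splitlines(), 1):
        if not line.strip():
            continue
        row = json.loads(line)
        if not isinstance(row, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        rows.append(row)
    return rows

def run_query(token, source_ids, query, start=None, end=None, timeout=30):
    """Send the query and return the parsed rows (needs network access and a real token)."""
    req = build_request(token, source_ids, query, start, end)
    opener = urllib.request.build_opener(SameOriginAuthRedirect)
    with opener.open(req, timeout=timeout) as resp:
        return parse_json_each_row(resp.read().decode("utf-8"))
```

Read the token from the environment or a secret store rather than hard-coding it, and pass `source_ids` as a list of numeric source IDs.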