Request format for the Azure Monitor Logs query API

The Logs query API lets you run Kusto Query Language (KQL) queries against a Log Analytics workspace through a public REST endpoint. Retrieve or analyze log data programmatically for automation, custom reporting, or integration with other tools.

This article shows how to format GET and POST requests for the Logs query API endpoint, including direct REST examples and equivalent Azure CLI commands and Azure PowerShell cmdlets.

For the broader Azure Monitor API surface, see the Azure Monitor REST API index.

Public query endpoint format

The public Logs query API endpoint has this format:

https://api.loganalytics.azure.com/{apiVersion}/workspaces/{workspaceId}/query?[parameters]

  • apiVersion is the public query API version. Use v1.
  • workspaceId is the GUID of the Log Analytics workspace to query.
  • [parameters] are query string values such as query, timespan, and workspaces.

Query parameters

Pass these parameters in the query string for GET requests or in the JSON body for POST requests.

| Parameter | Required | Description |
|-----------|----------|-------------|
| query | Yes | The KQL query to run. |
| timespan | No | The time range for the query. Use an ISO 8601 duration (for example, PT12H for 12 hours) or a start/end pair separated by / (for example, 2024-01-01/2024-01-02). If omitted, the query runs against all available data. |
| workspaces | No | Additional workspace IDs to include in a cross-workspace query. |

GET request format

For GET requests, include request parameters in the query string. For example, to count AzureActivity events by Category over the last 12 hours, use the following request:

Use az rest to call the Logs query API directly.

subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
workspaceId="myWorkspaceId"
query="AzureActivity | summarize count() by Category"
timespan="PT12H"
logsQueryApiEndpoint="https://api.loganalytics.io"
resourceId="$logsQueryApiEndpoint/v1/workspaces/$workspaceId/query"

az account set --subscription "$subscriptionId"

az rest \
  --method get \
  --uri "$resourceId?query=$query&timespan=$timespan" \
  --resource "$logsQueryApiEndpoint"

Alternatively, Azure CLI supports this operation using the az monitor log-analytics query command. It's part of the generally available log-analytics extension, which Azure CLI installs automatically.

subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
workspaceId="myWorkspaceId"
query="AzureActivity | summarize count() by Category"
timespan="PT12H"

az account set --subscription "$subscriptionId"

az monitor log-analytics query \
  --workspace "$workspaceId" \
  --analytics-query "$query" \
  --timespan "$timespan"
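
The az rest GET sample above places $query into the URI as-is, so a query containing & or # would be read as query-string syntax rather than as KQL. The following added example (not part of the original article; the helper names, regular expressions and sample workspace GUID are assumptions made for illustration) validates workspaceId and timespan and percent-encodes both values before building the URI described under "Public query endpoint format".

```shell
# Added example, not from the original article. Helper names are hypothetical.
ENDPOINT="https://api.loganalytics.azure.com/v1"
GUID_RE='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
# Conservative subset of the two timespan forms the article lists:
# a duration (PT12H, P1D, P1DT6H) or a start/end pair (2024-01-01/2024-01-02).
DUR_RE='P([0-9]+D|([0-9]+D)?T([0-9]+[HMS]){1,3})'
DATE_RE='[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}:[0-9]{2}Z)?'
TIMESPAN_RE="($DUR_RE|$DATE_RE/$DATE_RE)"
NL='
'

# Whole-string ERE match. Values containing a newline are rejected first,
# because grep -x would otherwise accept them if any single line matched.
matches() {
  case "$2" in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$2" | grep -Eqx "$1"
}

# Percent-encode every byte outside the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~).
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' | while read -r h; do
    case "$h" in
      '') ;;
      2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
        printf "\\$(printf '%o' "0x$h")" ;;      # unreserved: emit the byte itself
      *) printf '%%%s' "$h" | tr 'a-f' 'A-F' ;;  # everything else: %XX
    esac
  done
}

# build_get_uri WORKSPACE_ID QUERY TIMESPAN -> prints the request URI, or fails.
build_get_uri() {
  matches "$GUID_RE" "$1" || { echo "workspaceId is not a GUID" >&2; return 1; }
  [ -n "$2" ] || { echo "query is required" >&2; return 1; }
  matches "$TIMESPAN_RE" "$3" || { echo "unsupported timespan" >&2; return 1; }
  printf '%s/workspaces/%s/query?query=%s&timespan=%s\n' \
    "$ENDPOINT" "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Constructed sample values.
ws="11111111-2222-3333-4444-555555555555"
build_get_uri "$ws" "AzureActivity | summarize count() by Category" "PT12H"
# A query value carrying "&workspaces=..." stays inside the query parameter:
build_get_uri "$ws" "AzureActivity | take 1&workspaces=other" "PT12H"
# Rejected: path characters in the workspace ID.
build_get_uri "../other" "AzureActivity" "PT12H" || true
```

The printed URI can be passed to az rest with --uri; the service remains the authority on which timespan values it accepts.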

POST request format

For POST requests, send request parameters in the JSON body.

  • The request body must be valid JSON.
  • Include the Content-Type: application/json header.
  • Put request values such as query, timespan, and workspaces in the JSON body.
  • If you specify timespan in both the query string and the body, the service uses the intersection of the two values.

Use az rest to call the Logs query API directly.

subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
workspaceId="myWorkspaceId"
logsQueryApiEndpoint="https://api.loganalytics.io"
resourceId="$logsQueryApiEndpoint/v1/workspaces/$workspaceId/query"
payloadFile="./query-payload.json"

az account set --subscription "$subscriptionId"

az rest \
  --method post \
  --uri "$resourceId" \
  --resource "$logsQueryApiEndpoint" \
  --headers Content-Type=application/json \
  --body @"$payloadFile"

Payload file (query-payload.json):

{
  "query": "AzureActivity | summarize count() by Category",
  "timespan": "PT12H"
}

Alternatively, use the az monitor log-analytics query command, which abstracts the HTTP request format and works for both GET and POST query scenarios. See the GET request format section for a command sample.