Query HTTP API
REST endpoints for query execution, catalog listing, and Grafana compatibility
The query service exposes an HTTP API on port 9510 (configurable via QUERY_BIND).
Execute Query
Execute a KQL query and return results as JSON tables.
| Endpoint | POST /query |
| Content-Type | application/json |
Request
| Field | Type | Required | Description |
|---|---|---|---|
query | string | yes | KQL query to execute |
since | string | no | Start of time range (alias: from). ISO 8601 or relative expression like 1h |
until | string | no | End of time range (alias: to). ISO 8601 or relative expression |
timezone | string | no | Timezone for relative expressions (default: UTC) |
curl -X POST http://localhost:9510/query \
-H 'Content-Type: application/json' \
-d '{
"query": "my_table | take 10",
"since": "1h"
}'Response
{
"Tables": [
{
"name": "PrimaryResult",
"columns": [
{ "column_name": "timestamp", "column_type": "datetime" },
{ "column_name": "message", "column_type": "string" }
],
"rows": [
["2026-03-12T10:00:00Z", "hello world"]
]
},
{
"name": "@Warnings",
"columns": [...],
"rows": []
}
]
}The response always includes:
- PrimaryResult — the query result table
- @Warnings — execution warnings (empty if none)
- @ExtendedProperties — visualization metadata (only present when the query uses
render)
Query Plan
Return the logical plan for a query without executing it (s-expression format).
| Endpoint | POST /plan |
| Content-Type | application/json |
Request
Same request body as /query.
curl -X POST http://localhost:9510/plan \
-H 'Content-Type: application/json' \
-d '{"query": "my_table | count"}'Response
{
"plan_sexp": "(count (scan \"my_table\"))"
}Catalog
List all available tables and their schemas.
| Endpoint | GET /catalog |
curl http://localhost:9510/catalogResponse
{
"tables": [
{
"name": "my_table",
"schema": [
{ "name": "timestamp", "data_type": "datetime" },
{ "name": "message", "data_type": "string" }
]
}
]
}Datasources
Paginated listing of datasources (tables with metadata).
| Endpoint | GET /v1/datasources |
Query Parameters
| Parameter | Type | Description |
|---|---|---|
limit | integer | Maximum number of items to return |
after | string | Cursor for forward pagination |
before | string | Cursor for backward pagination |
curl 'http://localhost:9510/v1/datasources?limit=10'Kusto REST Endpoint
Grafana-compatible endpoint that accepts the Kusto query format.
| Endpoint | POST /v1/rest/query |
| Content-Type | application/json |
Request
| Field | Type | Required | Description |
|---|---|---|---|
csl | string | yes | KQL query string |
curl -X POST http://localhost:9510/v1/rest/query \
-H 'Content-Type: application/json' \
-d '{"csl": "my_table | take 10"}'Response
Returns tables in Microsoft Kusto format with TableName, Columns (with ColumnName, DataType, ColumnType), and Rows.
Timeline Query
Transform a query into a timeline aggregation query that groups events by severity over time.
| Endpoint | POST /timeline-query |
| Content-Type | application/json |
Request
| Field | Type | Required | Description |
|---|---|---|---|
query | string | yes | Original KQL query to transform |
Error Handling
All endpoints return errors in RFC 7807 problem details format:
{
"type": "https://api.bzrk.dev/problems/query-error",
"message": "Unknown table 'foo'",
"code": "UnknownTable",
"error_details": {}
}| Status Code | Meaning |
|---|---|
| 200 | Success |
| 400 | Query syntax or analysis error |
| 500 | Internal server error |