MoleSignal exposes a single query endpoint backed by DataFusion. You can run full SQL — including joins, CTEs, and window functions — or a PromQL subset for metrics, all against the same store.

The query endpoint

POST /api/v1/query
Authorization: Bearer <jwt>
Content-Type: application/json

Request body

| Field | Type | Required | Notes |
|---|---|---|---|
| org_id | string | | Your tenant id (from login). |
| language | string | | sql or promql. |
| statement | string | | The query text. |
| time_range | object | | { "start": <us>, "end": <us> } — microseconds since epoch. |
| stream | object | | { "name": "app", "stream_type": "logs" }. stream_type: logs/metrics/traces/enrichment. |
| limit | integer | | Row cap. |

Response

The response carries rows, columns, scanned_rows, took_ms, and cache_hit.
Send Accept: application/x-ndjson to stream results row-by-row. Streaming bypasses the query_result cache.

SQL

curl -X POST http://localhost:5080/api/v1/query \
  -H "authorization: Bearer $MS_JWT" \
  -H 'content-type: application/json' \
  -d "{\"org_id\":\"$MS_ORG\",\"language\":\"sql\",
       \"statement\":\"SELECT level, count(*) FROM app WHERE _timestamp > 0 GROUP BY level\",
       \"time_range\":{\"start\":0,\"end\":2000000000000000},
       \"stream\":{\"name\":\"app\",\"stream_type\":\"logs\"}}"

Because logs, metrics, and traces live in the same store, you can join across signals in one query — for example, join error logs to their spans on trace_id:

SELECT l.msg, t.duration_ms
FROM app AS l
JOIN spans AS t ON l.trace_id = t.trace_id
WHERE l.level = 'error'
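
The request body described above carries the statement as plain text and lists no field for bound parameters, so a client that builds SQL from user-supplied filter values has to quote them itself. The Python below is an added example, not MoleSignal code: the helper names, the stream-name allow-list, and the assumption that string literals follow standard SQL quoting (a single quote is escaped by doubling it) are mine. It also converts datetimes to the microsecond time_range the endpoint expects.

```python
import json
import re
from datetime import datetime, timezone

LANGUAGES = {"sql", "promql"}
STREAM_TYPES = {"logs", "metrics", "traces", "enrichment"}
# Assumption: conservative allow-list for stream names, not a documented rule.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_us(dt):
    """Timezone-aware datetime -> integer microseconds since the Unix epoch."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone first")
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def sql_literal(value):
    """Quote untrusted text as a SQL string literal by doubling single quotes."""
    if "\x00" in value:
        raise ValueError("NUL byte in literal")
    return "'" + value.replace("'", "''") + "'"


def build_body(org_id, language, statement, start, end, stream, stream_type):
    """Validate the enumerated fields and return the JSON request body."""
    if language not in LANGUAGES:
        raise ValueError("language must be sql or promql")
    if stream_type not in STREAM_TYPES:
        raise ValueError("unknown stream_type")
    if not IDENT.fullmatch(stream):
        raise ValueError("stream name rejected by allow-list")
    return json.dumps({
        "org_id": org_id,
        "language": language,
        "statement": statement,
        "time_range": {"start": to_us(start), "end": to_us(end)},
        "stream": {"name": stream, "stream_type": stream_type},
    })


def logs_by_level(org_id, stream, level, start, end):
    """Hypothetical caller: 'level' is untrusted text, e.g. a UI filter value."""
    if not IDENT.fullmatch(stream):  # check before it reaches the SQL text
        raise ValueError("stream name rejected by allow-list")
    statement = f"SELECT msg FROM {stream} WHERE level = {sql_literal(level)}"
    return build_body(org_id, "sql", statement, start, end, stream, "logs")
```
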

PromQL

Set language: "promql" to run a PromQL subset over metric streams. Supported today:
  • rate, increase
  • sum, avg, min, max, count — with by / without
  • histogram_quantile

{
  "org_id": "<org>",
  "language": "promql",
  "statement": "histogram_quantile(0.95, sum by (le) (rate(http_request_duration_seconds_bucket[5m])))",
  "time_range": { "start": 0, "end": 2000000000000000 }
}

PromQL coverage is a growing subset, not the full language. Check the in-repo docs/promql_subset.md for the current support matrix.

Search around an event

To pull the N events immediately before and after a given one (log context view), use POST /api/v1/query/search_around with event_timestamp_us, stream, stream_type, and optional before / after counts (default 50 each).

Caching

Queries flow through a 3-level cache — file_meta, parquet_meta, and query_result — plus a parquet disk cache enabled by default (./data/cache/parquet, 10 GB LRU). The cache_hit field in the response tells you whether the result came from cache.