Scroll API Reference
Objective
This guide provides reference information on the access log API call used to collect log and event records, and on planned configuration changes to specific parameters of that call.
Current approach
Each access log API call retrieves a set of 500 records. Currently, you must set the "scroll" parameter to true. The response contains a "scroll ID". The "scroll ID" is passed to the subsequent access log scroll call to return the next set of logs.
Enforcement timeline
API calls to query access logs will require you to set the search_after parameter to true. Both the scroll and search_after parameters are supported until August 2026. After that, you must set the search_after parameter to true to continue collecting log records.
Example API call
You must set the "search_after" parameter to true to retrieve each subsequent set of 500 records, and remove the scroll parameter if your API request currently uses it.
{
  "aggs": {},
  "end_time": "string",
  "limit": 0,
  "namespace": "string",
  "query": "string",
  "search_after": true,
  "sort": "DESCENDING",
  "start_time": "string"
}
The response returns a maximum of 500 records with two additional fields: "last_doc_id" and "last_timestamp".
{
  "aggs": {},
  "last_sort_values": {
    "last_doc_id": 17777788899,
    "last_timestamp": 63506060602
  }
}
Use the "last_doc_id" and "last_timestamp" fields in your next request to get an additional set of 500 records. Note that the "last_doc_id" parameter is a string. Repeat the request until the response returns null in the "last_sort_values" parameter.
{
  "aggs": {},
  "end_time": "string",
  "limit": 0,
  "namespace": "string",
  "query": "string",
  "search_after": true,
  "sort": "DESCENDING",
  "sort_values": {
    "last_doc_id": "17777788899",
    "last_timestamp": 63506060602
  },
  "start_time": "string"
}
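The collection loop described above, as an added example that is not part of the original reference or the vendor's code. It stops when "last_sort_values" is null and fails loudly if the cursor stops advancing, so a log collector never silently ends with partial data. Assumptions: the send callable is a hypothetical transport hook, "logs" is an assumed name for the response field holding the records, and the sample pages are constructed.

```python
import copy

# Constructed sample responses. "logs" is an assumed name for the records field.
SAMPLE_PAGES = [
    {"logs": [{"id": 1}, {"id": 2}],
     "last_sort_values": {"last_doc_id": 17777788899, "last_timestamp": 63506060602}},
    {"logs": [{"id": 3}], "last_sort_values": None},
]

def fake_send_factory(pages):
    """Constructed stand-in for the API: replays canned pages, records each request."""
    seen = []
    def send(body):
        seen.append(body)
        return pages[len(seen) - 1]
    return send, seen

def collect_access_logs(send, base_request, records_key="logs", max_pages=10_000):
    """Page with search_after until last_sort_values is null; return all records.

    send: hypothetical transport hook taking the request body (dict) and
    returning the parsed JSON response (dict), e.g. an authenticated POST.
    """
    body = copy.deepcopy(base_request)
    body.pop("scroll", None)       # drop the scroll parameter
    body.pop("sort_values", None)  # the first request carries no cursor
    body["search_after"] = True
    records, previous = [], None
    for _ in range(max_pages):
        response = send(copy.deepcopy(body))
        records.extend(response.get(records_key) or [])
        last = response.get("last_sort_values")
        if not last:               # null: every record has been returned
            return records
        cursor = {"last_doc_id": str(last["last_doc_id"]),  # sent as a string
                  "last_timestamp": last["last_timestamp"]}
        if cursor == previous:     # a repeated cursor would loop forever
            raise RuntimeError("cursor did not advance; collection is incomplete")
        body["sort_values"] = previous = cursor
    raise RuntimeError("max_pages reached before last_sort_values became null")

if __name__ == "__main__":
    send, seen = fake_send_factory(SAMPLE_PAGES)
    logs = collect_access_logs(send, {"namespace": "string", "scroll": True})
    print(len(logs), "records in", len(seen), "requests")
```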