Query Multiple Logs

Hi Team,

I'm using the below API to get Audit events.

POST -> https://us.rest.logs.insight.rapid7.com/query/logs

Payload:

{
  "logs": [
    "deed3b3c-8647-4974-86ed-dffa758dc478",
    "d49da53f-0802-4155-a29a-c28b6f00fae7",
    "4b7c4edf-06e8-4e4f-a261-a91b2f787305"
  ],
  "leql": {
    "during": {
      "time_range": "last 5 days"
    },
    "statement": "where((\"action\" = ACCOUNT_CREATED) AND target_user_domain=\"onedev.com\" AND target_user=\"fs.press\")"
  }
}

But this does not return me any events. Every time I need to hit the href to see the status of progress, and only when progress is 100 can I see events, and that too only for a few seconds.

But as per the document "SIEM | © Rapid7", we see it should return the events from the first call itself.

Any help here is much appreciated.

This is expected behavior: you start a query, and if it has a href to continue or progress is <100, then you must poll the query every <20 seconds to keep the query alive.

1 Like
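The polling loop the answer above describes, written out as an added example (this is not Rapid7's own client code and not code from either poster). It assumes the query endpoint answers with a JSON body carrying a "progress" number and a "links" list whose entries have "rel" and "href" keys; the FakeTransport class is a constructed stand-in for an HTTP client so the example runs offline, and the query id in its href is a placeholder. It also builds the request body with json.dumps so the quotes inside the LEQL statement are escaped correctly, which the hand-written payload in the question got wrong.

```python
"""Added example: start a Log Search query, follow the continuation href and
keep polling (well under the 20 s limit) until progress reaches 100."""
import json
import time
from typing import Any, Callable, Dict, List, Optional

LOG_SEARCH_URL = "https://us.rest.logs.insight.rapid7.com/query/logs"

# Constructed sample events, shaped loosely like audit events (assumption).
SAMPLE_EVENTS = [
    {"timestamp": 1700000000000,
     "message": json.dumps({"action": "ACCOUNT_CREATED",
                            "target_user_domain": "onedev.com",
                            "target_user": "fs.press"})},
    {"timestamp": 1700000060000,
     "message": json.dumps({"action": "ACCOUNT_CREATED",
                            "target_user_domain": "onedev.com",
                            "target_user": "fs.press"})},
]


def build_payload(log_ids: List[str], statement: str,
                  time_range: str = "last 5 days") -> Dict[str, Any]:
    """Request body for POST /query/logs. The statement is kept as a Python
    string; serialize() escapes its inner quotes for the JSON body."""
    return {
        "logs": list(log_ids),
        "leql": {"during": {"time_range": time_range}, "statement": statement},
    }


def serialize(payload: Dict[str, Any]) -> str:
    """json.dumps produces valid JSON even when the LEQL statement contains
    double quotes (they come out as \\")."""
    return json.dumps(payload, indent=2)


def continuation_href(body: Dict[str, Any]) -> Optional[str]:
    """Href the service asks the client to follow, or None when there is
    nothing more to fetch (assumed link shape: {"rel": ..., "href": ...})."""
    for link in body.get("links", []):
        if link.get("href"):
            return link["href"]
    return None


# transport(method, url, json_body_or_None) -> decoded JSON body
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def run_query(transport: Transport, payload: Dict[str, Any],
              poll_interval: float = 10.0, max_polls: int = 60,
              sleep: Callable[[float], None] = time.sleep) -> List[Dict[str, Any]]:
    """Submit the query, then poll the returned href until progress is 100.
    Events from every response are collected; the service only fills them
    in once the query is complete."""
    if not 0 < poll_interval < 20:
        raise ValueError("poll more often than every 20 s or the query is dropped")
    body = transport("POST", LOG_SEARCH_URL, payload)
    events: List[Dict[str, Any]] = list(body.get("events", []))
    polls = 0
    while True:
        href = continuation_href(body)
        if href is None:
            if body.get("progress", 100) >= 100:
                return events
            raise RuntimeError("progress < 100 but no href to continue on")
        if polls >= max_polls:
            raise TimeoutError("query did not complete within %d polls" % max_polls)
        polls += 1
        sleep(poll_interval)  # keep the query alive, but stay under 20 s
        body = transport("GET", href, None)
        events.extend(body.get("events", []))


class FakeTransport:
    """Constructed stand-in for an HTTP client that replays the progression
    described in the thread: accepted -> partial progress -> complete."""
    POLL_HREF = "https://us.rest.logs.insight.rapid7.com/query/EXAMPLE-QUERY-ID"  # placeholder

    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self._responses = [
            {"progress": 0, "links": [{"rel": "Self", "href": self.POLL_HREF}]},
            {"progress": 55, "links": [{"rel": "Self", "href": self.POLL_HREF}]},
            {"progress": 100, "events": SAMPLE_EVENTS},
        ]

    def __call__(self, method: str, url: str, body: Optional[Dict[str, Any]]):
        self.calls.append((method, url))
        return self._responses[len(self.calls) - 1]


if __name__ == "__main__":
    statement = ('where(("action" = ACCOUNT_CREATED) AND '
                 'target_user_domain="onedev.com" AND target_user="fs.press")')
    payload = build_payload(["deed3b3c-8647-4974-86ed-dffa758dc478"], statement)
    print(serialize(payload))
    found = run_query(FakeTransport(), payload, sleep=lambda s: None)
    print("%d events" % len(found))
```

With a real HTTP client, the transport would send the API key header and return `response.json()`; the loop logic stays the same. Injecting `sleep` lets the simulation run instantly while production code keeps the real delay.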

Do we have any other alternative option to review the events from a log, other than using the below endpoint?

POST -> https://us.rest.logs.insight.rapid7.com/query/logs

Not really; there is the Download log, it's the only other way: SIEM | © Rapid7

1 Like