I have some python code that uses the Graylog API to find a message count for every IP (field gl2_remote_ip).
I was using /api/search/universal/absolute/terms but that doesn’t seem to work after upgrading to Graylog 3.3. I found in the documentation a note that says this API has been deprecated and to use “views” instead.
I’ve struggled to find any information on using the views API to achieve the same result.
Does anyone have insight on how to get an aggregate message count per gl2_remote_ip via API in Graylog 3.3+?
Thank you for your reply. I did look at the API browser but the overall process is what confuses me.
It appears I’m supposed to create a view in the UI, then get some kind of ID that references the view, then use that ID in the API to get data from the view. I wasn’t able to create anything in the UI that ended up providing a usable ID in the API.
However I was able to solve my original issue, so for anyone who lands here from Google…
The deprecated API /api/search/universal/absolute/terms still works, but differently. My code was setting API parameters size, from, to, and field. Because I wanted to aggregate all messages in the time range, I let parameter query be an empty string, which causes an error in the newer version. Because I am aggregating on the field gl2_remote_ip, I set the query to be “_exists_:gl2_remote_ip” and the API is happy with that.
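The workaround above written out as a small Python client (an added example, not the poster's own code): it substitutes `_exists_:<field>` whenever the query is empty, then reduces the response to per-IP counts. It assumes Graylog access-token authentication (token as the username, the literal `token` as the password), ISO-8601 UTC timestamps for `from`/`to`, and a response body shaped like `{"terms": {"10.0.0.5": 42, ...}, "missing": 0, ...}`; the sample payload in the test is constructed.

```python
"""Per-IP message counts through Graylog's (deprecated but still working) terms endpoint."""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Dict, Optional

TERMS_PATH = "/api/search/universal/absolute/terms"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.000Z"  # assumption: absolute searches take ISO-8601 UTC timestamps


def build_terms_params(field: str, start: datetime, end: datetime,
                       size: int = 50, query: Optional[str] = None) -> Dict[str, str]:
    """Assemble the query string. An empty 'query' is rejected by Graylog 3.3,
    so fall back to matching every message that carries the aggregated field."""
    if not query or not query.strip():
        query = f"_exists_:{field}"
    return {
        "query": query,
        "field": field,
        "from": start.strftime(TS_FORMAT),
        "to": end.strftime(TS_FORMAT),
        "size": str(size),
    }


def counts_from_terms_response(payload: dict) -> Dict[str, int]:
    """Reduce the response body to {term: count}, highest count first.
    Assumed response shape: {"terms": {"10.0.0.5": 42, ...}, "missing": 0, ...}."""
    terms = payload.get("terms", {})
    return dict(sorted(terms.items(), key=lambda kv: kv[1], reverse=True))


def fetch_ip_counts(base_url: str, api_token: str, start: datetime, end: datetime,
                    field: str = "gl2_remote_ip", size: int = 50) -> Dict[str, int]:
    """GET the terms endpoint using a Graylog access token (token as user, 'token' as password)."""
    params = build_terms_params(field, start, end, size)
    url = base_url.rstrip("/") + TERMS_PATH + "?" + urllib.parse.urlencode(params)
    creds = base64.b64encode(f"{api_token}:token".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {creds}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return counts_from_terms_response(json.load(resp))
```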