Alternative View for Sources API Endpoint after 4.0

1. Describe your incident:
We have been using the Sources API endpoint for monitoring whether a system has been sending messages to the Graylog server. Since the API endpoint has been removed in Graylog 4.0, the check naturally does not give us any data anymore.

2. Describe your environment:

  • OS Information:
    Ubuntu 20.04
  • Package Version:
    4.3.8+8c4705e
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I have tried to recreate the view that the API provided, which is somewhat difficult since I actually don’t know what that API actually displayed. From looking at the actual check on our monitoring system it seems to have been something like “Source, Number of Messages”.

I have created a saved search in the GUI that creates an aggregation grouped by source and uses the metric Count.
This correctly gives me the messages and the message count.

I can see the search in the API, but an API request only gives me the “metadata” of the search, not the actual search results.

4. How can the community help?

Maybe I’m also approaching this the wrong way.
In the end I basically want to get a machine-readable output which gives me all the sources and the corresponding message count during the last x timeframe, so we can monitor whether a source regularly sends logs.

Does anybody already have a replacement Workflow for the Sources API endpoint and is willing to share it?

Or can anybody explain to me how I can get the data I want?

RTFM would be fine as long as someone can point me to the right manual page, which I seem to not be able to find myself.


For very important logs I create an alert for each source. If the number of logs is below one for a certain timeframe, the alert triggers and includes the system it is monitoring.
For less important logs I check the cardinality of sources on the stream. If one is missing I’ll get an alert and do a manual investigation into which one is missing.
This is no machine-readable API though. :-/
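The following is an added example, written for this page; it is not code from the original post, from the person who replied, or from the Graylog project. It covers both the question (a machine-readable "source, number of messages" listing for the last x minutes) and the reply's "fewer than one message per source" alert, evaluated client-side. It assumes the Graylog 4 Views search API: POST `/api/views/search/sync` with a `pivot` search type grouped by the `source` field and a `count()` series, and a result layout of one row per source plus an empty-key total row. The endpoint path, the payload fields and the response shape are assumptions based on that API and should be checked against your own server's API browser; the sample response at the bottom is constructed for offline use.

```python
"""Replacement for the removed Graylog Sources endpoint (added example).

Builds a Views-API pivot search (message count grouped by `source` over the
last N minutes), parses the result into {source: count}, and flags expected
sources that sent nothing. The endpoint path, request payload and response
layout are ASSUMPTIONS about the Graylog 4 Views search API, not taken from
the forum thread; verify them against your server's API browser.
"""
import base64
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

QUERY_ID = "q-sources"   # arbitrary client-chosen ids, echoed back in the result
PIVOT_ID = "p-sources"


def build_pivot_request(minutes: int, stream_id: Optional[str] = None,
                        limit: int = 500) -> dict:
    """Pivot search: rows grouped by `source`, one series `count()`.

    `timerange.range` is in seconds for a relative timerange. `limit` caps the
    number of distinct sources returned; raise it if you have more hosts.
    """
    query = {
        "id": QUERY_ID,
        "query": {"type": "elasticsearch", "query_string": "*"},
        "timerange": {"type": "relative", "range": minutes * 60},
        "search_types": [{
            "id": PIVOT_ID,
            "type": "pivot",
            "rollup": True,
            "row_groups": [{"type": "values", "field": "source", "limit": limit}],
            "column_groups": [],
            "series": [{"type": "count", "id": "count()"}],
            "sort": [],
        }],
    }
    if stream_id:
        # Restrict the search to one stream (the stream the old check watched).
        query["filter"] = {"type": "or",
                           "filters": [{"type": "stream", "id": stream_id}]}
    return {"queries": [query]}


def parse_source_counts(response: dict) -> Dict[str, int]:
    """Turn pivot rows into {source: count}.

    Leaf rows carry one key (the source value); the rollup/total row has an
    empty key and is skipped (assumed layout, see module docstring).
    """
    rows = response["results"][QUERY_ID]["search_types"][PIVOT_ID]["rows"]
    counts: Dict[str, int] = {}
    for row in rows:
        if not row.get("key"):          # total row, not a source
            continue
        source = row["key"][0]
        for cell in row["values"]:
            if cell["key"] == ["count()"]:
                counts[source] = int(cell["value"])
    return counts


def silent_sources(expected: Iterable[str], counts: Dict[str, int],
                   minimum: int = 1) -> List[str]:
    """Expected sources whose count is below `minimum`: the reply's
    'fewer than one message in the timeframe' condition, checked client-side."""
    return sorted(s for s in expected if counts.get(s, 0) < minimum)


def fetch_source_counts(base_url: str, token: str, minutes: int,
                        stream_id: Optional[str] = None) -> Dict[str, int]:
    """Run the search against a live server (network call, not exercised offline).

    Graylog API tokens are sent as HTTP Basic auth with the token as the
    username and the literal password 'token'; non-GET requests also need
    an X-Requested-By header.
    """
    body = json.dumps(build_pivot_request(minutes, stream_id)).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/views/search/sync",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("X-Requested-By", "source-monitor")
    cred = base64.b64encode(f"{token}:token".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_source_counts(json.load(resp))


# Constructed sample response in the assumed result layout, for offline use.
SAMPLE_RESPONSE = {
    "results": {QUERY_ID: {"search_types": {PIVOT_ID: {"rows": [
        {"key": ["web01"], "source": "leaf",
         "values": [{"key": ["count()"], "value": 1532, "rollup": True, "source": "row-leaf"}]},
        {"key": ["db01"], "source": "leaf",
         "values": [{"key": ["count()"], "value": 87, "rollup": True, "source": "row-leaf"}]},
        {"key": [], "source": "non-leaf",
         "values": [{"key": ["count()"], "value": 1619, "rollup": True, "source": "row-inner"}]},
    ]}}}}
}

if __name__ == "__main__":
    counts = parse_source_counts(SAMPLE_RESPONSE)
    print(json.dumps(counts))                                  # machine-readable output
    print("silent:", silent_sources(["web01", "db01", "fw01"], counts))
```

Run it from the monitoring host with a Graylog API token and the stream id of the stream the old Sources check watched; the JSON it prints can be fed to the monitoring system directly, and `silent_sources` gives the list of expected hosts that fell below the threshold in the window. If the field names in the response differ on your version, `parse_source_counts` is the only function that needs adjusting.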

