Try to use this curl command:
curl -u admin:password -H 'X-Requested-By: cli' "http://GRAYLOG_IP_OR_HOSTNAME/api/search/universal/relative?query=*&range=3600&limit=100&sort=timestamp:desc&pretty=true" -H "Accept: application/json" -H "Content-Type: application/json"
Where:
query=* - replace * with your desired string
range=3600 - replace 3600 with time range (in seconds)
limit=100 - replace 100 with number of returned results
sort=timestamp:desc - replace timestamp:desc with field you want to sort