Export Api Not working

Graylog Central (peer support)
1

I am currently in the process of integrating Graylog APIs into our system, and while I have successfully received data in JSON format through the API, we are encountering difficulties with the export API.

We have integrated these API endpoints :

  • /search/universal/absolute/

  • /search/universal/relative/

Facing issues with the export resource APIs:

  • /search/universal/absolute/export

  • /search/universal/relative/export

Our secondary concern lies in the discrepancy between the results obtained through the API and those visible on the Graylog dashboard. The same query and timestamp yield different results, with the API returning comparatively fewer records than what is displayed on the Graylog dashboard.

We have thoroughly reviewed the documentation and implemented the API according to the specified guidelines. However, we are unable to pinpoint the issue causing this disparity. Your expertise and guidance in resolving this matter would be greatly appreciated.

Additionally, we would like to explore the following questions:

  1. Potential reasons for the variance in results between the API and the Graylog dashboard for the same query and timestamp?
  2. Are there any specific considerations or settings we may have overlooked during the API integration that could lead to this discrepancy?
  3. Is there a recommended approach or best practice for troubleshooting such inconsistencies between API results and the dashboard?
  4. Possible reasons why export API is not working while the same fetches data in json format?

Server is running CentOs.

2

What exactly are the issues you are having with the export APIs?

Regarding the discrepancies: Have you checked which requests are being emitted by the UI (browser devtools)? Are these actually identical to your API calls?

3

Screenshot 2023-12-28 at 11.43.39 AM(1)
Screenshot 2023-12-28 at 11.43.39 AM(1)1780×1518 356 KB

Here i have used the same query and timestamp , but export api is not returning a csv file. This same issue is present with the relative api as well.

As for the discrepancy with the data in normal api calls i have experienced issues where data of around 8-9 hours was missing while using the absolute api.

4

That is puzzling. What does GET /search/universal/absolute with content type text/csv return? Your screenshot shows the GET request with JSON result.

Are you able to successfully export from the search UI?

5

yeah sorry for the messed up screenshot as it was not letting me upload 2 files.
Yeah from dashboard i am able to fetch the results and export to csv.

With the other api where the content type is text/csv , im getting no content as well. attaching ss

Screenshot 2023-12-28 at 2.51.03 PM
Screenshot 2023-12-28 at 2.51.03 PM1328×1518 267 KB

6

I have no explanation yet. Can you enable debug logging and paste the log messages generated by the CSV Get request? Maybe that’ll provide a clue.

7

can you guide me around how to do that ?Thanks.

8

Turns out we completely refactored this bit of code for version 5.1. Which version of GL are you running?

Consider using the new export API views/export instead of legacy/search/absolute. As the name says, it is a legacy API that might be deprecated eventually.

On a side note: you can easily toggle log levels under the System/Logging menu item.

9

Currently we are using 4.xx version , would upgrade and try the other views as you mentioned. Thanks. Would update here once tested.

10

hi can you tell me instead of using legacy/search/absolute and legacy/search/relative, Which other api i can use to fetch log data as json ? as in current 4.xx one i can not see any other apis which facilitate this requirement.

11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.