Graylog 3.3.9 Search API

jgrammen_agility · December 16, 2020, 3:02pm

Hello
I am trying to use the new search api
‘/api/views/search/’
‘/api/views/search/sync’

but all my attemps are resulting in an error

{
“type”: “ApiError”,
“message”: “Cannot construct instance of org.graylog.plugins.views.search.Query$Builder, problem: Missing required properties: id\n at [Source: (org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream); line: 28, column: 13] (through reference chain: org.graylog.plugins.views.search.AutoValue_Search$Builder["queries"])”
}

I am using the following json data

{
    "queries":
    [
        {
            "filter":
            {
                "filters":
                [
                
                    {
                        "id": "5fc8f016433116429ffae32e",
                        "type": "stream"
                    }
                ],
                "type": "or"
            },
            "query":
            {
                "query_string": "log_level: \"[ERROR]\"",
                "type": "elasticsearch"
            },
            "search_types": [],
            "timerange":
            {
                "type": "relative",
                "range": 1209600
            }
        }
    ],
    "parameters": []
}

It seems that I need to call a different api endpoint and retrieve an ID first?

Or do I just use the /legacy/search/relative endpoint? which seems less than ideal considering it is a legacy endpoint

iinuwa · December 17, 2020, 6:17pm

I fiddled with this a little bit. Here’s what I found to be the minimum parameters, so far. The search_types of the inner query may be able to be trimmed down, but just specifying search_types: [{"type":"messages"}] gave me a null pointer exception in the ElasticsearchHndler.

It seems like a bug that the id is supposedly optional according to the API definition, but you have to put a non-null, non-empty string there anyway.

{
  "queries": [
    {
      "id": "?",
      "timerange": {
          "type": "relative",
          "range": 300
       },
      "query": {
        "type": "elasticsearch",
        "query_string": "some_field:value"
      },
      "search_types": [{
            "timerange": null,
            "query": null,
            "streams": [],
            "id": "?",
            "name": null,
            "limit": 150,
            "offset": 0,
            "sort": [
              {
                "field": "timestamp",
                "order": "DESC"
              }
            ],
            "decorators": [],
            "type": "messages",
            "filter": null
          }]
    }
  ]
}

jgrammen_agility · December 17, 2020, 6:49pm

I have now successfully run a query. the important bit was the advice about “id”:"?". This seems like it might be a bug.
Thank you to iinuwa for providing the trick to make it work.

jgrammen_agility · December 17, 2020, 7:02pm

iinuwa has pointed out via the graylog irc channel that this workaround using a char as the value for the id field appears to potential be related to the following bug: https://github.com/Graylog2/graylog2-server/issues/6663

system · December 31, 2020, 7:02pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
API Search Example Graylog Central (peer support)	4	10574	March 30, 2020
Search messages API in Graylog 3.3 Development	1	1575	July 27, 2020
Graylog search view configuration Graylog Central (peer support)	8	1309	February 14, 2022
/api/search/universal/absolute 500 response on providing query in params field Graylog Central (peer support)	6	4471	July 26, 2018
Graylog 3.3. API - Events overview and search Graylog Central (peer support)	1	597	October 19, 2020

Graylog 3.3.9 Search API

Related Topics