Graylog 4.2 Search API and multiple streams

Description of your problem

No results returned by calling the API endpoint /api/search/universal/relative. I want to search in two streams.

/api/search/universal/relative?
from=360&rangetype=relative&sort=timestamp:desc&pretty=true&limit=500
&filter=streams%3A5f218679a45add539817c246%2C5f218612a45add539817c1cc
&query=test_client_ip%3A%28172.21.224.0%5C%2F19%29

Basically, I want to search for those two ranges in two fields on two streams. The query works if I remove one of the streams from the query:

/api/search/universal/relative?
from=360&rangetype=relative&sort=timestamp:desc&pretty=true&limit=500
&filter=streams%3A5f218679a45add539817c246
&query=test_client_ip%3A%28172.21.224.0%5C%2F19%29

Operating system information

  • Ubuntu

Package versions

  • Graylog 4.2
  • MongoDB 4.2
  • Elasticsearch 7.10.2

Can you separate streams with a comma?

/api/search/universal/relative?
from=360&rangetype=relative&sort=timestamp:desc&pretty=true&limit=500
&filter=streams%3A5f218679a45add539817c246,%2C5f218612a45add539817c1cc
&query=test_client_ip%3A%28172.21.224.0%5C%2F19%29

Totally guessing since I don’t use the API, but I saw something else in the forums about the API that listed multiple parts of the query separated by commas…

It is an encoded comma… I will give it a try with an unencoded comma.

Update: Not working unfortunately.

I’ve also tried the “new” API, which, unfortunately, only returns CSV, but it seems that the query string is a hard one:

{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "test_client_ip:172.21.192.0/19"
  },
  "timerange": {
    "type": "relative",
    "range": 86400
  },
  "chunk_size": "500",
  "streams": [
    "5f218679a45add539817c246",
    "5f218612a45add539817c1cc"
  ],
  "limit": "500",
  "fields_in_order": [
    "client_ip",
    "url"
  ]
}

I would prefer to return JSON, but as it’s also been marked as deprecated… I will do the CSV to JSON conversion in my application…

UPDATE 2: the API is returning 200, but in the Graylog server log:

Caused by: org.graylog2.indexer.ElasticsearchException: ElasticsearchException[Failed to execute Search After request]; nested: ElasticsearchException[Elasticsearch exception [type=search_phase_execution_exception, reason=all shards failed]]; nested: ElasticsearchException[Elasticsearch exception [type=token_mgr_error, reason=token_mgr_error: Lexical error at line 1, column 31.  Encountered: <EOF> after : "/16"]];

Seems to be a bug ^.^

Final body for searching in CIDR ranges with the new CSV API:

{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "test_client_ip:(172.21.192.0\\/19)"
  },
  "timerange": {
    "type": "relative",
    "range": 86400
  },
  "chunk_size": "500",
  "streams": [
    "5f218679a45add539817c246",
    "5f218612a45add539817c1cc"
  ],
  "limit": "500",
  "fields_in_order": [
    "client_ip",
    "url"
  ]
}

Here is the key: I was forced to escape the slash with a backslash (similar to what you would use in the UI) and then escape the backslash itself.

Hope it helps somebody…

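As an added example (not code from this thread or from Graylog), the helper below builds the final request body shown above in Python, validating the CIDR ranges and stream IDs before they are spliced into the Lucene query string and letting `json.dumps` produce the doubly escaped `\\/` that has to go on the wire. The endpoint path `/api/views/search/messages` named in the docstring is an assumption; the body layout and the slash escaping follow the post.

```python
"""Build a Graylog 4.2 CSV-export search body for CIDR lookups over several streams.

Assumptions (not stated in the thread): the export endpoint is
POST /api/views/search/messages with Accept: text/csv, and stream IDs are
24-character hex MongoDB ObjectIds.  The body layout follows the post above.
"""
import ipaddress
import json
import re

# Field names and stream IDs are restricted to plain identifier characters so a
# caller cannot smuggle Lucene operators or other syntax into the query.
_FIELD_RE = re.compile(r"[A-Za-z0-9_.-]+")
_STREAM_ID_RE = re.compile(r"[0-9a-f]{24}")


def cidr_query(field, cidrs):
    """Return a Lucene query string matching `field` against one or more CIDRs.

    Each CIDR is parsed with ipaddress first, so malformed input raises
    ValueError instead of reaching the search backend.  The slash is a regex
    delimiter in Lucene syntax, so it is escaped as backslash-slash, exactly as
    the Graylog UI requires.
    """
    if not _FIELD_RE.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    if not cidrs:
        raise ValueError("at least one CIDR is required")
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]  # ValueError on junk
    terms = " OR ".join(str(n).replace("/", "\\/") for n in nets)
    return f"{field}:({terms})"


def csv_export_body(field, cidrs, stream_ids, range_seconds=86400,
                    fields=("client_ip", "url"), limit=500):
    """Assemble the request body in the layout used by the thread's final post."""
    for sid in stream_ids:
        if not _STREAM_ID_RE.fullmatch(sid):
            raise ValueError(f"invalid stream id: {sid!r}")
    return {
        "query_string": {"type": "elasticsearch", "query_string": cidr_query(field, cidrs)},
        "timerange": {"type": "relative", "range": int(range_seconds)},
        "chunk_size": str(limit),
        "streams": list(stream_ids),
        "limit": str(limit),
        "fields_in_order": list(fields),
    }


def to_json(body):
    """Serialise the body; json.dumps doubles the backslash, yielding the
    backslash-backslash-slash form that must appear in the HTTP body."""
    return json.dumps(body, indent=2)
```

Calling `to_json(csv_export_body("test_client_ip", ["172.21.192.0/19"], [...]))` with the two stream IDs from the thread reproduces the final body above byte for byte in the `query_string` line.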
