Graylog endpoints don't work when timestamp parameters are provided

Hello there,
I’m using two RESTful API endpoints:

  • GET /search/universal/absolute

  • GET /search/universal/relative

In both API endpoints, we have parameters that we can use to specify the timerange of logs that we want to get. In the first endpoint, we have to and from, and in the second API endpoint we have the range parameter.

I’m sending the parameters in the correct format, but I get all logs back. Can someone help me with this? Or am I missing something? I’m trying to get logs for a single day. No matter what I send, I get all logs.

The data I’m sending

  • from 2023-09-15T08:39:41.553Z
  • to 2023-08-15T08:39:41.553Z
  • range 44600

What version of Graylog are you running?

Can you share your API query you are sending? You can redact any info you need but that will help. What is the range parameter? I don’t see that as a valid parameter.

This is what I’m sending

and I still get a response from outside the timerange

Same goes for the other endpoint, the range parameter doesn’t work.

Your screenshot shows from/to as 9/25 - 9/26. But in your description you stated 9/25 - 8/15, which seems to match what you are getting back. Can you double-check?

As Drew said, to properly diagnose please paste the specific queries that are being sent.

No matter what timestamp I send in the to and from parameters, the response is the same. I don’t get logs within that specific timerange. I get every log.

Please capture the request in your browser dev tools pane and paste that here. We need more data to help you.

I tried to replicate your issue but I am unable to. The response body does properly reflect the from and to query parameters.

Can you please show me the query that you’re sending? Are there any other settings that I should be familiar with? I have tried multiple times and I’ll show you again. Using Graylog 4.2. Plus attaching one more demo of the issue along with the request.

Here’s the request from dev tools

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76"
$session.Cookies.Add((New-Object System.Net.Cookie("_ga", "GA1.3.1564897771.1683887983", "/", ".wearenova.co.uk")))
$session.Cookies.Add((New-Object System.Net.Cookie("_ga_9WETL9Y6YH", "GS1.3.1695289129.6.0.1695289129.0.0.0", "/", ".wearenova.co.uk")))
# Absolute search: from/to are URL-encoded ISO 8601 timestamps in UTC
Invoke-WebRequest -UseBasicParsing -Uri "https://graylog.wearenova.co.uk/api/search/universal/absolute?query=Project%3Abitbaby&from=2023-09-26T12%3A30%3A05.123Z&to=2023-09-27T12%3A30%3A05.123Z&batch_size=500&fields=Project" `
-WebSession $session `
-Headers @{
"Accept"="text/csv"
"Accept-Encoding"="gzip, deflate, br"
"Accept-Language"="en-US,en;q=0.9"
# Basic auth credential redacted
"Authorization"="Basic <redacted>"
"Referer"="Graylog REST API browser"
"Sec-Fetch-Dest"="empty"
"Sec-Fetch-Mode"="cors"
"Sec-Fetch-Site"="same-origin"
"X-Requested-By"="Graylog API Browser"
"sec-ch-ua"="`"Chromium`";v=`"116`", `"Not)A;Brand`";v=`"24`", `"Microsoft Edge`";v=`"116`""
"sec-ch-ua-mobile"="?0"
"sec-ch-ua-platform"="`"Windows`""
}

The creation timestamp of a message is distinct from the ingestion timestamp (though you can override ingestion timestamp via extractor or pipeline rule). Search is based on ingestion time. Maybe that explains the discrepancy.

I did some further testing and tested specifically with Graylog 4.2.

With Graylog 4.2 I was able to replicate the issue as you describe it. I found a GitHub issue, "Legacy/Search/Absolute offset parameter not effect any more" (Issue #14571, Graylog2/graylog2-server), that describes the behavior.

The issue above has been fixed in Graylog 5.1: https://github.com/Graylog2/graylog2-server/blob/master/changelog/5.1.0-rc.1/pr-14575.toml

Hope that helps.

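A client-side check for the behaviour discussed in this thread, as an added example that is not part of any post and not Graylog's own code: it rejects a reversed from/to pair before the request is sent, and splits a returned CSV export into rows inside and outside the requested window, so a server that ignores the time range is noticed instead of trusted. The helper names, the `timestamp` column in the export and the sample CSV are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone
from urllib.parse import urlencode

# Timestamp layout used in the thread, e.g. 2023-09-26T12:30:05.123Z (UTC)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(value):
    """Parse a timestamp in the thread's format into an aware UTC datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_absolute_query(query, ts_from, ts_to, fields):
    """Build the path and query string, refusing a window that runs backwards."""
    if parse_ts(ts_from) >= parse_ts(ts_to):
        raise ValueError(f"'from' ({ts_from}) must be earlier than 'to' ({ts_to})")
    params = {"query": query, "from": ts_from, "to": ts_to,
              "fields": ",".join(fields)}
    return "/api/search/universal/absolute?" + urlencode(params)


def split_by_window(csv_text, ts_from, ts_to, column="timestamp"):
    """Return (inside, outside) rows of a CSV export relative to the window.

    Assumption: the export was requested with a `timestamp` field, so every
    row carries its own timestamp in TS_FORMAT.
    """
    start, end = parse_ts(ts_from), parse_ts(ts_to)
    inside, outside = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        target = inside if start <= parse_ts(row[column]) <= end else outside
        target.append(row)
    return inside, outside


# Constructed sample export: the second row lies outside the requested day.
SAMPLE_CSV = """timestamp,Project,message
2023-09-26T13:00:00.000Z,bitbaby,login ok
2023-09-10T09:15:00.000Z,bitbaby,old entry
2023-09-27T08:45:12.500Z,bitbaby,logout
"""

if __name__ == "__main__":
    window = ("2023-09-26T12:30:05.123Z", "2023-09-27T12:30:05.123Z")
    print(build_absolute_query("Project:bitbaby", *window, ["timestamp", "Project"]))
    inside, outside = split_by_window(SAMPLE_CSV, *window)
    print(f"{len(inside)} rows in window, {len(outside)} outside (server ignored range?)")
```

A non-empty `outside` list means the response cannot be trusted to honour `from`/`to`, which is the symptom reported here on Graylog 4.2.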