Graylog4 rest api search export

After upgrading to 4.0.2 we cannot use the REST API search export:
the REST API call 'api/search/universal/keyword/export?query=%22sshd%22&keyword=%22yesterday%22&batch_size=500&fields=timestamp' gets 0 records back.

If we use the call 'api/search/universal/keyword?query="sshd"&keyword="yesterday"&batch_size=500&fields=timestamp%2Csource%2Cmessage' we see the messages, but in JSON format.

Was the export disabled in 4.0.2, or is it a bug?

Update: if we set limit=-1 then we get records, but this field is not necessary according to the documentation.

We tested the export with limit=-1 and found that the messages are not limited by the keyword.

/search/universal/(absolute|relative|keyword)/ and export were marked as deprecated in Graylog 3.3. They should still work in 4.0, but not correctly, as they are not used in the frontend anymore.

For export, use the newer API based on views:
searchId = ID of an existing Search
searchTypeId = ID of a Message Table contained in the Search
JSON request:

curl '' -H 'Accept: text/csv' -H 'Authorization: Basic BASE64' -H 'Content-Type: application/json' -H 'X-Requested-By: cli' --data-raw '{"execution_state":{"parameter_bindings":{}},"fields_in_order":["timestamp","source","message"],"limit":500}'


Search via the API is different in 4.0 and the documentation lags behind …

The "best" way currently is to use the export API:

## Search via Export API
curl -X "POST" "https://graylog/api/views/search/messages" \
     -H 'X-Requested-By: Mamamia' \
     -H 'Content-Type: application/json' \
     -H 'Accept: text/csv' \
     -u 'USER:PASSWORD' \
     -d $'{
  "streams": ["STREAM_ID"],
  "query_string": {
    "type": "elasticsearch",
    "query_string": "section:boulder"
  },
  "timerange": {
    "type": "relative",
    "range": 30000
  }
}'

You might want to adjust the streams you want/can search in and the query_string, and your Graylog URL and username/password or token.

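Putting the two replies together, here is an added example (my code, not from the original posts or from the Graylog project) that sends the CSV export request to the views export API from Python, builds the relative, absolute and keyword time ranges in the JSON shape Graylog expects, and parses the CSV it gets back. The host graylog.example.com, the USER/PASSWORD credentials, the path used in saved_search_export_url() for the searchId/searchTypeId variant, and the sample CSV response are assumptions or constructed data; the request body follows the shape shown in the curl commands above.

```python
"""Export Graylog messages as CSV through the views export API (Graylog 4.x).

Added example for this thread; not code from the original posts or from
Graylog itself. Assumptions: a Graylog server at BASE_URL (hypothetical),
and the request shape shown in the thread for POST /api/views/search/messages
(query_string, timerange, streams, fields_in_order, limit). The path built by
saved_search_export_url() is the author's assumption, not taken from the thread.
"""
import base64
import csv
import io
import json
import urllib.request

BASE_URL = "https://graylog.example.com"  # hypothetical host


# --- time ranges, in the JSON shape Graylog expects -------------------------
def relative_range(seconds):
    return {"type": "relative", "range": seconds}


def absolute_range(start_iso, end_iso):
    return {"type": "absolute", "from": start_iso, "to": end_iso}


def keyword_range(keyword):
    # e.g. "yesterday" or "last hour", the same keywords the search UI accepts
    return {"type": "keyword", "keyword": keyword}


def basic_auth_header(username, password):
    # For an access token, pass the token as username and the literal
    # string "token" as password (Graylog's token convention).
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def ad_hoc_export_url(base_url=BASE_URL):
    return base_url.rstrip("/") + "/api/views/search/messages"


def saved_search_export_url(search_id, search_type_id, base_url=BASE_URL):
    # Assumption: export of one message table of an existing search
    return (f"{base_url.rstrip('/')}/api/views/search/"
            f"{search_id}/types/{search_type_id}/messages")


def build_export_request(query, timerange, fields, streams=None, limit=500,
                         username="USER", password="PASSWORD", url=None):
    """Return (url, headers, body_bytes) for a CSV export request."""
    body = {
        "query_string": {"type": "elasticsearch", "query_string": query},
        "timerange": timerange,
        "fields_in_order": list(fields),   # column order of the CSV
        "limit": limit,
    }
    if streams:  # omit the key to search every stream the user may read
        body["streams"] = list(streams)
    headers = {
        "Accept": "text/csv",               # CSV instead of the JSON default
        "Content-Type": "application/json",
        "X-Requested-By": "export-script",  # Graylog rejects POSTs without it (CSRF check)
        "Authorization": basic_auth_header(username, password),
    }
    return url or ad_hoc_export_url(), headers, json.dumps(body).encode("utf-8")


def parse_csv_export(text):
    """Turn the CSV body into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def export_messages(query, timerange, fields, opener=urllib.request.urlopen, **kw):
    url, headers, data = build_export_request(query, timerange, fields, **kw)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with opener(req) as resp:
        if resp.status != 200:
            raise RuntimeError(f"export failed: HTTP {resp.status}")
        return parse_csv_export(resp.read().decode("utf-8"))


# Constructed sample response, so the script can be exercised offline.
SAMPLE_CSV = (
    '"timestamp","source","message"\n'
    '"2021-01-12T08:15:02.123Z","host-a","sshd[123]: Accepted publickey for ops"\n'
    '"2021-01-12T08:15:09.456Z","host-b","sshd[456]: Failed password for root"\n'
)


def fake_opener(text, status=200):
    """Stand-in for urllib.request.urlopen that returns a canned CSV body."""
    class _Resp(io.BytesIO):
        def __init__(self):
            super().__init__(text.encode("utf-8"))
            self.status = status
    return lambda req: _Resp()


if __name__ == "__main__":
    rows = export_messages('"sshd"', keyword_range("yesterday"),
                           ["timestamp", "source", "message"],
                           opener=fake_opener(SAMPLE_CSV))
    for row in rows:
        print(row["timestamp"], row["source"], row["message"])
```

Against a real server drop the opener argument (urllib's urlopen is the default) and pass username/password or a token; the keyword_range("yesterday") call is the views-API equivalent of the deprecated keyword endpoint from the first post.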