JOIN GRAYLOG FOR OUR

ANNUAL CONFERENCE

Thursday,
October 21, 2021
10am-5pm CT
REGISTER NOW

Graylog4 rest api search export

after upgrade to 4.0.2 we cannot use rest api search export:
rest api call ‘api/search/universal/keyword/export?query=%22sshd%22&keyword=%22yesterday%22&batch_size=500&fields=timestamp’ get 0 records back

if we use the call ‘api/search/universal/keyword?query=“sshd”&keyword=“yesterday”&batch_size=500&fields=timestamp%2Csource%2Cmessage’ we are see the messages but in json format

was the export disabled in 4.0.2 or is it a bug?

Update: if we set limit=-1 then we get records but this field is not necessary according to documentation

we testet export with limit=-1 and found that the messages will be not limited with keyword.

/search/universal/(absolute|relative|keyword)/ and export was marked as deprecated in graylog 3.3, it should work in 4.0, but not correctly, as it’s not used in frontend anymore.

https://docs.graylog.org/en/4.0/pages/upgrade/graylog-3.3.html#deprecating-legacy-aggregation-api-endpoints
https://docs.graylog.org/en/4.0/pages/upgrade/graylog-3.3.html#csv-export-api

For export use newer api using views:
/views/search/messages/{searchId}/{searchTypeId}
searchId = ID of an existing Search
searchTypeId = ID of a Message Table contained in the Search
JSON request:
{"execution_state":{"parameter_bindings":{}},"fields_in_order":["timestamp","source","message"],"limit":500}

curl 'http://172.28.128.15/api/views/search/messages/602bcfd261d1ac12c9cfd616/968419c1-c1c0-4955-be99-8a306d662f2a' -H 'Accept: text/csv' -H 'Authorization: Basic BASE64' -H 'Content-Type: application/json' -H 'X-Requested-By: cli' --data-raw '{"execution_state":{"parameter_bindings":{}},"fields_in_order":["timestamp","source","message"],"limit":500}'

he

search via API is different in 4.0 and the documentation lacks behind …

The “best” way currently is to use the export API:

## Search via Export API
curl -X "POST" "https://graylog/api/views/search/messages" \
     -H 'X-Requested-By: Mamamia' \
     -H 'Content-Type: application/json' \
     -H 'Accept: text/csv' \
     -u 'USER:PASSWORD' \
     -d $'{
  "streams": [
    "5e569003c793163fea1b3373"
  ],
  "query_string": {
    "type": "elasticsearch",
    "query_string": "section:boulder"
  },
  "timerange": {
    "type": "relative",
    "range": 30000
  }
}'

You might want to adjust the streams you want/can search in and the query_string - an your Graylog URL and username/passwort or token.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.