If you want to generate CSV lists from saved searches, you can do this via the API.
It is a call within the Search/Message section.
The API call for this is:
http(s)://yourgraylogserver:9000/api/views/search/messages/{searchId}
The method is POST and the response content type is text/csv. You can also use the content type application/json to send body parameters like:
{
execution_state (object, optional),
limit (integer, optional),
fields_in_order (array[string], optional)
}
Because it requires a searchId, you first need to create a saved search, e.g. with filters and a time range.
It is important to know that the ID used in the web frontend is not the ID you need. Saved searches have two unique IDs. The ID you need is called "search_id".
Currently the only way I have found to get this ID is the API call:
http(s)://yourgraylogserver:9000/api/search/saved?page=1&per_page=50&sort=title&order=asc
In the API-Browser:
http(s)://yourgraylogserver:9000/api/api-browser/global/index.html#!/Search/Saved/views_get_0
The result will be all saved searches. There you can find the search_id for example:
"views": [
  {
    "id": "5eb27a3888d5576c03468b5d",
    "type": "SEARCH",
    "title": "Your saved search",
    "summary": "",
    "description": "",
    "search_id": "5ef457cf95b9ceb86fd77fb7",
    "properties": ,
    "requires": {},
    "state": {
      "034cb8c1-144a-4feb-b880-56fc4b03560b": {
        "selected_fields": null,
        "static_message_list_id": null,
        …
Be aware that if you alter the saved search in any way, the search_id changes too.
Example
If you want to use it with curl, you can do it like this:
curl -i -X POST -u "user:$(cat .userpw)" \
  -H 'Content-Type: application/json' -H 'Accept: text/csv' -H 'X-Requested-By: cli' \
  'http(s)://yourgraylogserver:9000/api/views/search/messages/5ef457cf95b9ceb86fd77fb7' \
  -d '{
"fields_in_order": [ "messagefield1", "messagefield2"]
}'
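Because the search_id changes whenever the saved search is altered, a scheduled export should resolve it from the saved-search listing on every run instead of hard-coding it. The following is an added example, not part of the original post: it picks the search_id by title from a /api/search/saved response and builds the CSV request. The function names, the sample listing and the 24-hex-character ID check are assumptions.

```python
import base64
import json
import re
import urllib.request

# Constructed sample of an /api/search/saved response (only the fields used here).
SAMPLE_LISTING = {"views": [
    {"id": "5eb27a3888d5576c03468b5d", "title": "Your saved search",
     "search_id": "5ef457cf95b9ceb86fd77fb7"},
    {"id": "000000000000000000000001", "title": "Other search",
     "search_id": "000000000000000000000002"},
]}


def find_search_id(listing, title):
    """Return the search_id (not the web frontend id) of the saved search with this title."""
    matches = [v for v in listing.get("views", []) if v.get("title") == title]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} saved searches titled {title!r}")
    search_id = matches[0]["search_id"]
    # Assumption: IDs are 24 hex characters, as in the listing; reject anything
    # else before it is placed into the URL path.
    if not re.fullmatch(r"[0-9a-f]{24}", search_id):
        raise ValueError(f"unexpected search_id format: {search_id!r}")
    return search_id


def build_csv_request(base_url, search_id, fields, user, password, limit=None):
    """Build the POST to /api/views/search/messages/{searchId} that returns CSV."""
    body = {"fields_in_order": list(fields)}
    if limit is not None:
        body["limit"] = int(limit)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/views/search/messages/{search_id}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "text/csv",
                 "X-Requested-By": "cli", "Authorization": f"Basic {token}"},
    )


if __name__ == "__main__":
    sid = find_search_id(SAMPLE_LISTING, "Your saved search")
    req = build_csv_request("https://yourgraylogserver:9000", sid,
                            ["messagefield1", "messagefield2"], "user", "constructed-pw")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Against a live server: urllib.request.urlopen(req).read() returns the CSV.
```

Building the Authorization header inside the process keeps the password out of the command line, where a -u argument would be visible in the process list.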