Inconsistent Data Retrieval from Graylog API Endpoint 'api/search/universal/relative'

I’m using Graylog version 5, and I’m encountering intermittent issues while fetching data from the ‘api/search/universal/relative’ API endpoint. Despite multiple attempts, the data retrieval appears to be inconsistent, and there seems to be no apparent pattern to this behavior. I would appreciate any insights or potential solutions regarding this matter.

Please provide some more details:

  • the API request
  • returned data (redacted as necessary)
  • expected data
  • how is the result inconsistent?

When I say inconsistent, I mean that the API sometimes returns data, and sometimes it returns empty results with a status of 200. Empty data means nothing in the response, just a white screen.

Please take a look at the screenshots below.

Response with Data (https://snipboard.io/cLKOQa.jpg)
Empty Response with Status 200 (https://snipboard.io/CZQArl.jpg)

Could you also paste the full HTTP request? Thx.

Yes, here is the HTTP request:

https://graylog.fusiontech.global/api/search/universal/relative?query=Project:swished+AND+Environment:production+AND+level:<6&batch_size=500&fields=Project,level,message&range=86400&limit=5000

Have you set the accept header? There are 2 versions of this API: CSV and JSON. If you don’t set the header it’s uncertain which one you get.

My other hunch is that it is related to the chunked CSV response. Do you see the issue when selecting JSON response type?

Hi, thank you for pointing me in the right direction. I just modified the accept header from ‘text/csv’ to ‘application/json’, and it appears to be functioning properly now. However, the total records that the API returns are different from what I see on the Graylog dashboard. For instance, if a project has 230 log counts on the Graylog dashboard, the API returns twice that amount, resulting in 460 log counts.
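
The Accept-header fix discussed above, as an added example that is not part of any post in this thread: a client that pins the response format to JSON and rejects an empty 200 reply instead of reading it as "no results". The host name, the function names and the field names in the constructed sample reply are assumptions; the path and parameters are those of the request posted above.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hypothetical host; path and parameter names are the ones in the thread's request.
BASE = "https://graylog.example.org/api/search/universal/relative"


def build_request(query, range_s, fields, limit, auth_header=None):
    """Build the search request with the response format pinned to JSON."""
    # urlencode escapes ':' and '<' in the query instead of sending them raw.
    params = urlencode({"query": query, "range": range_s,
                        "fields": ",".join(fields), "limit": limit})
    headers = {"Accept": "application/json"}
    if auth_header:  # credentials are deployment-specific, supplied by the caller
        headers["Authorization"] = auth_header
    return Request(f"{BASE}?{params}", headers=headers)


def parse_search_response(status, content_type, body):
    """Decode a JSON reply; raise rather than treat an empty 200 as 'no results'."""
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        raise RuntimeError(f"expected application/json, got {media_type!r}")
    if not body.strip():
        raise RuntimeError("empty body with status 200")
    return json.loads(body)


def search(req, timeout=30):
    """Send the request and validate the reply before returning it."""
    with urlopen(req, timeout=timeout) as resp:
        return parse_search_response(
            resp.status, resp.headers.get("Content-Type", ""), resp.read())


if __name__ == "__main__":
    req = build_request("Project:swished AND Environment:production AND level:<6",
                        86400, ["Project", "level", "message"], 5000)
    print(req.full_url)
    # Constructed replies (not captured from a real server), checked offline.
    print(parse_search_response(200, "application/json",
                                b'{"messages": [], "total_results": 0}'))
    for ctype, body in (("application/json", b""), ("text/csv", b"a,b\n")):
        try:
            parse_search_response(200, ctype, body)
        except RuntimeError as err:
            print("rejected:", err)
```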

Please capture the search request that is generated in the UI via browser devtools.
Should become evident then what is going on.

Please take a look at this.

The Graylog UI communicates with the server exclusively via the public APIs. Since the results are different, there must be a difference in the API call from the UI and the API call you are submitting.
Capture the API call from the UI via the browser tools. Compare that to your manually generated API request.
