Limiting fields in API call (Graylog 4.2)

I want to run a nightly report and get stuff from the Graylog API for that. My query works, but I get all 50 or so fields for these kinds of messages, which is way too much data. I only need the timestamp and one other field.

Any idea how I can select only the fields I need?

{
    "queries": [
        {
            "timerange": {
                "type": "relative",
                "from": 60
            },
            "filter": null,
            "query": {
                "type": "elasticsearch",
                "query_string": "winlogbeat_event_code:4624 AND winlogbeat_event_action:Logon"
            },
            "search_types": [
                {
                    "limit": 1,
                    "offset": 0,
                    "sort": [
                        {
                            "field": "timestamp",
                            "order": "DESC"
                        }
                    ],
                    "decorators": [],
                    "type": "messages",
                    "filter": null
                }
            ]
        }
    ],
    "parameters": []
}

But this returns ALL fields…

Running Graylog 4.2 on Ubuntu (for now, upgrade to 5.2 is in process)
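As an added example (not from the post and not Graylog's own code) of a 4.2-era workaround: send the request above to the synchronous views search endpoint and keep only the two needed fields on the client side. It assumes the reply layout noted in the docstring, an API token used as the username with the password `token`, and the `X-Requested-By` header Graylog requires on API calls.

```python
import base64
import json
import urllib.request
from typing import Any, Dict, List

# The request body from the post, with the limit raised so the report sees every logon.
SEARCH_REQUEST: Dict[str, Any] = {
    "queries": [{
        "timerange": {"type": "relative", "from": 60},
        "filter": None,
        "query": {"type": "elasticsearch",
                  "query_string": "winlogbeat_event_code:4624 AND winlogbeat_event_action:Logon"},
        "search_types": [{"limit": 500, "offset": 0, "type": "messages", "filter": None,
                          "decorators": [], "sort": [{"field": "timestamp", "order": "DESC"}]}],
    }],
    "parameters": [],
}
WANTED = ["timestamp", "winlogbeat_event_action"]  # the only two fields the report needs

def project_messages(reply: Dict[str, Any], fields: List[str]) -> List[Dict[str, Any]]:
    """Keep only `fields` from each hit. Assumed reply layout (not shown in the post):
    results -> <query id> -> search_types -> <search type id> -> messages[] -> message{}"""
    rows: List[Dict[str, Any]] = []
    for query_result in reply.get("results", {}).values():
        for st in query_result.get("search_types", {}).values():
            if st.get("type") != "messages":
                continue  # aggregation results carry no per-message fields
            for hit in st.get("messages", []):
                msg = hit.get("message", {})
                rows.append({f: msg.get(f) for f in fields})
    return rows

def run_search(base_url: str, api_token: str) -> List[Dict[str, Any]]:
    """POST to the synchronous views search endpoint and return the projected rows."""
    auth = base64.b64encode(f"{api_token}:token".encode()).decode()  # token as user, pw "token"
    req = urllib.request.Request(
        f"{base_url}/api/views/search/sync", data=json.dumps(SEARCH_REQUEST).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "X-Requested-By": "nightly-report", "Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return project_messages(json.load(resp), WANTED)

# Constructed sample reply: the ~50 real fields are cut down to four for an offline check.
SAMPLE_REPLY = {"results": {"q1": {"search_types": {"st1": {"type": "messages", "messages": [
    {"index": "graylog_0", "message": {"timestamp": "2024-01-01T01:00:00.000Z", "source": "dc01",
        "winlogbeat_event_action": "Logon", "winlogbeat_event_code": "4624"}},
    {"index": "graylog_0", "message": {"timestamp": "2024-01-01T00:30:00.000Z", "source": "dc02",
        "winlogbeat_event_action": "Logon", "winlogbeat_event_code": "4624"}},
]}}}}}
```

The projection happens after the full reply is downloaded, so this saves report size and parsing work, not network bandwidth.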

In 5.2 there is a new API called simple search that will let you select the fields you want returned, and is overall very easy to use.
