Limiting fields in api call (graylog 4.2)

AxisNL · March 20, 2024, 2:49pm

I want to run a nightly report and get stuff from the graylog api for that. My query works, but I get all 50 or so fields for these kind of messages, which is waaaay to much data. I only need the timestamp and one other field.

Any idea how I can select only the fields i need?

{
    "queries": [
        {
            "timerange": {
                "type": "relative",
                "from": 60
            },
            "filter": null,
            "query": {
                "type": "elasticsearch",
                "query_string": "winlogbeat_event_code:4624 AND winlogbeat_event_action:Logon"
            },
            "search_types": [
                {
                    "limit": 1,
                    "offset": 0,
                    "sort": [
                        {
                            "field": "timestamp",
                            "order": "DESC"
                        }
                    ],
                    "decorators": [],
                    "type": "messages",
                    "filter": null
                }
            ]
        }
    ],
    "parameters": []
}

But this returns ALL fields…

Running graylog 4.2 on ubuntu (for now, upgrade to 5.2 is in process)

Joel_Duffield · March 21, 2024, 2:27am

In 5.2 there is a new api called simple search that will let you select the fields you want returned, and is overall very easy to use.

Topic		Replies	Views
API Query all Fields Graylog Central (peer support)	2	919	December 26, 2023
Basic stuff isn't working for me. How do I query into my messages and just return select fields and sort them Graylog Central (peer support)	10	89	May 12, 2025
API Formatting returning specific fields Documentation Campfire	1	519	June 15, 2023
Limiting the Search-Result Graylog Central (peer support)	5	1275	May 17, 2021
No fields to show Graylog Central (peer support)	15	2544	July 27, 2021

Limiting fields in api call (graylog 4.2)

Related topics