Followup to: https://community.graylog.org/t/alternative-view-for-sources-api-endpoint-after-4-0/27007?u=richt
I have now found a way to somewhat recreate the Sources API Endpoint:
I created a saved search with a time range of the last 30 days, with an aggregation grouped by source and a metric with the function count on the “messages” field, as a data table.
You can get the search ID of the used search via the /views/{ID} API endpoint for the saved search, and then you can get the JSON parameters for the actual search via the /views/search/{ID} API endpoint.
You can then run a search using the /views/search/sync endpoint and the JSON parameters of the saved search.
Now we get machine-readable output of the aggregation which we can parse.
We will probably still have to heavily rewrite the check in our monitoring solution to get it to parse the new output, but this is a good start; at least we know how to get to the data we need.
Does somebody still have a 3.x instance and can give an example of the output of the actual old Sources API endpoint?
The JSON parameters for a last-5-minutes search will look something like this:
```json
{
  "queries": [
    {
      "timerange": { "type": "relative", "from": 300 },
      "filter": null,
      "query": { "type": "elasticsearch", "query_string": "" },
      "search_types": [
        {
          "timerange": null,
          "query": null,
          "streams": [],
          "name": "chart",
          "series": [ { "type": "count", "id": "Messages", "field": "source" } ],
          "sort": [],
          "rollup": true,
          "type": "pivot",
          "row_groups": [ { "type": "values", "field": "source", "limit": 999999999 } ],
          "column_groups": [],
          "filter": null
        }
      ]
    }
  ],
  "parameters": []
}
```
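As an added example (not code from the original post or from Graylog itself), here is a small Python script that builds the sync-search body above, posts it to /api/views/search/sync, and reduces the pivot rows to a `{source: count}` map that a monitoring check can consume. Assumptions: the Graylog base URL and access token are supplied by the caller (token used as the basic-auth user name with the password "token", plus the `X-Requested-By` header Graylog requires on POST), and the response shape (results -> query id -> search_types -> search type id -> rows, each leaf row with the grouped value in `key` and the series result in `values`) is what the parser expects; the sample response embedded below is constructed, not captured from a real instance.

```python
import base64
import json
import urllib.request


def build_sources_search(seconds=300, limit=999999999):
    """Request body for POST /api/views/search/sync, mirroring the saved-search
    JSON quoted in the post: last `seconds` seconds, pivot rows grouped by
    `source`, one count series."""
    pivot = {
        "timerange": None, "query": None, "streams": [], "name": "chart",
        "series": [{"type": "count", "id": "Messages", "field": "source"}],
        "sort": [], "rollup": True, "type": "pivot",
        "row_groups": [{"type": "values", "field": "source", "limit": limit}],
        "column_groups": [], "filter": None,
    }
    query = {
        "timerange": {"type": "relative", "from": seconds},
        "filter": None,
        "query": {"type": "elasticsearch", "query_string": ""},
        "search_types": [pivot],
    }
    return {"queries": [query], "parameters": []}


def run_sync_search(base_url, token, body, timeout=60):
    """POST `body` to /api/views/search/sync and return the decoded JSON.

    Network call, not exercised offline. Assumes token auth (token as user
    name, literal password "token") and sends the X-Requested-By header
    that Graylog requires on POST requests."""
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/views/search/sync",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {auth}",
            "Content-Type": "application/json",
            "Accept": "application/json",
            "X-Requested-By": "sources-check",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def parse_source_counts(response):
    """Reduce the pivot rows of a sync-search response to {source: count}.

    Assumed shape: results -> query id -> search_types -> search type id -> rows.
    Rollup/total rows (empty key or source != "leaf") are skipped."""
    counts = {}
    for query_result in response.get("results", {}).values():
        for search_type in query_result.get("search_types", {}).values():
            if search_type.get("type") != "pivot":
                continue
            for row in search_type.get("rows", []):
                if row.get("source") != "leaf" or not row.get("key"):
                    continue
                values = row.get("values", [])
                if values:
                    counts[row["key"][0]] = int(values[0]["value"])
    return counts


def silent_sources(counts, expected):
    """Expected hosts with no messages in the window: the condition a
    monitoring check built on the old Sources endpoint typically alerted on."""
    return sorted(h for h in expected if counts.get(h, 0) == 0)


# Constructed sample response; not captured from a real Graylog instance.
SAMPLE_RESPONSE = {
    "execution": {"done": True, "cancelled": False, "completed_exceptionally": False},
    "results": {"q1": {"query": {"id": "q1"}, "search_types": {"st1": {
        "id": "st1", "type": "pivot", "total": 1290,
        "rows": [
            {"key": ["web01"], "source": "leaf",
             "values": [{"key": ["count(source)"], "value": 1234, "rollup": True, "source": "row-leaf"}]},
            {"key": ["db01"], "source": "leaf",
             "values": [{"key": ["count(source)"], "value": 56, "rollup": True, "source": "row-leaf"}]},
            # rollup/total row: empty key, must not be reported as a host
            {"key": [], "source": "non-leaf",
             "values": [{"key": ["count(source)"], "value": 1290, "rollup": True, "source": "row-leaf"}]},
        ],
    }}}},
}


if __name__ == "__main__":
    counts = parse_source_counts(SAMPLE_RESPONSE)
    print(counts)
    print("silent:", silent_sources(counts, ["web01", "db01", "fw01"]))
```

To run it against a live node, replace the sample with `run_sync_search("https://graylog.example", "<token>", build_sources_search(300))` and feed the result to `parse_source_counts`; the check then only has to compare the returned map with its list of expected hosts.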