PowerShell and REST API stream search

Hi there,

I'm attempting to search via the REST API using a basic invoke command through PowerShell. The issue I am having is that the following search via a specific stream is not returning anything. Doing the same search via the web interface returns results. Removing the stream from the script also returns results.

$Uri_Search = "https://lnx.server.net:9000/api/views/search/messages"
$Headers = @{ Accept = 'text/csv'; 'X-Requested-By' = 'GraylogScript' }
$r = Invoke-RestMethod -Uri $Uri_Search -Credential $cred -Method Post -ContentType 'application/json' -Headers $Headers -Body '{
    "streams": [
        "6105272292dfc35e022c94b3"
    ],
    "query_string": {
        "type": "elasticsearch",
        "query_string": "*"
    },
    "timerange": {
        "type": "relative",
        "range": 300
    }
}'
$r

A few posts have shown a curl command that can be used, and the following works well under a Linux host. I have also converted it to PowerShell and it seems to work OK, but I am not sure if it's the right way to call the Graylog REST API.

CURL
curl -u admin:xxxx -H 'X-Requested-By: cli' "https://lnx.server.net:9000/api/search/universal/relative?query=pf_ip_source_ip%3A8.8.8.8&rangetype=relative&relative=3000&sort=timestamp:desc&pretty=true" -H "Accept: application/json" -H "Content-Type: application/json"

The OS I have under Graylog is RHEL 8 and the current Graylog version is v4.2.7+879e651.

I have read through the available docs and searched the forums for a solution, and am stuck at the moment. Seeking guidance.

Here is the PowerShell version of the curl command. (Needed to post this separately as I am a new user and it won't allow more than two links to be posted at the same time - sorry.)

Powershell
$Uri_Search = "https://lnx.server.net:9000/api/search/universal/relative?query=pf_ip_source_ip%3A8.8.8.8&rangetype=relative&relative=300&sort=timestamp:desc&pretty=true"
$Headers = @{ Accept = 'application/json'; 'X-Requested-By' = 'GraylogScript' }
$r = Invoke-RestMethod -Uri $Uri_Search -Credential $cred -Method Get -ContentType 'application/json' -Headers $Headers
$r | ConvertTo-Json

Hello && Welcome @rm8d

Have you checked out the API browser on the Graylog node? That should give you a better idea of what is needed for an API call, if you haven't already.
As for the PowerShell, have you tested by asking for a single result using the Invoke-RestMethod cmdlet? It will make the web request and then convert the JSON data returned by the API into a PowerShell object.

Example:

Invoke-RestMethod -Method GET -ContentType "application/json" -Uri "https://graylog.domain.com:9000/api/stream/1"

@gsmith, thanks for helping and pointing me in the right direction. I ended up using the one-liner and found that I was using the wrong stream ID.

I found the correct ID by using [GET] /streams call under the API browser. All works now as expected.

Many thanks!


@gsmith, I do have another question. Using the Invoke method with 'Post' returns the following error when using the following API call [/api/views/search/messages].

    "Invoke-RestMethod : Unable to export as JSON - Enterprise license is missing or invalid!"

This only occurs when I use 'application/json' in the header, but it works fine with 'text/csv'. Any reason why? Is this a licensed feature?

Hello,

I'm not sure, to be honest; I would have to research that error. Did you check the Graylog log file and/or maybe the device you're executing Invoke-RestMethod from? See if you can find more information on why.

Can you post the API call you're using?

Hi @gsmith, yeah, I checked the logs, turned on debug mode for a short period and did a tail on /var/log/graylog-server/server.log. Nothing is coming up except what is below.

The API call is below, the same as the original post, just with the exception of the following header change: "application/json" rather than "text/csv".

------------------------- API Call ---------------------------
$Uri_Search = "https://lnx.server.net:9000/api/views/search/messages"
$Headers = @{ Accept = 'application/json'; 'X-Requested-By' = 'GraylogScript' }
$r = Invoke-RestMethod -Uri $Uri_Search -Credential $cred -Method Post -ContentType 'application/json' -Headers $Headers -Body '{
    "streams": [
        "6105272292dfc35e022c94b3"
    ],
    "query_string": {
        "type": "elasticsearch",
        "query_string": "*"
    },
    "timerange": {
        "type": "relative",
        "range": 300
    }
}'
$r
------------------------- API Call ---------------------------

So this API call give you an error?

Yeah that’s the one.

I should have attached a screenshot of the error that is shown under the Windows ISE.

----------------------Displayed Error------------------------------------------------------------------
Invoke-RestMethod : Unable to export as JSON - Enterprise license is missing or invalid!
At line:5 char:6
+ $r = Invoke-RestMethod -Uri $Uri_Search -Credential $cred -Method Pos ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
----------------------Displayed Error------------------------------------------------------------------

Hey @gsmith, any ideas or avenues to seek a solution? Is an Enterprise license required for this API feature?
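The two fixes that came out of this thread (looking the stream ID up via GET /api/streams instead of hard-coding an ID that turned out to be wrong, and requesting text/csv because Accept: application/json on /api/views/search/messages is answered with the Enterprise-license error) combined into one script. This is an added example, not rm8d's script and not Graylog's own code. It assumes Graylog 4.x with the endpoints and request body used above, that the /api/streams response carries a `streams` array whose entries have `id` and `title` fields, and placeholder values for `$GraylogUrl` and `$StreamTitle`. The wrapper function also pulls the HTTP status and the server's response body out of the exception, so a 4xx from Graylog shows the server's message rather than only the cmdlet's summary line in the ISE.

```powershell
# Added example (not from the thread): search one Graylog stream from PowerShell.
# Assumptions: Graylog 4.x; /api/streams returns { total, streams: [ {id, title, ...} ] };
# /api/views/search/messages accepts the body shape used in the thread.
param(
    [string]$GraylogUrl   = 'https://lnx.server.net:9000',   # host from the thread; placeholder
    [string]$StreamTitle  = 'My Stream',                     # placeholder: the stream's title, not its ID
    [string]$Query        = '*',
    [int]   $RangeSeconds = 300
)

# Prompt for the password rather than embedding it: `curl -u admin:xxxx` leaks it into
# shell history and `ps` output on a shared host.
$cred = Get-Credential -Message 'Graylog user'

# X-Requested-By is Graylog's CSRF guard; every call needs it. Do not add
# -SkipCertificateCheck for a self-signed node; import the CA into the trust store instead.
$commonHeaders = @{ 'X-Requested-By' = 'GraylogScript' }

function Invoke-GraylogApi {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [string]$Method = 'Get',
        [hashtable]$Headers = @{},
        [string]$Body
    )
    $params = @{
        Uri         = $Uri
        Method      = $Method
        Credential  = $cred
        Headers     = $commonHeaders + $Headers
        ContentType = 'application/json'
        ErrorAction = 'Stop'
    }
    if ($Body) { $params.Body = $Body }
    # PowerShell 7 sends Basic credentials only when told to; 5.1 has no such switch.
    if ($PSVersionTable.PSVersion.Major -ge 6) { $params.Authentication = 'Basic' }
    try {
        Invoke-RestMethod @params
    } catch {
        # Surface the HTTP status and the server's error body instead of the bare
        # "Invoke-RestMethod : ..." line. Works on Windows PowerShell 5.1 (WebException)
        # and PowerShell 7 (HttpResponseException).
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { 'no response' }
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $resp -and $resp.PSObject.Methods['GetResponseStream']) {
            $detail = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
        }
        throw "Graylog API $Method $Uri failed (HTTP $status): $detail"
    }
}

# 1. Resolve the stream ID from its title via GET /api/streams, the call that exposed the
#    wrong ID in this thread. Hard-coding an ID copied from a URL is how that mistake happens.
$streams = Invoke-GraylogApi -Uri "$GraylogUrl/api/streams" -Headers @{ Accept = 'application/json' }
$stream  = @($streams.streams | Where-Object { $_.title -eq $StreamTitle })
if ($stream.Count -eq 0) { throw "No stream titled '$StreamTitle'. Available: $($streams.streams.title -join ', ')" }
if ($stream.Count -gt 1) { throw "Stream title '$StreamTitle' is ambiguous; use the ID directly" }
Write-Host "Stream '$StreamTitle' -> $($stream[0].id)"

# 2. Build the search body as a hashtable and serialize it, so quoting mistakes (smart quotes,
#    an unterminated string) cannot creep into the JSON.
$body = @{
    streams      = @($stream[0].id)
    query_string = @{ type = 'elasticsearch'; query_string = $Query }
    timerange    = @{ type = 'relative'; range = $RangeSeconds }
} | ConvertTo-Json -Depth 5

# 3. Ask for text/csv. The thread shows Accept: application/json on this endpoint is answered
#    with "Unable to export as JSON - Enterprise license is missing or invalid!", so on an
#    open-source node CSV is the export format that works.
$csv = Invoke-GraylogApi -Uri "$GraylogUrl/api/views/search/messages" -Method Post `
    -Headers @{ Accept = 'text/csv' } -Body $body

# Invoke-RestMethod hands CSV back as one string; turn it into objects.
$messages = @($csv | ConvertFrom-Csv)
"{0} message(s) in the last {1}s from stream '{2}'" -f $messages.Count, $RangeSeconds, $StreamTitle
$messages | Select-Object -First 5 | Format-Table -AutoSize
```

Saved as, say, Search-GraylogStream.ps1 (a hypothetical filename), it would be run as `.\Search-GraylogStream.ps1 -StreamTitle 'pfSense' -Query 'pf_ip_source_ip:8.8.8.8'`. If the Accept header is switched back to application/json, the catch block prints the HTTP status together with the license message from the server, which is the detail the ISE summary line hides.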

Hello @rm8d

My apologies, I wanted to do some testing in my lab but haven’t got a chance to get around to it yet.
Thanks for the reminder.

This is just a guess: if the API endpoint is associated with the Enterprise version, then yes.

Since this topic is closed can you make a new post with all the information needed?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.