Query Message ID with REST API

I am trying to query log messages from Graylog via their REST API. The query I am currently using looks like the following:

# start and end (the absolute time range bounds) are set elsewhere
header = {"X-Requested-By": "OS-AD", "Content-Type": "application/json", "Accept": "text/csv"}
query = {
    "query_string": {"type": "elasticsearch", "query_string": "*"},
    "streams": ["61406557e62e6244b6bbded5"],
    "timerange": {
        "type": "absolute",
        "from": start,
        "to": end,
    },
}

It is implemented in Python, that’s why the API call is split up into two different dictionaries, but I think you get the point.
From this I just get back a response in CSV format (as expected so far) with three columns: “timestamp”, “source” and “message”. Although in Graylog itself I see some other parameters like level, facility_num and facility and an individual message id. I think the message id is also often referred to as a permalink.
It is also the most important one to me, since it would help me a lot with further processing of the logs, the other ones are a nice extra but I don’t really need them.
Is there any way to change my query so that it also returns me the other parameters, more specifically the message id?
I really couldn’t pull much information from the API docs, since they are quite cryptic for me…

I’ll be honest, I have not played with APIs that much, but what I do know on the message ID tip: I’m using this field gl2_message_id to get what I want.


Thanks a lot for your answer!
This is already very helpful, although I am not sure how I can query exact fields from the API.
For now I am just using the /view/search/messages endpoint, which (for some reason) only exports a few fields to CSV.
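
An added example, not part of the thread and not Graylog's own code: one way to ask the export endpoint for specific columns, including gl2_message_id, and to key the returned CSV rows by that id. The `fields_in_order` body key, the `/api/views/search/messages` path and the token-as-username Basic auth are assumptions to confirm in your server's API browser; the host name and the sample CSV are constructed.

```python
import base64
import csv
import io
import json
import urllib.request

# Assumption: "fields_in_order" selects the CSV columns of the export.
FIELDS = ["timestamp", "source", "message", "level", "facility", "gl2_message_id"]


def build_export_request(base_url, token, stream_id, start, end, fields=FIELDS):
    """Build (but do not send) the CSV export request for the chosen fields."""
    body = {
        "query_string": {"type": "elasticsearch", "query_string": "*"},
        "streams": [stream_id],
        "timerange": {"type": "absolute", "from": start, "to": end},
        "fields_in_order": list(fields),
    }
    # Assumption: an access token is sent as the Basic-auth user name with
    # the literal password "token". Keep the token out of source control.
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    headers = {
        "X-Requested-By": "OS-AD",
        "Content-Type": "application/json",
        "Accept": "text/csv",
        "Authorization": f"Basic {auth}",
    }
    url = base_url.rstrip("/") + "/api/views/search/messages"  # assumed path
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST")


def index_by_message_id(csv_text, id_field="gl2_message_id"):
    """Parse the CSV export and key each row by its message id."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if id_field not in (reader.fieldnames or []):
        raise ValueError(f"{id_field!r} column missing; was it requested?")
    return {row[id_field]: row for row in reader}


# Constructed sample response, not real Graylog output.
SAMPLE_CSV = (
    '"timestamp","source","message","level","facility","gl2_message_id"\n'
    '"2021-09-14T10:00:00.000Z","host-a","sshd: session opened","6","auth","ID-0001"\n'
    '"2021-09-14T10:00:05.000Z","host-b","disk, 91% full","4","daemon","ID-0002"\n'
)
```

Send the request with `urllib.request.urlopen(req)` over HTTPS and pass the decoded body to `index_by_message_id`.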

Not sure if this will help, but have you tried the API browser? This is under System/Nodes.

Perhaps that will give you more insight.

Yes, I already took a look at that. It is also what basically everyone recommends, but I do not really understand the format of the API calls, which is maybe just due to some formatting mistakes on my side. At the moment I am also having authorization problems, so I need to wait for the admin anyway, but thanks a lot for your help!
