Retrieving 'Quick Values' using the API

Graylog Central (peer support)
1

In the web UI once a search has been performed it’s then possible to expand any of the fields and select ‘Quick Values’ which lists the relative percentage of the field values found in the search. Is it possible to do the same using the API?

Thanks in advance

2

Hey @steven.cherry,

have a look at the terms/ entpoint in the API-Browser, that is what you want (this is actually the API-endpoint the Quick Value Widget is using :smiley:

Greeting - Phil

3

Hi @derPhlipsi

Thanks for the reply, I’ve already looked at the API browser but without success :slightly_frowning_face:

4

Oh, I see…
I guess it is under the Search/* endpoint, because that is where the request goes when a Quick Value Widget is created. I can’t check, my API-Browser is broken for some reason :confused:

Well, here is what I (once) found out about the terms/ endpoint by using the Firefox Network Console:

Query URL: https://graylog.example.de/api/search/universal/relative/terms?query=action%3Aallow&range=300&field=application
(Note: %3A is URL-encoded for colon)

This is the response:

HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Tue, 18 Jul 2017 15:55:22 GMT
Content-Type: application/json
Content-Length: 2412
Connection: keep-alive
X-Graylog-Node-ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Cache-Control: no-cache
X-Runtime-Microseconds: 1056418
Strict-Transport-Security: max-age=31536000

{
	"time": 1042,
	"terms": {
		"ssl": 16733,
                <redacted>
		"dns": 6222,
		"web-browsing": 3927,
		"apt-get": 6
	},
	"missing": 0,
	"other": 81,
	"total": 34440,
	"built_query": "{
		"from": 0,
		"query": {
			"bool": {
				"must": {
					"query_string": {
						"query": "action: allow",
						"allow_leading_wildcard": false
					}
				},
				"filter": {
					"bool": {
						"must": {
							"range": {
								"timestamp": {
									"from": "2017-07-1815: 50: 21.249",
									"to": "2017-07-1815: 55: 21.249",
									"include_lower": true,
									"include_upper": true
								}
							}
						}
					}
				}
			}
		},
		"aggregations": {
			"gl2_filter": {
				"filter": {
					"bool": {
						"must": {
							"range": {
								"timestamp": {
									"from": "2017-07-1815: 50: 21.249",
									"to": "2017-07-1815: 55: 21.249",
									"include_lower": true,
									"include_upper": true
								}
							}
						}
					}
				},
				"aggregations": {
					"gl2_terms": {
						"terms": {
							"field": "application",
							"size": 50,
							"order": {
								"_count": "desc"
							}
						}
					},
					"missing": {
						"missing": {
							"field": "application"
						}
					}
				}
			}
		}
	}"
}

This is basically how to use the terms endpoint. Just give it a query, a (time)range, and a field to aggregate on in the url and it will return you the terms object in the response-JSON. :slight_smile:

I hope this helped :slight_smile:

Greetings - Phil

5

Thanks Philipp, that worked for me :slight_smile:

1 Like
6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.