Saved searches API

Graylog Central (peer support)
1

Trying to automate “saved searches” using the API, as we have multiple Graylog clusters and will save a lot of time manually setting searches up for each Graylog instance.

Currently using version 3.3.4, it seems that the current version of the API has moved “/search/saved” to “/legacy/search/saved”, and also removed the POST method to create new saved searches, you can only GET or DELETE.

Instead, there is a new “/views/search” API which accepts the following data:
{
parameters (array[object], optional),
id (string, optional),
queries (array[object], optional),
owner (string, optional),
created_at (string, optional),
requires (object, optional)
}

But I don’t think this is the correct replacement API for creating saved searches. But using GET method will correctly list saved searches, so it’s confusing.

How can I use the API in current version to create saved searches?

Thanks

2
  1. /legacy/search/saved is for pre-3.2 view saved search
  2. /search/saved is current for 3.3
    https://docs.graylog.org/en/3.3/pages/upgrade/graylog-3.3.html#saved-searches-api
3

Thanks.
Is there any way to find out what the POST requirements are for “/search/saved” endpoint is?

Using the API browser (http://:9000/api/api-browser) I cannot see that the “search/saved” API call exists, only “legacy/search/saved” and that has no POST method explaining what is required.

4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.