
Had a rough time figuring that out, so here is the solution for everybody else searching for it. The solution is implemented in PHP:

<?php
// Assumes Guzzle and Carbon are installed via Composer (vendor/autoload.php loaded).
use Carbon\Carbon;
use GuzzleHttp\Client;

$url = 'https://host.td/api/search/universal/absolute'
       . '?query=' . urlencode('field:value')                 // query which you would also perform on the UI
       . '&from=' . urlencode(Carbon::createFromTimestamp(0)) // min timestamp so we get all logs
       . '&to=' . urlencode(Carbon::createFromTimestamp(2147483647)) // max 32-bit timestamp (the answer's NumberUtils::MAX_32_BIT_INT) so we get all logs
       . '&limit=' . $this->limit                             // how many results do we want? ($this->limit is set on the enclosing class)
       . '&fields=' . urlencode('field1,field2,field3')       // which fields do we want?
       . '&filter=' . urlencode('streams:<stream_id>')        // OPTIONAL: only search in this stream
       . '&sort=' . urlencode('field:desc')                   // sort result
       . '&decorate=false';                                   // don't know what that is
$res = (new Client())->get($url, [
    // generate a token on the Graylog UI;
    // we use basic auth, username = the token; password = hard-coded string 'token'
    'auth'    => ['<token_value>', 'token'],
    'headers' => ['Accept' => 'application/json']             // we want a JSON result
]);

$json = \GuzzleHttp\json_decode($res->getBody());

Bonus: If you want to sort by a timestamp you provided, don't call it `timestamp`, since in this case Graylog's timestamp is used, not yours. I ended up using a prefix on every field I am storing.

Klaus
  • I had a similar problem and used Python to access the API. A simple script can be found [here](https://gist.github.com/prathje/862cc96b531e0dcf904f5ea71f7812a1). – P. Rathje Mar 20 '21 at 16:57
  • here is another example using shell script : https://dev.to/boly38/hourly-errors-from-graylog-to-slack-24ga – boly38 Mar 21 '21 at 12:14
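The same request built with the Python standard library, as an added example that is not from the answer or the linked gist: it builds the `/api/search/universal/absolute` URL from the parameters the answer uses, sends the token as basic auth (username = token, password = `token`), reads the token from an environment variable instead of hard-coding it, and extracts the hits from the response. `GRAYLOG_URL`, `GRAYLOG_TOKEN`, the prefixed `app_ts` field and the sample response are assumptions.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Assumed configuration: keep the API token out of source control by reading it
# from the environment; the defaults are placeholders, not real values.
GRAYLOG_URL = os.environ.get("GRAYLOG_URL", "https://host.td")
GRAYLOG_TOKEN = os.environ.get("GRAYLOG_TOKEN", "<token_value>")


def build_search_url(base, query, fields, limit, sort=None, stream_id=None,
                     start="1970-01-01T00:00:00.000Z", end="2038-01-19T03:14:07.000Z"):
    """Build the absolute-range search URL; urlencode() escapes the colons and
    commas in the query, field list, sort and stream filter. The default range
    is epoch 0 to the max 32-bit timestamp, i.e. 'all logs' as in the answer."""
    params = {"query": query, "from": start, "to": end,
              "limit": limit, "fields": ",".join(fields), "decorate": "false"}
    if sort:
        params["sort"] = sort
    if stream_id:
        params["filter"] = "streams:" + stream_id
    return base + "/api/search/universal/absolute?" + urllib.parse.urlencode(params)


def auth_headers(token):
    """Graylog API tokens go in HTTP basic auth: username = token, password = 'token'."""
    creds = base64.b64encode((token + ":token").encode()).decode()
    return {"Authorization": "Basic " + creds, "Accept": "application/json"}


def extract_messages(body):
    """Return (list of message dicts, total hit count) from a search response body."""
    data = json.loads(body)
    return [hit["message"] for hit in data.get("messages", [])], data.get("total_results", 0)


def search(query, fields, limit=50, **range_and_sort):
    """Run the search over HTTPS; never log the returned headers with the token."""
    url = build_search_url(GRAYLOG_URL, query, fields, limit, **range_and_sort)
    req = urllib.request.Request(url, headers=auth_headers(GRAYLOG_TOKEN))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_messages(resp.read())


# Constructed sample of the search response shape, for offline use; 'app_ts' is
# the prefixed timestamp field the answer's bonus tip recommends instead of 'timestamp'.
SAMPLE_RESPONSE = json.dumps({"total_results": 2, "messages": [
    {"index": "graylog_0", "message": {"app_ts": "2021-03-20T16:57:00.000Z", "field1": "a"}},
    {"index": "graylog_0", "message": {"app_ts": "2021-03-20T16:58:00.000Z", "field1": "b"}}]})
```

`search("field:value", ["field1", "app_ts"], sort="app_ts:desc", stream_id="<stream_id>")` performs the live request; `extract_messages(SAMPLE_RESPONSE)` exercises the parsing without a server.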
