如何从API上的灰日志中检索日志

Question

如何使用PHP从灰色日志服务器搜索日志？

假设灰日志服务器是https://host.td/api/search/universal/absolute

Answer 1

这个解决方案是用PHP实现的：

$url = 'https://host.td/api/search/universal/absolute'
   . '?query=' . urlencode('field:value')                 //query which you would also perform on UI
   . '&from=' . urlencode(Carbon::createFromTimestamp(0)) // min timestamp so we get all logs
   . '&to=' . urlencode(Carbon::createFromTimestamp(NumberUtils::MAX_32_BIT_INT)) // max timestamp so we get all logs
   . '&limit=' . $this->limit                             //how many results do we want?
   . '&fields=' . urlencode('field1,field2,field3')       //which fields do we want?
   . '&filter=' . urlencode('streams:<stream_id>')        //OPTIONAL: only search in this stream
   . '&sort=' . urlencode('field:desc')                   //sort result
   . '&decorate=false';                                   //decorate parameter


$res = (new Client())->get($url, [
    // generate a token on graylog UI;
    // we use basic auth, username=the token; password: hard coded string 'token'
'auth'    => ['<token_value>', 'token'],
'headers' => ['Accept' => 'application/json']             //we want a json result
]);

$json = \GuzzleHttp\json_decode($res->getBody());

如果您想按所提供的时间戳进行排序，请不要将其称为时间戳，因为在本例中使用的是graylog的时间戳，而不是您的时间戳。最后，我在存储的每个字段上都使用了前缀。