OK, let's do some real searching now. The command for that is filter, and the arguments that have to be specified in sequence, separated by slashes are:
- name of the logspace
- from (as a UNIX timestamp)
- to (timestamp, too)
- your search expression (optional, defaults to none)
- offset
- limit (these work just as they do in SQL)

First, let's find out when syslog-ng was started or restarted on the box:
$ wget -q --no-check-certificate -O - --header "Cookie: AUTHENTICATION_TOKEN=$SESSID" "https://$SSB_IP/api/1/search/logspace/filter/local?from=0&to=9999999999&search_expression=starting up&offset=0&limit=10" | jq '.result'
[
  {
    "tag": [],
    "dynamic": {
      ".SDATA.timeQuality.isSynced": "0"
    },
    "msgid": "",
    "stamp": 1384943027,
    "recvd": 1384943027,
    "pri": 5,
    "facility": 5,
    "host": "rpcapitest",
    "message": "logindexd starting up; version='4.2.4ssb3.2.23'",
    "program": "index-center",
    "pid": "4408"
  },
  {
    "tag": [],
    "dynamic": {
      ".SDATA.timeQuality.isSynced": "0"
    },
    "msgid": "",
    "stamp": 1384943027,
    "recvd": 1384943027,
    "pri": 5,
    "facility": 5,
    "host": "rpcapitest",
    "message": "logindexd starting up; version='4.2.4ssb3.2.23'",
    "program": "index-local",
    "pid": "4407"
  },
  [..... and a screenful of other results .....]
As you can see I set the timestamps to 0 and some huge value to make sure time filtering does not apply. We will try that in a sec, too.

But first, this doesn't look right: these are not only messages from syslog-ng, the indexer processes are talking as well. Let's print only the program field of each result with jq to see more clearly:
$ wget -q --no-check-certificate -O - --header "Cookie: AUTHENTICATION_TOKEN=$SESSID" "https://$SSB_IP/api/1/search/logspace/filter/local?from=0&to=9999999999&search_expression=starting up&offset=0&limit=10" | jq '.result[].program'
"index-center"
"index-local"
"syslog-ng"
"index-local"
"index-center"
"index-local"
"index-local"
"index-local"
"index-local"
"index-local"

Let's alter our query to make sure we only get the messages coming from syslog-ng:
$ wget -q --no-check-certificate -O - --header "Cookie: AUTHENTICATION_TOKEN=$SESSID" "https://$SSB_IP/api/1/search/logspace/filter/local?from=0&to=9999999999&search_expression=starting up program:syslog-ng&offset=0&limit=10" | jq '.result'
[
  {
    "tag": [],
    "dynamic": [],
    "msgid": "",
    "stamp": 1384943029,
    "recvd": 1384943029,
    "pri": 5,
    "facility": 5,
    "host": "ssb1",
    "message": "syslog-ng starting up; version='4.2.4ssb3.2.23', cfg-fingerprint='54d093e5b748276c497a141390614e079fff6cc0', cfg-nonce-ndx='0', cfg-signature='d46966469bf5934c1c7280375f349dcc2d7906dc'",
    "program": "syslog-ng",
    "pid": "4433"
  }
]
It's much better now: as you can see, it is a pretty fresh install and syslog-ng has only been started once. The only thing we did was add program:syslog-ng to our query. You can use everything there that you could use on the UI. Note that wget actually helps a lot here: it automatically URL-encodes our query string, making sure that special characters such as the space and the colon are passed properly to the API. In other environments, you might have to do that yourself.
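The same filter call, written out as an added Python example (not code from the original post, and not part of SSB or its API client): it builds the filter URL with explicit URL-encoding of the search expression, sends the AUTHENTICATION_TOKEN cookie the way the wget one-liners do, and walks a result set page by page with offset/limit. The host name ssb.example, the session id, and the SAMPLE_STORE entries are constructed; fake_fetch stands in for the HTTP call so the script runs offline, and its token matching only approximates SSB's search semantics.

```python
"""Added example: SSB filter search with explicit URL-encoding and
offset/limit paging. Not from the original post or from the SSB product."""
import json
import ssl
import urllib.request
from urllib.parse import urlencode, quote, urlsplit, parse_qs


def build_filter_url(ssb_ip, logspace, from_ts, to_ts,
                     search_expression="", offset=0, limit=10):
    """Build the filter URL used in the post. urlencode(..., quote_via=quote)
    percent-encodes the space and the colon in the search expression
    (%20 and %3A), which is what wget did silently for the shell one-liners."""
    params = {"from": int(from_ts), "to": int(to_ts),
              "search_expression": search_expression,
              "offset": int(offset), "limit": int(limit)}
    return "https://%s/api/1/search/logspace/filter/%s?%s" % (
        ssb_ip, quote(logspace, safe=""), urlencode(params, quote_via=quote))


def fetch_json(url, session_id, verify_tls=True):
    """Real HTTP call carrying the AUTHENTICATION_TOKEN cookie (not exercised
    offline). verify_tls=False mirrors wget --no-check-certificate for a lab box."""
    req = urllib.request.Request(
        url, headers={"Cookie": "AUTHENTICATION_TOKEN=%s" % session_id})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def iter_results(fetch, ssb_ip, session_id, logspace, from_ts, to_ts,
                 search_expression="", page_size=10):
    """Walk the whole result set SQL style: request page_size rows, advance
    offset, stop when a short page comes back."""
    offset = 0
    while True:
        url = build_filter_url(ssb_ip, logspace, from_ts, to_ts,
                               search_expression, offset, page_size)
        page = fetch(url, session_id).get("result", [])
        for entry in page:
            yield entry
        if len(page) < page_size:
            return
        offset += page_size


def programs(entries):
    """Same projection as jq '.result[].program'."""
    return [e["program"] for e in entries]


# Constructed sample store standing in for the "local" logspace (values invented).
SAMPLE_STORE = [
    {"stamp": 1384943027, "program": "index-center", "message": "logindexd starting up"},
    {"stamp": 1384943027, "program": "index-local", "message": "logindexd starting up"},
    {"stamp": 1384943029, "program": "syslog-ng", "message": "syslog-ng starting up"},
    {"stamp": 1384943030, "program": "index-local", "message": "logindexd starting up"},
    {"stamp": 1384950000, "program": "sshd", "message": "Accepted publickey for admin"},
    {"stamp": 1384960000, "program": "syslog-ng", "message": "syslog-ng starting up"},
]


def fake_fetch(url, session_id):
    """Offline stand-in for fetch_json: decodes the query string and applies a
    simplified search (every plain token must occur in the message, a
    program:NAME token must equal the program field), then the time range and
    offset/limit. An approximation of SSB's search, not a reimplementation."""
    q = parse_qs(urlsplit(url).query)
    lo, hi = int(q["from"][0]), int(q["to"][0])
    offset, limit = int(q["offset"][0]), int(q["limit"][0])
    tokens = q.get("search_expression", [""])[0].split()
    hits = []
    for e in SAMPLE_STORE:
        if not lo <= e["stamp"] <= hi:
            continue
        ok = True
        for tok in tokens:
            if tok.startswith("program:"):
                ok = ok and e["program"] == tok[len("program:"):]
            else:
                ok = ok and tok in e["message"]
        if ok:
            hits.append(e)
    return {"result": hits[offset:offset + limit]}


if __name__ == "__main__":
    # Same query as the post's last wget call, fetched two rows at a time.
    for e in iter_results(fake_fetch, "ssb.example", "dummy-session", "local",
                          0, 9999999999, "starting up program:syslog-ng", 2):
        print(e["stamp"], e["program"], e["message"])
```

Swap fake_fetch for fetch_json and the same iter_results loop runs against a real box; the small page size in the usage call is only there to show the offset advancing more than once.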
TIP: To decrease the load on SSB when searching and receive your search results faster, note the following points.
- Use as small a time range as possible
- Prefer AND instead of OR
- Avoid unneeded wildcard characters, such as * and ?
- Use wildcard characters at the end of the tokens if possible