It took me a long time to figure this out, so here is the solution for anyone else looking for it. The solution is implemented in PHP:
use Carbon\Carbon;
use GuzzleHttp\Client;

$url = 'https://host.td/api/search/universal/absolute'
    . '?query=' . urlencode('field:value') // query you would also run in the UI
    . '&from=' . urlencode(Carbon::createFromTimestamp(0)) // minimum timestamp, so we get all logs
    . '&to=' . urlencode(Carbon::createFromTimestamp(NumberUtils::MAX_32_BIT_INT)) // maximum timestamp, so we get all logs
    . '&limit=' . $this->limit // how many results do we want?
    . '&fields=' . urlencode('field1,field2,field3') // which fields do we want?
    . '&filter=' . urlencode('streams:<stream_id>') // OPTIONAL: only search in this stream
    . '&sort=' . urlencode('field:desc') // sort the result
    . '&decorate=false'; // don't know what that is
$res = (new Client())->get($url, [
    // generate a token in the Graylog UI;
    // we use basic auth: username = the token, password = the hard-coded string 'token'
    'auth' => ['<token_value>', 'token'],
    'headers' => ['Accept' => 'application/json'], // we want a JSON result
]);
$json = \GuzzleHttp\json_decode($res->getBody());
Bonus: if you want to sort by a timestamp you supply yourself, don't call it timestamp, because in that case Graylog's own timestamp is used instead of yours. I ended up using a prefix on every field I store.
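The same absolute search call written in Python with only the standard library, as an added example that is not part of the answer above. The host name, the stream id, the `app_` field prefix and the sample response are constructed placeholders, and the layout of the response (hits under `messages`, each wrapping its fields in `message`) is an assumption about the Graylog universal search API. The API token is read from an environment variable rather than being hard-coded, and it is sent exactly as the answer describes: HTTP Basic auth with the token as the username and the literal string `token` as the password.

```python
import base64
import json
import os
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed placeholder host; replace with your own Graylog server.
GRAYLOG_BASE = "https://graylog.example.invalid"

# Widest possible absolute window: epoch 0 up to the largest 32-bit timestamp,
# the same idea as Carbon::createFromTimestamp(0) / MAX_32_BIT_INT in the PHP snippet.
MIN_TS = datetime.fromtimestamp(0, tz=timezone.utc)
MAX_TS = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # same textual form Carbon's __toString produces


def build_search_url(query, fields, limit=100, stream_id=None,
                     sort="app_timestamp:desc", base=GRAYLOG_BASE):
    """Build the /api/search/universal/absolute URL with properly encoded parameters.

    The default sort uses a prefixed field name ("app_timestamp", an assumed convention):
    sorting on plain "timestamp" would order by Graylog's own timestamp, not yours.
    """
    params = {
        "query": query,                       # same query string you would type in the UI
        "from": MIN_TS.strftime(TS_FORMAT),   # minimum timestamp, so we get all logs
        "to": MAX_TS.strftime(TS_FORMAT),     # maximum timestamp, so we get all logs
        "limit": limit,                       # how many results we want
        "fields": ",".join(fields),           # which fields we want back
        "sort": sort,
        "decorate": "false",
    }
    if stream_id:
        params["filter"] = f"streams:{stream_id}"  # optional: restrict to one stream
    return f"{base}/api/search/universal/absolute?{urlencode(params)}"


def auth_header(token):
    """Graylog API tokens go over HTTP Basic auth: username = token, password = 'token'."""
    raw = f"{token}:token".encode()
    return "Basic " + base64.b64encode(raw).decode()


def search(url, token, timeout=30):
    """Perform the GET request and return the decoded JSON body (network call, not exercised offline)."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": auth_header(token),
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def extract_messages(payload):
    """Return the list of message dicts from a universal-search response.

    Assumed response shape: {"messages": [{"message": {...field values...}, "index": "..."}], ...}
    """
    return [hit["message"] for hit in payload.get("messages", [])]


# Constructed sample response in the assumed shape, so the parsing can be checked offline.
SAMPLE_RESPONSE = {
    "total_results": 2,
    "messages": [
        {"index": "graylog_0", "message": {"app_timestamp": "2020-01-02 10:00:00", "app_field1": "b"}},
        {"index": "graylog_0", "message": {"app_timestamp": "2020-01-01 10:00:00", "app_field1": "a"}},
    ],
}


if __name__ == "__main__":
    url = build_search_url("app_field1:value", ["app_field1", "app_field2"],
                           limit=50, stream_id="STREAM_ID_PLACEHOLDER")
    token = os.environ.get("GRAYLOG_TOKEN")
    if token:
        for msg in extract_messages(search(url, token)):
            print(msg)
    else:
        # No token available: show the URL and parse the constructed sample instead.
        print(url)
        print(extract_messages(SAMPLE_RESPONSE))
```

`urlencode` takes care of the `:` and `,` characters in the query, field list and stream filter, which is the part that is easy to get wrong when the URL is assembled by hand.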