Graylog Search Query Builder, especially useful for working with the Graylog REST API.
Graylog Query Builder is available from the Central Maven Repository.
Maven
```xml
<dependency>
    <groupId>com.joonsang.graylog</groupId>
    <artifactId>graylog-query-builder</artifactId>
    <version>1.0.4</version>
</dependency>
```
Gradle
```groovy
implementation group: 'com.joonsang.graylog', name: 'graylog-query-builder', version: '1.0.4'
```
```java
GraylogQuery.builder()
    .field("type", "ssh")
    .and().exists("id")
    .and().openParen()
        .raw("source:(dog.org OR cat.org)")
    .closeParen()
    .and().range("http_response_code", "[", 200, 300, "]")
    .build();
```
The snippet above generates the string below.
```
type:"ssh" AND _exists_:id AND ( source:(dog.org OR cat.org) ) AND http_response_code:[200 TO 300]
```
Messages that include the term or phrase.
Usage:
```java
GraylogQuery.builder()
    .term("ssh")
    .build();
```
Output:
```
"ssh"
```
Messages that include a similar term or phrase.
Usage:
```java
GraylogQuery.builder()
    .fuzzTerm("ssh logni")
    .build();
```
Output:
```
"ssh logni"~
```
Usage:
```java
GraylogQuery.builder()
    .fuzzTerm("ssh logni", 1)
    .build();
```
Output:
```
"ssh logni"~1
```
Messages that have the field.
Usage:
```java
GraylogQuery.builder()
    .exists("type")
    .build();
```
Output:
```
_exists_:type
```
Messages where the field includes the term or phrase.
Usage:
```java
GraylogQuery.builder()
    .field("type", "ssh")
    .build();
```
Output:
```
type:"ssh"
```
Messages where the field includes the number.
Usage:
```java
GraylogQuery.builder()
    .field("http_response_code", 500)
    .build();
```
Output:
```
http_response_code:500
```
Messages where the field satisfies the condition.
Usage:
```java
GraylogQuery.builder()
    .field("http_response_code", ">", 500)
    .build();
```
Output:
```
http_response_code:>500
```
Messages where the field includes a similar term or phrase.
Usage:
```java
GraylogQuery.builder()
    .fuzzField("source", "example.org")
    .build();
```
Output:
```
source:"example.org"~
```
Usage:
```java
GraylogQuery.builder()
    .fuzzField("source", "example.org", 1)
    .build();
```
Output:
```
source:"example.org"~1
```
Ranges in square brackets are inclusive, ranges in curly brackets are exclusive, and the two bracket styles can be combined.
Usage:
```java
GraylogQuery.builder()
    .range("bytes", "{", 0, 64, "]")
    .build();
```
Output:
```
bytes:{0 TO 64]
```
Dates need to be in UTC.
Usage:
```java
GraylogQuery.builder()
    .range("timestamp", "[", "2019-07-23 09:53:08.175", "2019-07-23 09:53:08.575", "]")
    .build();
```
Output:
```
timestamp:["2019-07-23 09:53:08.175" TO "2019-07-23 09:53:08.575"]
```
Raw query. The string is inserted into the output verbatim, without quoting.
Usage:
```java
GraylogQuery.builder()
    .raw("/ethernet[0-9]+/")
    .build();
```
Output:
```
/ethernet[0-9]+/
```
Usage:
```java
GraylogQuery.builder()
    .term("ssh")
    .and().term("login")
    .build();
```
Output:
```
"ssh" AND "login"
```
Usage:
```java
GraylogQuery.builder()
    .term("ssh")
    .or().term("login")
    .build();
```
Output:
```
"ssh" OR "login"
```
Usage:
```java
GraylogQuery.builder()
    .not().exists("type")
    .build();
```
Output:
```
NOT _exists_:type
```
Usage:
```java
GraylogQuery.builder()
    .exists("type")
    .and().openParen()
        .term("ssh")
        .or().term("login")
    .closeParen()
    .build();
```
Output:
```
_exists_:type AND ( "ssh" OR "login" )
```
Sometimes you might want to compose dynamic queries by condition.
Usage:
```java
GraylogQuery query = GraylogQuery.builder()
    .not().exists("type");

GraylogQuery.builder(query)
    .and().term("ssh")
    .build();
```
Output:
```
NOT _exists_:type AND "ssh"
```
Usage:
```java
GraylogQuery query = GraylogQuery.builder()
    .or().exists("type");

GraylogQuery.builder()
    .term("ssh")
    .append(query)
    .build();
```
Output:
```
"ssh" OR _exists_:type
```
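As an added example (not part of this README or of the project's own code), the following assembles a detection query for failed SSH logins from optional caller-supplied filters, using only the builder calls shown above: `field()`, `range()`, `builder(query)`, `append()`, `openParen()`/`closeParen()` and the operators. It assumes the class is `com.joonsang.graylog.GraylogQuery` (matching the groupId) and that every builder method returns a `GraylogQuery` that can be chained or stored, as the snippets in this README do. The field names `result` and `attempts`, the hostname pattern and the sample hosts are constructed for the example.

```java
// Added example, not code from the graylog-query-builder project. Assumes the
// class is com.joonsang.graylog.GraylogQuery and that builder methods return a
// chainable GraylogQuery, as the README snippets show. Field names "result" and
// "attempts", and the sample host names, are constructed.
import com.joonsang.graylog.GraylogQuery;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class FailedSshLoginQuery {

    // Host names are the only caller-supplied values that reach the query; anything
    // outside this character set is rejected up front. Whether field() escapes an
    // embedded double quote is not documented here, so the allow-list is deliberate.
    private static final Pattern HOSTNAME = Pattern.compile("[A-Za-z0-9.-]{1,253}");

    /**
     * Builds a query for failed SSH logins inside a UTC time window, optionally
     * narrowed to a list of source hosts and to messages reporting more than a
     * given number of attempts. Values go through field()/range(), which quote
     * them, never through raw(), the one method that inserts text verbatim and
     * therefore the one place where an unchecked string could change the shape
     * of the query.
     */
    public static String build(String fromUtc, String toUtc,
                               List<String> sources, Integer moreThanAttempts) {
        GraylogQuery query = GraylogQuery.builder()
            .field("type", "ssh")
            .and().field("result", "failed")
            .and().range("timestamp", "[", fromUtc, toUtc, "]");

        // Optional clause AND ( source:"h1" OR source:"h2" ... ), composed in its
        // own builder and appended only when there is something to filter on.
        if (sources != null && !sources.isEmpty()) {
            GraylogQuery sourceFilter = GraylogQuery.builder();
            boolean first = true;
            for (String host : sources) {
                if (!HOSTNAME.matcher(host).matches()) {
                    throw new IllegalArgumentException("invalid source host: " + host);
                }
                sourceFilter = first
                    ? sourceFilter.field("source", host)
                    : sourceFilter.or().field("source", host);
                first = false;
            }
            query = GraylogQuery.builder(query)
                .and().openParen()
                    .append(sourceFilter)
                .closeParen();
        }

        // Optional numeric threshold, using the comparison form of field().
        if (moreThanAttempts != null) {
            query = GraylogQuery.builder(query)
                .and().field("attempts", ">", moreThanAttempts);
        }

        return query.build();
    }

    public static void main(String[] args) {
        // Constructed sample input: a one-hour UTC window and two bastion hosts.
        String q = build("2019-07-23 09:00:00.000", "2019-07-23 10:00:00.000",
                         Arrays.asList("bastion-1.example.org", "bastion-2.example.org"), 5);
        System.out.println(q);
    }
}
```

The point of routing every value through `field()` and `range()` rather than `raw()` is that the quoted forms shown in this README (`type:"ssh"`, `timestamp:["…" TO "…"]`) keep a caller-supplied string inside one clause, whereas `raw()` passes it straight into the query text. The hostname allow-list is a belt-and-braces check on top of that, since the README does not state how `field()` treats a value that itself contains a double quote. When the resulting string is passed to the Graylog REST API as a query parameter it still needs URL encoding like any other parameter value.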
There are other versions of the Graylog Query Builder library.