PHP version of the Graylog Search Query Builder, especially useful for working with the Graylog REST API.
PHP 7.0 through PHP 7.4 are currently supported. Installing Graylog Query Builder for PHP with Composer is recommended.
Add php-graylog-query-builder to composer.json, either by running Composer:
$ composer require debugrammer/php-graylog-query-builder
or by defining it manually:
"require": {
"debugrammer/php-graylog-query-builder": "~1.0"
}
use GraylogQueryBuilder\GraylogQuery as GraylogQuery;
GraylogQuery::builder()
->field('type', 'ssh')
->and()->exists('id')
->and()->openParen()
->raw('source:(dog.org OR cat.org)')
->closeParen()
->and()->range('http_response_code', '[', 200, 300, ']')
->build();
The code snippet above generates the string below.
type:"ssh" AND _exists_:id AND ( source:(dog.org OR cat.org) ) AND http_response_code:[200 TO 300]
Messages that include the term or phrase.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->term('ssh')
->build();
Output:
"ssh"
Messages that include a similar term or phrase (fuzzy match).
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->fuzzTerm('ssh logni')
->build();
Output:
"ssh logni"~
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->fuzzTerm('ssh logni', 1)
->build();
Output:
"ssh logni"~1
Messages that have the field.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->exists('type')
->build();
Output:
_exists_:type
Messages where the field includes the term or phrase.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->field('type', 'ssh')
->build();
Output:
type:"ssh"
Messages where the field includes the number.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->field('http_response_code', 500)
->build();
Output:
http_response_code:500
Messages where the field satisfies the condition.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->opField('http_response_code', '>', 500)
->build();
Output:
http_response_code:>500
Messages where the field includes a similar term or phrase (fuzzy match).
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->fuzzField('source', 'example.org')
->build();
Output:
source:"example.org"~
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->fuzzField('source', 'example.org', 1)
->build();
Output:
source:"example.org"~1
Ranges in square brackets are inclusive, ranges in curly brackets are exclusive, and the two bracket styles can be combined in one range.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->range('bytes', '{', 0, 64, ']')
->build();
Output:
bytes:{0 TO 64]
The dates need to be in UTC.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->range('timestamp', '[', '2019-07-23 09:53:08.175', '2019-07-23 09:53:08.575', ']')
->build();
Output:
timestamp:["2019-07-23 09:53:08.175" TO "2019-07-23 09:53:08.575"]
Raw query.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->raw('/ethernet[0-9]+/')
->build();
Output:
/ethernet[0-9]+/
Messages that match both conditions (AND).
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->term('ssh')
->and()->term('login')
->build();
Output:
"ssh" AND "login"
Messages that match either condition (OR).
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->term('ssh')
->or()->term('login')
->build();
Output:
"ssh" OR "login"
Messages that do not match the condition (NOT).
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->not()->exists('type')
->build();
Output:
NOT _exists_:type
Grouping conditions with parentheses.
Usage:
GraylogQueryBuilder\GraylogQuery::builder()
->exists('type')
->and()->openParen()
->term('ssh')
->or()->term('login')
->closeParen()
->build();
Output:
_exists_:type AND ( "ssh" OR "login" )
Sometimes you may want to compose a query dynamically, adding parts only when a condition holds.
Usage:
$query = GraylogQueryBuilder\GraylogQuery::builder()
->not()->exists('type');
GraylogQueryBuilder\GraylogQuery::builder($query)
->and()->term('ssh')
->build();
Output:
NOT _exists_:type AND "ssh"
Usage:
$query = GraylogQueryBuilder\GraylogQuery::builder()
->or()->exists('type');
GraylogQueryBuilder\GraylogQuery::builder()
->term('ssh')
->append($query)
->build();
Output:
"ssh" OR _exists_:type
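The conditional composition shown above is also how untrusted request parameters should reach a query: only through field(), term() and range(), whose outputs are quoted as in the earlier sections, while raw() (which passes its argument through unchanged) stays reserved for fixed, developer-controlled fragments. This is an added example, not code from the project; the filter array shape, the field names and the sample values are assumptions.

```php
<?php
// Added example, not part of php-graylog-query-builder itself.
require __DIR__ . '/vendor/autoload.php';

use GraylogQueryBuilder\GraylogQuery;

/**
 * Build a Graylog search query from optional filters (e.g. from a web form).
 * Assumed $filters keys, all optional: 'host', 'min_status', 'max_status', 'keyword'.
 * Untrusted values only pass through field()/term()/range(); raw() is never
 * given request data, so a value such as `x OR *` is quoted rather than
 * interpreted as query syntax.
 */
function buildAuditQuery(array $filters): string
{
    // Fixed base written by the developer: only messages carrying a source field.
    $query = GraylogQuery::builder()
        ->exists('source');

    if (!empty($filters['host'])) {
        // Appended as source:"<host>", following the append() pattern above.
        $hostPart = GraylogQuery::builder()
            ->and()->field('source', (string) $filters['host']);
        $query = $query->append($hostPart);
    }

    if (isset($filters['min_status'], $filters['max_status'])) {
        // Cast to int first so the range bounds are always numeric.
        $query = GraylogQuery::builder($query)
            ->and()->range('http_response_code', '[',
                (int) $filters['min_status'], (int) $filters['max_status'], ']');
    }

    if (!empty($filters['keyword'])) {
        $keyword = (string) $filters['keyword'];
        // Grouped alternative: the keyword in the message field or anywhere.
        $query = GraylogQuery::builder($query)
            ->and()->openParen()
            ->field('message', $keyword)
            ->or()->term($keyword)
            ->closeParen();
    }

    return $query->build();
}

// Constructed sample input; the second value is shaped like an injection attempt.
$filters = ['host' => 'web-01.example.org', 'min_status' => '500',
            'max_status' => '599', 'keyword' => 'login OR *'];
echo buildAuditQuery($filters), PHP_EOL;
```

Because the keyword is wrapped in quotes by field() and term(), the OR inside it is searched for as text instead of widening the query to every message.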