Graylog Query Builder for JavaScript

JavaScript version of Graylog Search Query Builder especially useful for working with Graylog REST API.

Installation

npm install js-graylog-query-builder

Usage

const GraylogQuery = require('js-graylog-query-builder')

GraylogQuery.builder()
  .field('type', 'ssh')
  .and()
  .exists('id')
  .and()
  .openParen()
  .raw('source:(dog.org OR cat.org)')
  .closeParen()
  .and()
  .range('http_response_code', '[', 200, 300, ']')
  .build()

Above code snippet generates the string below.

type:"ssh" AND _exists_:id AND ( source:(dog.org OR cat.org) ) AND http_response_code:[200 TO 300]

Building Queries

1. Statements

1.1. Term

Messages that include the term or phrase.

Usage:

GraylogQuery.builder()
  .term('ssh')
  .build()

Output:

"ssh"

1.2. Fuzz Term

Messages that include similar term or phrase.

1.2.1. Fuzziness with default distance

Usage:

GraylogQuery.builder()
  .fuzzTerm('ssh logni')
  .build()

Output:

"ssh logni"~

1.2.2. Fuzziness with custom distance

Usage:

GraylogQuery.builder()
  .fuzzTerm('ssh logni', 1)
  .build()

Output:

"ssh logni"~1

1.3. Exists

Messages that have the field.

Usage:

GraylogQuery.builder()
  .exists('type')
  .build()

Output:

_exists_:type

1.4. Field

1.4.1. Field (String)

Messages where the field includes the term or phrase.

Usage:

GraylogQuery.builder()
  .field('type', 'ssh')
  .build()

Output:

type:"ssh"

1.4.2. Field (Numeric)

Messages where the field includes the number.

Usage:

GraylogQuery.builder()
  .field('http_response_code', 500)
  .build()

Output:

http_response_code:500

1.4.3. One side unbounded range query

Messages where the field satisfies the condition.

Usage:

GraylogQuery.builder()
  .opField('http_response_code', '>', 500)
  .build()

Output:

http_response_code:>500

1.5. Fuzz Field

Messages where the field includes similar term or phrase.

1.5.1. Fuzziness with default distance

Usage:

GraylogQuery.builder()
  .fuzzField('source', 'example.org')
  .build()

Output:

source:"example.org"~

1.5.2. Fuzziness with custom distance

Usage:

GraylogQuery.builder()
  .fuzzField('source', 'example.org', 1)
  .build()

Output:

source:"example.org"~1

1.6. Range

1.6.1. Range query

Ranges in square brackets are inclusive, curly brackets are exclusive and can even be combined.

Usage:

GraylogQuery.builder()
  .range('bytes', '{', 0, 64, ']')
  .build()

Output:

bytes:{0 TO 64]

1.6.2. Date range query

The dates needs to be UTC.

Usage:

GraylogQuery.builder()
  .range('timestamp', '[', '2019-07-23 09:53:08.175', '2019-07-23 09:53:08.575', ']')
  .build()

Output:

timestamp:["2019-07-23 09:53:08.175" TO "2019-07-23 09:53:08.575"]

1.6. Raw

Raw query.

Usage:

GraylogQuery.builder()
  .raw('/ethernet[0-9]+/')
  .build()

Output:

/ethernet[0-9]+/

2. Conjunctions

2.1. And

Usage:

GraylogQuery.builder()
  .term('ssh')
  .and()
  .term('login')
  .build()

Output:

"ssh" AND "login"

2.2. Or

Usage:

GraylogQuery.builder()
  .term('ssh')
  .or()
  .term('login')
  .build()

Output:

"ssh" OR "login"

2.3. Not

Usage:

GraylogQuery.builder()
  .not()
  .exists('type')
  .build()

Output:

NOT _exists_:type

3. Parentheses

Usage:

GraylogQuery.builder()
  .exists('type')
  .and()
  .openParen()
  .term('ssh')
  .or()
  .term('login')
  .closeParen()
  .build()

Output:

_exists_:type AND ( "ssh" OR "login" )

Advanced Usage

Sometimes you might want to compose dynamic queries by condition.

1. Prepend Graylog query

Usage:

const query = GraylogQuery.builder()
  .not()
  .exists('type')

GraylogQuery.builder(query)
  .and()
  .term('ssh')
  .build()

Output:

NOT _exists_:type AND "ssh"

2. Append Graylog query

Usage:

const query = GraylogQuery.builder()
  .or()
  .exists('type')

GraylogQuery.builder()
  .term('ssh')
  .append(query)
  .build()

Output:

"ssh" OR _exists_:type