Some RHEV REST API search queries for events return no records
Environment
RHEV 3.0
Issue
When we use the REST API to search for events that meet a particular criteria we don't get any records returned even though we know the events exist.
The following works and will return all events.
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:PASSWORD 'https://rhevm-test.example.com:8443/api/events'
If I search for a Severity of error it returns all records of normal severity.
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:PASSWORD 'https://rhevm-test.example.com:8443/api/events?search=severity%3Derror'
If I search for code or type I get nothing. Time is also another one that returns nothing.
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:PASSWORD 'https://rhevm-test.example.com:8443/api/events?search=code%3C59'
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:PASSWORD 'https://rhevm-test.example.com:8443/api/events?search=code%3C59&from=600000'
We want to be able to query for certain types of events that are older or younger than a particular time but if we use the codes below we get no events returned even if we see the events when we don't apply a search.
Resolution
The search query for events follows the basic format outlined in the following sections of the manuals:
However there are several caveats:
1) type can not be searched comparatively, comparison of < or > is not supported.
2) the time field although named 'time' can only be searched based on date format.
3) the 'from' constraint is not a temporal constraint as one might quite naturally infer, it is based on the search from a specific audit_log_id. It is included as a separate url parameter from the search parameter.
4) you must wrap urls in curl / wget calls with '' otherwise & is interpreted as background process request by the bash shell.
5) url quote < or > signs etc. You can use python and urllib to check your calls:
python
import urllib
urllib.quote('time<12/12/2012 and time>10/12/2012 order by time asc')
=> 'time%3C12/12/2012%20and%20time%3E10/12/2012%20order%20by%20time%20asc
The following outlines some queries and the emitted SQL to the database to indicate the search process.
Find events that are between 12 October and 12 December where vm status is up:
'time<12/12/2012 and time>10/12/2012 and vms.status=up'
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:xxxxxx 'https://server:8443/api/events?search=time%3C12/12/2012%20and%20time%3E10/12/2012%20and%20vms.status%3dup'
SELECT * FROM (SELECT * FROM audit_log WHERE ( audit_log_id > 0 and audit_log_id IN (SELECT audit_log.audit_log_id FROM audit_log LEFT OUTER JOIN vms_with_tags ON audit_log.vm_id=vms_with_tags.vm_guid WHERE ( ( audit_log.log_time < 'Dec 12, 2012 12:00 AM' AND audit_log.log_time > 'Oct 12, 2012 12:00 AM' ) AND vms_with_tags.status = '1' ))) ORDER BY audit_log_id DESC ) as T1 OFFSET (1 -1) LIMIT 100
Search for events before "November 9, 2012". Note you can use this or the mm/dd/yyyy format. Note in this case you need to wrap the long format date in double quotes:
'time<"November 9, 2012" sortby time asc'
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:xxxxx 'https://server:8443/api/events?search=time%3C%22November%209%2C%202012%22%20sortby%20time%20asc'
SELECT * FROM (SELECT * FROM audit_log WHERE ( audit_log_id > 0 and audit_log_id IN (SELECT audit_log.audit_log_id FROM audit_log WHERE audit_log.log_time < 'Nov 9, 2012 12:00 AM' )) ORDER BY audit_log_id DESC ) as T1 OFFSET (1 -1) LIMIT 10
Search for yesterdays events:
'time=yesterday and severity=error sortby time desc'
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:xxxxxx 'https://server:8443/api/events?search=time%3Dyesterday%20sortby%20time%20desc'
SELECT * FROM (SELECT * FROM audit_log WHERE ( audit_log_id > 0 and audit_log_id IN (SELECT audit_log.audit_log_id FROM audit_log WHERE ( audit_log.log_time between 'Nov 11, 2012 12:00 AM' and 'Nov 12, 2012 12:00 AM' AND audit_log.severity = '0' ))) ORDER BY log_time DESC) as T1 OFFSET (1 -1) LIMIT 100
Search for specific type of events within a date range:
'time<12/12/2012 and time>10/12/2012 and type=50'
curl -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -k -u admin@internal:xxxxxx 'https://server:8443/api/events?search=time%3C12/12/2012%20and%20time%3E10/12/2012%20and%20type%3D50'
SELECT * FROM (SELECT * FROM audit_log WHERE ( audit_log_id > 0 and audit_log_id IN (SELECT audit_log.audit_log_id FROM audit_log WHERE ( ( audit_log.log_time < 'Dec 12, 2012 12:00 AM' AND audit_log.log_time > 'Oct 12, 2012 12:00 AM' ) AND audit_log.log_type = '50' ))) ORDER BY audit_log_id DESC ) as T1 OFFSET (1 -1) LIMIT 100
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
