This is a Graylog Enterprise feature, available since Graylog v3.3. A valid Graylog Enterprise license is required.

Graylog's search filters are designed to help you find specific log messages. With the right search syntax, you can build complex queries and mix filter criteria from other filters to refine your results.

You can save a search filter as a snippet, which you can combine with other filters or queries using the AND operator. Search filters let you exercise more control over your searches by allowing you to perform custom actions on your search results.

This guide will show you how to add a search filter to your searches, create new filters, save them for future use, and share them with others.

Adding a Search Filter

There are two ways to add a filter to a search. Users can either select from their already existing filter collection or create new filters.

Select from Already Existing Filters (“My Filters”)

  • Click on the folder icon next to the Filters button to open your list of saved filters.

  • Expand filter details by clicking on the drop-down arrow next to the selected filter.

  • After you select the filter, it appears in the search filters bar.

Hint: You can also hold the Shift key to select multiple search filters.

Create a New Search Filter

  • Click on the “+” icon, and in the pop-up box that appears, create a new search filter by:

    – Inputting a query into the search query field.

    – Giving the search filter a title and a description (optional).

When creating search filters, save them in the “My Filters” collection. These saved filters are referenced in subsequent searches, so any change made to one of them affects every search where it is used. Inline filters, on the other hand, are saved only for the current search, so users can edit them without affecting other searches.

Saving Searches with Filters

Users can save their searches with filters for future use by clicking on the Save button. When saving a search with filters, all filter references will be persisted. This means that Graylog will remember which filters were used in the query and automatically apply them when loading the search.

This is useful when you want to quickly investigate a problem that occurs sporadically and filter out all irrelevant messages. You can simply use a saved search filter to generate targeted results rather than creating a new query.

When you share a saved search that includes filters, every user who has access to the saved search can interact with its filters, even when they are referenced.

Share a filter with any users (with your own or managed permissions) to allow them to edit the filter directly.

Sharing Saved Filters

Shared search filters can be helpful for team collaboration as well as for sharing best practices within an organization. For example, a team may want to share a filter used for troubleshooting purposes with other teams, or an organization might want to share a filter that highlights important log data for all users to see.

To Share a Saved Search Filter

  • Click on the folder icon and select the saved filter you intend to share.

  • Click on the drop-down menu for the selected saved filter and select Share from the options list.

  • In the resulting window, search for and select the user you intend to share the search filter with. Then click the Add Collaborator button, and click the Save button.

Actions with Search Filters

Disable and Enable 

To disable or enable a filter, click on the check box next to the search filter title. A strike-through line shows whether the filter is enabled or disabled.

Disabled filters will stay in the saved search. 

Exclude and Include from the Result

To exclude the search query of a search filter from the results, select the filter, expand its drop-down menu, and click on Exclude from results.

This will add the NOT operator to the search filter query.

Editing

  • To edit search filters, click on the Edit button from the drop-down menu beneath the search filter name.

  • Editing a referenced filter (saved in My Filters) will affect all searches where that particular filter is in use; to prevent this, create an inline filter by checking the Create copy for current search selection box.

  • Save to My Filters.

  • Users can also save already created inline filters to My Filters by selecting Save to "My Filters" from the filter's drop-down menu.

Other actions in this menu include:

  • Remove: This removes a filter from the search.

  • Copy query to clipboard: This copies the filter query to your clipboard.

My Filters

The best way to find information on usage of your filters is to navigate to the My Filters page. You can do so by selecting Enterprise, then My Search Filters. This page provides an overview of all saved searches that reference search filters, including who is using the saved searches, which dashboard widgets utilize the saved search filter, and where they are being used. Users can also share, edit, or delete their filters from this page.

You can also select a saved search filter to view more details.

If a user attempts to edit or delete a saved search query, a pop-up notification appears, informing the user that the query is being referenced in a saved search and that changes to the filter will affect the search results of the saved search wherever it is referenced.