Graylog supports a wide variety of widgets which allow you to quickly visualize data from your logs. A widget is either a Message Table or an Aggregation. This section intends to give you some information to better understand each widget type and how they can help you see relevant details of the many logs you receive.
A widget can be freely placed inside a query. A widget can be edited or duplicated by clicking on the chevron at the top right corner of the widget.
Creating a Widget
To add a widget to your search or dashboard:
- Click on Create in the sidebar.
- You may also directly click on the plus sign (+ ).
You can create an empty Aggregation or a predefined widget by selecting Message Table or Message Count.
Empty aggregation widget:
Aggregation
The goal of an aggregation is to reduce the number of data points in a meaningful way to get an answer from them. Data points can be numeric field types in a message (e.g. a took_ms field which contains how long a page needed to be rendered). They can also be string values which may be used to group an aggregation (e.g an action field which contains the name of the controller action).
Configuring an Aggregation
As described in the previous section clicking on -> will create an empty widget on the very top of the search page. Clicking on the top right side will open the widget edit modal.
GROUP BY : This option allows you to “group” your chart by rows and columns. When you create a new group using Group By, the values you select get rolled up into the result. This result can be presented in a variety of ways. You may present the data as a table, chart or colored visualization.
At a glance, if timestamp is a field attributed to a row it will divide data points into intervals. Otherwise the aggregation will take up to 15 elements of the selected field by default and it will apply the selected METRICS function to the data points.
Example The timestamp field is aggregated with avg() took_ms. The column action will give the average loading time for a page per action for every 5 minutes.
METRICS :METRICS are a collection of functions to aggregate data points. The result of the aggregation depends on the grouping of ROWS and/or COLUMNS. The data points of a field will be aggregated to the grouping.
Example The avg()function will find the average of the numeric data points took_ms
VISUALIZATION : In order to display the result of an aggregation it is often easier to compare lots of result values in a graphic. An Area Chart, Bar Chart, Heatmap, Data Table, Line Chart, Pie Chart, Scatter Plot, Single Number World Map can be used for VISUALIZATION. A World Map latitude, longitude
SORTING/DIRECTION : The order of result values can be configured here. SORTING defines which field the sorting should be done by and DIRECTION configures whether it will be ascending descending.
INTERPOLATION : Visualizations like the Area Chart Line Chart Linear, Step-after Spline.
EVENT ANNOTATIONS : All visualizations which can display a timeline (Area Chart, Bar chart, Line Chart, Scatter Plot) support event annotations. Each event will be displayed as an entry on the time axis.
Message Table
The Message Table displays the messages and their fields. The Message Table can be configured to show the message fields and the actual message. The actual message is in the row below the fields. Clicking on a message row opens the detailed view of a message with all its fields.
Value and Field Actions
Values and fields are visible in the Sidebar and in Data Tables and Detail Message Rows. When you click on a value or a field you will get a context menu. You can use this to execute different actions.
Field Actions
Various Field actions are displayed based on field type and location whenever a field name (not its value) is clicked on.
Chart : This will generate a new Widget containing a line chart where the field's average value is displayed over time. This chart can be taken as a starting point for a more defined aggregation. This is only possible in fields that are numerical.
Show top values : This action will generate a new Widget containing a data table where the field values are listed in rows and the number of occurrences will be displayed next to it. This was formerly known as the “Quick Values” action.
Statistics : Here field values are given to various statistics functions depending on field type. The result will be displayed in a Data Table Widget.
Add to table : Add the field to the displayed fields of the Message Table where the Field Actions menu is shown.
Add to all tables : Add the field to the displayed fields of all tables.
Remove from table : Remove the field from the list displayed fields in this table.
Remove from all tables : Remove the field from the list displayed fields in all tables.
Value Actions
The value actions produce different results depending on the type of value and where the menu is opened. The following actions can be executed.
Insert into view : This action will open up a modal where a view can be selected. A selectable list of Parameters will appear in the selected view. After choosing a parameter a new browser tab which contains the view with the value used in the parameter will appear. This action is only available in Graylog Operations.
Exclude from results : Will add to the query to exclude all results where the field contains the value of the value action.
Add to query : Will add NOT field:value to the query to filter the results additionally for where the field has the value of the value action.
Use in new query : Will add field:value open a new view tab with a query string.
Show documents for value : This is available in Data Tables. It will display documents which were aggregated to display this value.
Create extractor : This provides a short cut to create an extractor for values of type string in Message Tables.
Highlight this value : This action will highlight this value for this field in all Message Tables and Data Tables.
Repositioning and Resizing
Widgets can be freely placed inside the search result grid. You can drag and drop them with the three lines to the left of the widget name or you can resize them by using the gray arrow in the bottom-right corner. To expand a widget to full grid width, click on the arrow in its top-right corner.
If you want to expand the view of aggregated data in your Log View widget, go to Focus on the Widget.
