Export Search Results

Graylog lets you export search results so you can review data outside the web interface, share results with other stakeholders, or use the output in external reporting and analysis workflows. Export behavior depends on the widget type, selected format, and license level, and some export options apply only to tabular widgets.

This article covers the available export formats, how to export search results from the Search page and dashboards, how to include decorated fields, how to export the full message, and what to check if an export does not behave as expected.

Supported Export Formats

The available export file formats depend on the widget type and on your license.

Hint: Graylog Enterprise users can export all widget types and supported formats. However, Graylog Open users can export only message table widgets in CSV format.

Aggregation Widgets

For aggregation widgets, you can export the following formats:

  • CSV

  • JSON

  • PDF

  • YAML

  • XLSX

  • XML

Other Widget Types

For all other widget types, you can export the following formats:

  • CSV

  • GELF (newline-delimited)

  • JSON

  • NDJSON (newline-delimited JSON)

  • Log file / plain text

  • PDF

See Widgets for information about the different types of widgets and how to build them.

Export Search Results from the Search Page

To export your search results as an external file:

  1. From the Search page, click the ellipsis to the right of the Share button on the Search bar, then select Export.

    Hint: If your search page includes multiple message table widgets, you are shown a dialog to choose which table to export. The export can include only one table.

  2. Select the file format to export.

  3. Select which fields to include in the export. The initial fields selected are based on the message table configured for the search. Choose additional fields as required from the drop-down list.

  4. (Optional) Add a message limit if desired. If no limit is applied, all applicable data is included in the export.

    Messages are loaded in chunks of a fixed size. Because the export rarely ends exactly on a chunk boundary, the total number of exported messages will likely slightly exceed the limit you define.

  5. Click Start Download.

Additionally, you can export any widget directly by clicking the Export widget icon on the widget itself. For widgets that display data in tables (for instance, "All Messages" or "Log View"), the process is the same as described above. For other widget types (for instance, "Message Count" or "Events Overview"), you can select only the output format.

Export Search Results from a Dashboard

You can export search results from a dashboard in much the same way as from the Search page or saved searches. You can use the Export option on the search bar, which applies only to tabular widgets, or you can click the Export widget icon on any widget.

Hint: If you use the search bar Export and your dashboard includes tables across multiple pages, all of those tables are available when you are prompted to choose which table to export. If the dashboard does not include any tabular widgets, the search bar Export option does not apply.

When you export a widget, the result includes the values currently displayed on the dashboard. Remember that each widget in a dashboard has its own search criteria, but the dashboard's search bar functions as a filter. Therefore, if you have a search filter applied, an export includes only the filtered results. If you want to export the search results of the defined widget, make sure to clear the dashboard's search bar.

Export Decorated Fields

Search export supports fields created by decorators, but these fields are not listed in the field selection options and must be created manually. Decorator support is available only for tabular widgets.

To export a decorated field, enter its name in the field select and click the option Create field_name. To verify that a decorated field is available in the current search, open a widget's edit panel by clicking the Edit icon. Any available decorators are listed there.

Export the Full Message

If you want to export the full original message, keep in mind that it must be present in the stored message. Some Graylog inputs and file shippers can be configured to store the original message in the full_message field. Often, the message field can be used to export the entire, unparsed message.

Troubleshooting and Common Issues

This section describes common export issues and how to resolve them.

Issue: Export does not start or does not contain the expected result

Depending on the number of messages, the export can take a while. Check the Graylog server logs to monitor export progress in more detail.

Solution: Check logs and reduce export scope

If the download never starts or the document does not contain the expected result, review the Graylog server logs for possible problems. You might also try filtering or segmenting the data to avoid large downloads and focus on specific content you require.

Issue: Exported results are not sorted as expected

Exporting search results does not necessarily preserve sorting because Graylog uses the virtual _doc field to "sort" documents for performance reasons.

Solution: Use supported export types or post-process the file

All aggregation widgets preserve your sort order, as do all exports to PDF format. If you need the exported data ordered, post-process the downloaded file using an external tool.
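One way to do that post-processing, as an added example that is not part of the Graylog documentation: the script below sorts a CSV export by timestamp and trims it to an exact row count, which also removes the small overshoot a message limit can leave. The sample export is constructed, and the column names (timestamp, source, message) and the ISO 8601 timestamp format are assumptions about your export.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a CSV export; the column names (timestamp, source,
# message) and the ISO 8601 timestamp format are assumptions about the export.
SAMPLE_EXPORT = '''"timestamp","source","message"
"2024-05-01T10:00:03.120Z","fw01","deny tcp 10.0.0.5:4431 -> 10.0.0.9:22"
"2024-05-01T10:00:01.004Z","web01","GET /login 401, user=""alice"""
"2024-05-01T10:00:02.500Z","app01","Traceback (most recent call last):
  File ""app.py"", line 10"
"2024-05-01T10:00:01.004Z","web02","GET /login 200"
'''


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T10:00:03.120Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def postprocess_export(text, limit=None, newest_first=False, ts_field="timestamp"):
    """Return (fieldnames, rows) sorted by timestamp and trimmed to `limit`.

    The csv module is used instead of line-based sorting because a message
    value may contain commas, quotes, or embedded newlines.
    """
    reader = csv.DictReader(io.StringIO(text, newline=""))
    rows = list(reader)
    # sorted() is stable, so rows with equal timestamps keep their file order.
    rows = sorted(rows, key=lambda r: parse_ts(r[ts_field]), reverse=newest_first)
    if limit is not None:
        rows = rows[:limit]  # drop rows beyond the requested count
    return reader.fieldnames, rows


def to_csv(fieldnames, rows):
    """Serialize rows back to CSV with every field quoted."""
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    names, ordered = postprocess_export(SAMPLE_EXPORT, limit=3)
    print(to_csv(names, ordered), end="")
```

Trimming happens after sorting, so with the default ascending order the rows dropped are the newest ones; pass newest_first=True to keep the most recent rows instead.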
