Export Search Results

You can export your search results to a variety of document formats so that you can perform additional analysis of the data, create targeted reports, or complete other tasks you might require. Remember that you can add widgets to your search results page to get different visualizations of the data. When you export search results, you can export data based on the default All Messages table or any widget you have added.

The export file formats available vary based on the type of widget as well as user license.

Hint: Graylog Enterprise users can export all widget types and all the listed formats. However, Graylog Open users can export only message table widgets in CSV format.

For aggregation widgets, you can export the following formats:

  • CSV

  • JSON

  • PDF

  • YAML

  • XLSX

  • XML

For all other widget types, you can export the following formats:

  • CSV

  • GELF (newline-delimited)

  • JSON

  • NDJSON (newline-delimited JSON)

  • Log file/plain text

  • PDF

See Widgets for information about the types of widgets and how to create them.

Export Search Results

To export your search results as an external file:

  1. From the Search page, click the ellipsis to the right of the Share button on the Search bar, then select Export.

    Hint: If your search page includes multiple message table widgets, you are shown a dialog to choose which table to export. The export can include only one table.

  2. Select the file format to export.

  3. Select which fields to include in the export. The initial fields selected are based on the message table configured for the search. Choose additional fields as required from the drop-down list.

  4. (optional) Add a message limit if desired. If no limit is applied, all applicable data is included in the export.

    Messages are loaded in chunks of a fixed size, and because the limit rarely falls exactly on a chunk boundary, the total number of messages exported is likely to slightly exceed the limit you define.

  5. Click Start Download.

Additionally, you can export any widget directly by clicking the Export widget icon on the widget itself. For widgets that display data in tables (for instance, All Messages or Log View), the process is the same as described above. For other widget types (for instance, Message Count or Events Overview), you only have the option to select the output format.

Exporting Search Results on a Dashboard

You can export search results from a dashboard in much the same way as from the Search page or saved searches. You can use the Export option on the search bar, which applies only to tabular widgets, or you can click the Export widget icon on any widget.

Hint: If you use the search bar Export and your dashboard includes tables across multiple pages, all tables are available when you are prompted to choose which table to export. Note that if the dashboard does not include any tabular widgets, the search bar Export option is not valid.

When you export a widget, the result includes the values currently displayed on the dashboard. Remember that each widget in a dashboard has its own search criteria, but the dashboard’s search bar functions as a filter. Therefore, if you have a search filter applied, an export includes only the filtered results. If you want to export the search results of the defined widget, make sure to clear the dashboard’s search bar.

Decorator Support

While search export supports fields created by decorators, they are not listed in the fields select options list and must be created manually. Note that decorator support is available only for tabular widgets.

When you want to export a decorated field, enter its name in the field select and click the option Create field_name. To verify that a decorated field is available in the current search, open a widget’s edit panel by clicking the Edit icon. Any available decorators are listed there.

Exporting the Full Message

If you want to export the full original message, keep in mind that it must be present in the stored message. Some Graylog inputs and file shippers can be configured to store the original message in the full_message field. Often, the message field can be used to export the entire, unparsed message.

Troubleshooting

Depending on the number of messages, the export can take a while. If the download never starts or the document does not contain the expected result, look at the server.log for possible problems. You might also try filtering or segmenting the data to avoid large downloads and focus on specific content you require.

Warning: Exporting search results does not necessarily preserve sorting because Graylog uses the virtual _doc field to “sort” documents for performance reasons. All aggregation widgets, as well as all exports to PDF format, preserve your sort order. If you need to have the exported data ordered, you might need to post-process the downloaded file via other means.
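
One way to do the post-processing mentioned in the warning for a CSV export, shown as an added example (not Graylog code). It assumes the export includes a timestamp column holding ISO 8601 values; the sample rows are constructed and the function names are hypothetical.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of an exported message table (not real Graylog output).
# Assumption: the "timestamp" field was selected for export and is ISO 8601.
SAMPLE_EXPORT = """\
timestamp,source,message
2024-05-01T12:00:03.120Z,fw01,"deny tcp 10.0.0.5:4431 -> 10.0.0.9:22"
2024-05-01T12:00:01.004Z,web01,"GET /login 200"
,web01,"row exported without a timestamp"
2024-05-01T12:00:02.500Z,fw01,"allow udp 10.0.0.7:53"
2024-05-01T12:00:01.004Z,web02,"GET /health 200"
"""

def parse_ts(value):
    """Return an aware datetime, or None if the value is empty or malformed."""
    try:
        # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
        ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    # Treat values without an offset as UTC so all rows are comparable.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def sort_export(csv_text, ts_field="timestamp", newest_first=False):
    """Sort exported rows by timestamp; return (sorted_csv_text, unparsed_rows)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if ts_field not in (reader.fieldnames or []):
        raise ValueError(f"export has no {ts_field!r} column")
    good, bad = [], []
    for row in reader:
        ts = parse_ts(row[ts_field])
        (good if ts is not None else bad).append((ts, row))
    # list.sort() is stable: rows with equal timestamps keep their export order.
    good.sort(key=lambda pair: pair[0], reverse=newest_first)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(row for _, row in good)
    # Rows that could not be ordered are returned separately, not silently dropped.
    return out.getvalue(), [row for _, row in bad]

if __name__ == "__main__":
    ordered, unparsed = sort_export(SAMPLE_EXPORT)
    print(ordered, end="")
    print(f"{len(unparsed)} row(s) had no usable timestamp")
```

Sorting restores order only within the rows that were exported; if a message limit was set, the file is not guaranteed to contain the earliest or latest messages of the search.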