Export Search Results

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Graylog Enterprise supports the following formats for exporting log data from your search result:

Export Search Results

To export your search results as an external file:

  1. Select the ellipsis to the right of the Share button next to the search bar.

  2. Select Export.

  3. This will open a menu where you may select your preferred output type, which fields to include in the export, and a message limit if desired.

    • Fields to export: The initial fields selected are based on the message table configured for the search; however, you may include additional fields as required.

    • Messages limit (optional): Please note that messages are loaded in chunks of fixed size, and because the final chunk will rarely end exactly at that fixed size, it is likely that the total number of messages exported will slightly exceed the number defined by the user.

  4. Click on Start Download.

Export Search Results as GELF

It is possible to export the results of your search to newline-delimited GELF format. Once exported, the resulting messages can be replayed directly to one of the supported GELF inputs in Graylog.

Sample Exported Messages

{"timestamp":1696947690.329,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:53.703Z GET /posts/45326 [200] 48ms","_http_method":"GET","_action":"show"}
{"timestamp":1696947690.331,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:54.000Z GET /posts [200] 61ms","_http_method":"GET","_action":"index"}
{"timestamp":1696947690.331,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:54.252Z GET /posts/45326 [200] 61ms","_http_method":"GET","_action":"show"}
{"timestamp":1696947690.331,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:54.573Z GET /login [200] 57ms","_http_method":"GET","_action":"login"}
{"timestamp":1696947690.331,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:54.876Z GET /posts [200] 60ms","_http_method":"GET","_action":"index"}

Sometimes, it may be useful to export messages in GELF format and override the timestamp of all messages to the current or a preferred date/time. This is possible by setting the optional Graylog server configuration property: export_gelf_use_now_timestamps=false.
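An exported file can be checked before it is replayed, so that malformed lines are rejected and the message count is trimmed back to the limit that the chunked export may have overshot. The following is an added example, not Graylog's own code. Assumptions: the function names are hypothetical, the target is a GELF TCP input using the null-byte frame delimiter, and the host and port passed to `replay` are supplied by you.

```python
import json
import socket

# Constructed sample: two lines shaped like the export above, one malformed line.
SAMPLE_EXPORT = """\
{"timestamp":1696947690.329,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:53.703Z GET /posts/45326 [200] 48ms","_http_method":"GET","_action":"show"}
{"timestamp":1696947690.331,"version":"1.1","host":"graylog.org","short_message":"2023-10-10T14:20:54.000Z GET /posts [200] 61ms","_http_method":"GET","_action":"index"}
{"timestamp":1696947690.331,"host":"graylog.org","http_method":"GET"}
"""
REQUIRED = ("version", "host", "short_message")
STANDARD = set(REQUIRED) | {"full_message", "timestamp", "level", "facility", "line", "file"}

def check_gelf(msg):
    """Return a list of GELF 1.1 violations for one decoded message."""
    problems = [f"missing {k}" for k in REQUIRED if k not in msg]
    if msg.get("version") not in (None, "1.1"):
        problems.append("version is not 1.1")
    for key in msg:
        if key not in STANDARD and not key.startswith("_"):
            problems.append(f"additional field {key} lacks '_' prefix")
    return problems

def load_export(text, limit=None):
    """Parse newline-delimited GELF; return (valid messages, rejected lines)."""
    good, rejects = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            msg = json.loads(line)
            problems = check_gelf(msg) if isinstance(msg, dict) else ["not a JSON object"]
        except json.JSONDecodeError as exc:
            problems = [f"invalid JSON: {exc.msg}"]
        if problems:
            rejects.append((lineno, problems))
        else:
            good.append(msg)
    # The export may slightly exceed the requested messages limit; trim to it.
    return (good[:limit] if limit is not None else good), rejects

def frame_tcp(messages):
    """Serialize for a GELF TCP input: one JSON object per frame, null-byte terminated."""
    return b"".join(json.dumps(m, separators=(",", ":")).encode() + b"\0" for m in messages)

def replay(messages, host, port):
    """Send the framed messages to a GELF TCP input at host:port."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame_tcp(messages))
```

Review the rejected line numbers returned by `load_export` before calling `replay`, since a replayed message is indexed like any other incoming log.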