Graylog supports a wide variety of widgets that allow you to quickly visualize data from your logs. A widget is either an Aggregation or a Message Table. This section gives you information to better understand each widget type and how they can provide you with relevant details for the many logs you receive.

A widget can be freely placed inside a query and can be edited or duplicated by clicking the chevron at the top right corner of the widget. When you select Copy to Dashboard, you can choose from a list of existing dashboards, or place the widget in a new dashboard by selecting the check box.

Create a Widget

To add a widget to your search or dashboard, click Create (+ ) in the sidebar.

You can create an empty aggregation or a predefined aggregation by selecting a listed option such as:Message Table or Message Count.

To include all available investigations in your search, select the Investigations Overview widget, seen below.

Aggregation

The goal of an aggregation is to reduce the number of data points in a meaningful way to get a result. Data points can be numeric field types in a message, like a took_ms field that contains information on how much time a page took to be rendered. Data points can also be string values that may be used to group an aggregation. For example, an action field which contains the name of the controller action.

Configure an Aggregation

After you have created an empty widget, click the pen icon found in the top right corner of the widget or click Edit to open the widget edit modal.

Group By

This option allows you to group your chart by rows and columns. When you create a new group using Group By, the values you select get rolled up into the result. This result can be presented in a variety of ways. You may present the data as a table, chart or colored visualization.

At a glance, if timestamp is a field attributed to a row it will divide data points into intervals. Otherwise the aggregation will take up to 15 elements of the selected field by default and it will apply the selected metrics function to the data points.

Example

The timestamp field is aggregated with avg() on took_ms. The column action will give the average loading time for a page per action for every 5 minutes.

Metrics

Metrics are a collection of functions that aggregate data points. The result of the aggregation depends on the grouping of rows and/or columns. The data points of a field will be aggregated to the grouping.

Example

The avg() function will find the average of the numeric data points of took_ms around the configured grouping.

Visualizations

In order to display the result of an aggregation it is often easier to compare lots of result values in a graphic. An Area Chart, Bar Chart, Heatmap, Data Table, Line Chart, Pie Chart, Scatter Plot, Single Number or World Map can be used for visualization. A World Map needs geographical points in the form of latitude, longitude.

Sorting and Direction

The order of result values can be configured here. Sorting defines which field the sorting should be done by and direction configures whether it will be ascending or descending.

Interpolation

Visualizations like the Area Chart and Line Chart support different interpolation types. Available interpolation types are Linear, Step-after and Spline.

Event Annotations

All visualizations which can display a time line (Area Chart, Bar chart, Line Chart, Scatter Plot) support event annotations. Each event will be displayed as an entry on the time axis.

The Message Table

The Message Table displays the messages and their fields. The Message Table can be configured to show the message fields and the actual message. The actual message is in the row below the fields. Clicking on a message row opens the detailed view of a message with all its fields.

The Percentage Metric

The percentage metric helps to display results in the form of percentages instead of raw numbers. In some cases, percentages are easier to read and provide better insight into results. Results can be represented as percentages in bar charts, pie charts, and message tables.

To apply the percentage metric to your search results:

  1. Click the + icon in the left side bar.

  2. Select aggregation from among the options. An empty widget will appear.

  3. Click Edit and select percentage as the function.

Percentage Metric Use Case

Let's say an analyst wants to understand which controllers are receiving the most amount of calls and how much difference there is between each. They could quickly reach an opinion by viewing a comparison of the percentage of calls over controllers in a chart like the one below. Here the count metric displays the number of messages received from three different message controllers.

The Percentile Metric

The percentile metric helps to display the percentile or the relative standing of a certain value compared to the total. To apply the percentile metric to your search results:

  • Click the + icon in the left side bar.

  • Select Aggregation from among the options. An empty widget will appear.

  • Click Edit and select Percentile as the function.

You may then select the field you are looking for along with a percentile value from the drop down menu.

Percentile Metric Use Case

You have a web server application that reports its response times as GELF messages which are ingested by your Graylog instance. You wish to understand your application’s 90th, 95th, and 99th percentile response times. These response times could be noted as the normal range.

Value and Field Actions

Values and fields are visible in the Sidebar and in Data Tables and Detail Message Rows. When you click a value or a field you will get a context menu. You can use this to execute different actions.

Field Actions

Various Field actions are displayed based on field type and location whenever a field name (not its value) is clicked on.

  • Chart: This will generate a new Widget containing a line chart where the field's average value is displayed over time. This chart can be taken as a starting point for a more defined aggregation. This is only possible in fields that are numerical.

  • Show top values: This action will generate a new Widget containing a data table where the field values are listed in rows and the number of occurrences will be displayed next to it. This was formerly known as the “Quick Values” action.

  • Statistics: Here field values are given to various statistics functions depending on field type. The result will be displayed in a Data Table Widget.

  • Add to table: Add the field to the displayed fields of the Message Table where the Field Actions menu is shown.

  • Add to all tables: Add the field to the displayed fields of all tables.

  • Remove from table: Remove the field from the list displayed fields in this table.

  • Remove from all tables: Remove the field from the list displayed fields in all tables.

Value Actions

Value actions produce different results depending on the type of value and where the menu is opened. The following actions can be executed.

  • Insert into view: This action will open up a modal where a view can be selected. A selectable list of Parameters will appear in the selected view. After choosing a parameter a new browser tab which contains the view with the value used in the parameter will appear. This action is only available in Graylog Enterprise.

  • Exclude from results: Will add to the query to exclude all results where the field contains the value of the value action.

  • Add to query: Will add NOT field:value to the query to filter the results additionally for where the field has the value of the value action.

  • Use in new query: Will add field:value open a new view tab with a query string.

  • Show documents for value: This is available in Data Tables. It will display documents which were aggregated to display this value.

  • Create extractor: This provides a short cut to create an extractor for values of type string in Message Tables.

  • Highlight this value: This action will highlight this value for this field in all Message Tables and Data Tables.

Reposition and Resize

Widgets can be freely placed inside the search result grid. You can drag and drop them with the three lines to the left of the widget name or you can resize them by using the gray arrow in the bottom-right corner. To expand a widget to full grid width, click the arrow in its top-right corner.

If you want to expand the view of aggregated data in your Log View widget, see Focus on the Widget.