Message Summary Templates
Message summary templates customize how search results are displayed in Graylog by replacing the default preview with structured, information-rich summaries. Instead of expanding individual messages, key fields are displayed directly in the results list for faster scanning and comparison.
Templates use field placeholders in the format {field_name} to render specific message data. For example, [{gim_event_type}] {source_ip} - {destination_ip} displays the event type, source, and destination in a consistent, scannable layout. When combined with indicator templates, summaries can also include color coding to visually prioritize critical, successful, or informational events.
This article explains how to create and configure message summary templates, apply formatting best practices, and use indicator templates to improve search clarity and efficiency.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- You must have an active Graylog Illuminate license.
Highlights
The following highlights provide a summary of the key takeaways from this article:
- Message summary templates enhance the presentation layer of search results by defining which fields appear in the collapsed message view and how they're formatted. When enabled, templates replace the default message display with a structured summary that highlights the most relevant information for your investigation workflow.
- Without templates, search results show generic message previews requiring expansion to view details. With templates, each message displays a formatted summary containing the specific fields and context needed for analysis.
- Templates use field placeholders (denoted with {field_name}) to extract and display specific message fields in a custom format. For example, [{gim_event_type}] {source_ip} - {destination_ip} creates a summary showing event type, source, and destination in a consistent, scannable format.
- Use indicator templates to apply color coding to log message content. Critical events can appear in red (danger), successful operations in green (success), and informational messages in blue (info), enabling visual prioritization without reading each message.
Install Message Summary Templates
Message summary templates are delivered and updated as an Illuminate Content Pack. To install:
- Navigate to Enterprise > Illuminate.
- In the search bar, search for Message Summary.
- Enable the spotlight pack titled Illuminate X.X.X:Message Summary Configurations.
For more details on the contents of the summary templates, navigate to System > Content Packs and filter for Default Summary Templates.
Enable or Disable Message Summaries in Search View
By default, message summaries display automatically in any search view with a messages widget once the Illuminate X.X.X:Message Summary Configurations spotlight pack is installed. To control summary display:
- Click the Edit icon at the top right of a widget.
- From the Edit pane, select or deselect Show summary.
- Click Update widget to apply the new settings.
Template Entities
Message summary formatting uses three interconnected entities that determine both the summary format and visual presentation. These entities work together in a hierarchical relationship.
- event_type_category: determines which templates to apply
- summary_template: defines the display format
- indicator_template: controls the color coding
When a log message arrives with a gim_event_subcategory field (like service.configuration), Graylog matches it to an event type category entity. That event type category references both a message summary template (which formats the display) and an indicator template (which applies color coding). The templates use field placeholders in curly braces like {field_name} that get replaced with actual values from your log messages.
For example, if you have a template with the summary format [Alert] service_name:{service_name} | user_name:{user_name}, and a log message contains service_name: "Windows Defender" and user_name: "User1234", the displayed summary becomes [Alert] service_name:Windows Defender | user_name:User1234.
Event Type Category
The event type category entity determines which messages receive specific summary and indicator templates based on the gim_event_subcategory field. This field combines the category and subcategory values with a dot separator to match messages to their appropriate templates. When a log message arrives with gim_event_subcategory=service.configuration, the system applies the associated summary template and indicator template defined for that category.
Event type categories reference templates by name using a specific naming convention. The summary_template field uses the format summaryTemplate.template_name to point to a reusable message summary template object, while the indicator_template field uses indicatorTemplate.template_name to point to an indicator template object. This reference structure allows multiple event categories to share the same templates when required for similar display formatting.
{
"title": "serviceStart",
"description": "Service Start Summary (schema v3.1)",
"category": "service",
"sub_category": "start",
"summary_template": "summaryTemplate.serviceCategory",
"indicator_template": "indicatorTemplate.serviceStateIndicator",
"default_indicator": "default"
}
In this example, the category (service) and sub_category (start) combine to create the matching value service.start in the gim_event_subcategory field. When a log message contains gim_event_subcategory=service.start, the system applies the message summary template with template_id of serviceCategory and the indicator template with type of serviceStateIndicator. This automatic matching and template application happens during search result rendering, transforming raw log data into formatted, color-coded summaries without requiring manual configuration for each message.
Note that an explicit summary string can be placed inline in the summary_template field instead of pointing to a reusable template by name:
summary_template: '[{gim_event_type}] {source_ip} - {destination_ip}'
Indicator templates cannot be written inline. The indicator_template field must always reference an entry in the indicator template collection by name.
Message Summary Templates
Message summary templates are reusable template objects that control the message format. An event type category references them through its summary_template field using the summaryTemplate.template_name format (unless it carries an inline summary string instead). These templates define how log messages appear in the collapsed search results view by specifying which fields to display and how to arrange them using field placeholders. They include the following fields:
- template_id: The unique reference ID used by other entities.
- summary: The desired message format, with field placeholders denoted by curly braces {<field_name>}.
- title: A plain language title.
- description (optional): A plain language description.
{
"template_id" : "serviceCategory",
"summary" : "[{gim_event_type}] service_name:{service_name} | user_name:{user_name}",
"title" : "service category template",
"description" : "Basic service category message template for schema v3.1"
}
In this example, the template with template_id of serviceCategory can be referenced by event type categories using summaryTemplate.serviceCategory. When applied to a log message containing gim_event_type: “service error”, service_name: “Windows Defender”, user_name: “User1234”, this would result in a message summary of: [service error] service_name:Windows Defender | user_name:User1234.
The field placeholders {gim_event_type}, {service_name}, and {user_name} are replaced with their corresponding values from the log message.
Indicator Templates
Indicator templates control the color coding applied to log messages based on field values, providing visual prioritization cues in search results. Each template inspects one message field and applies color-based styling according to predefined arrays of values, so that security analysts and operations teams can pick out critical events, warnings, and normal operations by visual scanning without reading the detailed message content. They include the following fields:
- type: The unique reference ID used by other entities.
- title: A plain language title.
- description (optional): A plain language description.
- indicator: The message field whose value determines which color key to use.
- default_indicator: The color key to use if no value array matches.
- danger/info/primary/success/warning (one or more keys): Array of indicator field values that cause the message to be displayed in the <key> color.
Consider the following example:
{
"type" : "serviceStateIndicator",
"title" : "Service State Indicator",
"description" : "Set summary font color for different service state events",
"success" : [
"service installed",
"service enabled"
],
"danger" : [
"service error",
"service disabled",
"service removed"
],
"indicator" : "gim_event_type",
"default_indicator" : "info"
}
In this example, Graylog checks the value of the gim_event_type field. If the value is service error, service disabled, or service removed, Graylog applies the danger color (red). If the value is service installed or service enabled, Graylog applies the success color (green). Any other value falls back to the default_indicator, here info (blue).
For example, a log message with the fields gim_event_type: "service error", service_name: "Windows Defender", and user_name: "User1234" would appear in the danger color as follows: [service error] service_name:Windows Defender | user_name:User1234.
A log message with the fields gim_event_type: "service enabled", service_name: "Windows Defender", and user_name: "User1234" would appear in the success color as follows: [service enabled] service_name:Windows Defender | user_name:User1234.
Indicator templates support multiple color categories, including danger, info, primary, success, warning, gray, and a default fallback value. These mappings generally follow familiar UI conventions. For example, danger is typically used for errors or harmful changes, success for normal or expected positive states, and warning for conditions that may require attention. The appearance of these colors can be customized globally, and those customizations apply for all users in both light and dark themes.
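The following is an added example, not Graylog's own code: a stand-alone Python model of how the three entities above combine at render time. The serviceStart category, the serviceCategory summary template and the serviceStateIndicator indicator template are the page's JSON examples; the service.configuration category (using the inline summary string shown earlier), the COLOR_KEYS precedence order and all sample messages are constructed for illustration. It also shows the unresolved-placeholder behaviour covered under Troubleshooting: a field that is missing or differently cased in the message leaves the literal {field_name} in the summary.

```python
"""Model of event type category -> summary template + indicator template.

Added example; not Graylog code. Entities are the page's JSON examples plus
constructed ones marked below.
"""
import re

SUMMARY_TEMPLATES = {  # keyed by template_id
    "serviceCategory": "[{gim_event_type}] service_name:{service_name} | user_name:{user_name}",
}

INDICATOR_TEMPLATES = {  # keyed by type
    "serviceStateIndicator": {
        "indicator": "gim_event_type",
        "default_indicator": "info",
        "success": ["service installed", "service enabled"],
        "danger": ["service error", "service disabled", "service removed"],
    },
}

EVENT_TYPE_CATEGORIES = [
    {"category": "service", "sub_category": "start",
     "summary_template": "summaryTemplate.serviceCategory",
     "indicator_template": "indicatorTemplate.serviceStateIndicator"},
    # Constructed: same indicator template, but an inline summary string.
    {"category": "service", "sub_category": "configuration",
     "summary_template": "[{gim_event_type}] {source_ip} - {destination_ip}",
     "indicator_template": "indicatorTemplate.serviceStateIndicator"},
]

# Assumed precedence when a value appears in more than one array (page does not say).
COLOR_KEYS = ("danger", "warning", "success", "primary", "info", "gray")
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def find_category(message):
    """Match gim_event_subcategory against '<category>.<sub_category>'."""
    wanted = message.get("gim_event_subcategory")
    for cat in EVENT_TYPE_CATEGORIES:
        if f"{cat['category']}.{cat['sub_category']}" == wanted:
            return cat
    return None


def resolve_summary(ref):
    """'summaryTemplate.<id>' names a reusable template; anything else is inline."""
    prefix = "summaryTemplate."
    return SUMMARY_TEMPLATES[ref[len(prefix):]] if ref.startswith(prefix) else ref


def resolve_indicator(ref):
    """Indicator templates can only be referenced by name, never written inline."""
    prefix = "indicatorTemplate."
    if not ref.startswith(prefix):
        raise ValueError(f"indicator_template must use {prefix}<type>, got {ref!r}")
    return INDICATOR_TEMPLATES[ref[len(prefix):]]


def render(template, message):
    """Replace each {field} with the message value; a missing field (names are
    case-sensitive) is left as the literal placeholder."""
    return PLACEHOLDER.sub(
        lambda m: str(message[m.group(1)]) if m.group(1) in message else m.group(0),
        template)


def pick_color(indicator, message):
    """First color key whose value array contains the indicator field's value,
    otherwise the template's default_indicator."""
    value = message.get(indicator["indicator"])
    for key in COLOR_KEYS:
        if value in indicator.get(key, ()):
            return key
    return indicator["default_indicator"]


def summarize(message):
    """Return {'summary', 'indicator'} or None when no category matches
    (Graylog would then show the default preview)."""
    cat = find_category(message)
    if cat is None:
        return None
    return {"summary": render(resolve_summary(cat["summary_template"]), message),
            "indicator": pick_color(resolve_indicator(cat["indicator_template"]), message)}


# Constructed sample messages; only the field names follow the page.
MESSAGES = [
    {"gim_event_subcategory": "service.start", "gim_event_type": "service error",
     "service_name": "Windows Defender", "user_name": "User1234"},
    {"gim_event_subcategory": "service.start", "gim_event_type": "service enabled",
     "service_name": "Windows Defender", "user_name": "User1234"},
    # Wrong-case field name, and an event type present in no value array.
    {"gim_event_subcategory": "service.start", "gim_event_type": "service started",
     "service_name": "Windows Defender", "User_Name": "User1234"},
    {"gim_event_subcategory": "service.configuration", "gim_event_type": "service configured",
     "source_ip": "10.0.0.5", "destination_ip": "10.0.0.9"},
    {"message": "no GIM schema fields at all"},
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(summarize(msg))
```

Running the block prints one result per sample message: the first two render in danger and success, the third keeps the literal {user_name} and falls back to info, the fourth uses the inline template, and the last returns None because no event type category matches it.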
Color Customization
Customize your desired color selections by navigating to the Enterprise > Customization page. This global customization interface allows administrators to modify the color scheme across the entire Graylog web interface, including the colors applied by indicator templates in message summaries.
Troubleshooting and Common Issues
This section lists common issues and the steps to resolve them.
Issue: Templates Not Displaying
Message summaries do not appear in search results even after installing the Illuminate pack.
Solution: Verify Configuration
The Show summary checkbox may be deselected in the message widget configuration. Open the widget's edit pane and verify that Show summary is selected.
Or, the Illuminate Message Summary spotlight pack is not enabled. Verify that the spotlight pack is enabled under Enterprise > Illuminate, and confirm that the "Default Summary Templates" pack appears under System > Content Packs.
Issue: Field Placeholders Not Resolving
Summaries display literal text like {service_name} instead of actual field values.
Solution: Verify Fields and Schema Mapping
The log messages may not contain the fields referenced in the template. If your template uses {service_name} but your logs don't have a service_name field, the placeholder won't resolve.
Additionally, field names in the template may not match the actual field names in your logs (case-sensitive mismatch or typos).
Or, your logs aren't using the GIM Schema fields that the default templates expect. The Illuminate templates work with GIM Schema out of the box, so logs without proper GIM field mapping will not display correctly.