Saved Searches
Saved searches let you preserve the full structure of a search so you can run it again without rebuilding it each time. In addition to the query itself, a saved search can retain filters, time ranges, and parameters, making it useful for recurring investigations, dashboard widgets, and shared team workflows.
In this article, we will discuss saved searches in Graylog, including how to create them, manage them, and use them in collaborative workflows.
Saved Searches Explained
Saved searches help you reuse search logic across routine investigations, dashboards, and team workflows. Instead of recreating the same query, filters, and time range each time, you can save the search once and load it when needed. The following examples show common ways saved searches are used in Graylog.
Recurring Investigations
Security teams often review the same types of events on a regular basis. A saved search for failed login attempts with specific field filters and time range settings can be loaded each morning and executed without rebuilding the search. Operations teams can use saved searches in the same way for recurring checks on application errors or service issues.
Dashboards
Saved searches can also serve as the basis for dashboard widgets. When you create a widget that tracks a specific type of activity, the saved search defines which events to include and how the data is filtered. This makes it easier to reuse and maintain search logic across dashboards.
Shared Workflows
Saved searches support collaboration by giving multiple users access to the same search setup. Teams can share saved searches through collections or direct collaboration so that everyone uses the same query logic, field selections, and filters during investigations or reviews.
Parameterized Investigations
Saved searches can include parameters for values that change between investigations, such as usernames or IP addresses. This lets you reuse the same search structure without creating a separate saved search for each variation.
Create a Saved Search
To create and save a search via the Search page:
- Enter and submit your search query.
- Configure the time range, select streams if needed, add any filters, and verify that the results match your desired output.
- Click the Save button on the right side of the search bar.
- Enter a unique title for the search that clearly describes its purpose. For example, "Failed SSH Logins in the last 24h."
- (Optional) Enter any collaboration and sharing options before saving. See Share a New Entity for details.
- Click Create new to finalize the saved search.
The saved search now appears in your saved searches list and can be loaded from any search page. All search components, including the query string, time range configuration, stream selections, field configurations, and any parameters you defined, are preserved.
Manage Saved Searches
To load a saved search, click the Load button on the search page and select the desired search from the list. The saved searches dialog displays all searches you have created or that have been shared with you, organized with titles, summaries, and descriptions to help you locate the right one quickly. Use the search box at the top of the dialog to find specific saved searches by name or description.
When you load a saved search, Graylog applies all saved configurations to the current search page. If the search includes parameters without default values, you will see a parameter input dialog prompting you to provide values before execution. Once loaded, you can modify any aspect of the search and execute it immediately, or make changes and save to update the original saved search.
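As an added illustration (not Graylog's own code) of the two behaviours described above for parameterized saved searches: a declared parameter with no default value must be supplied before the search can execute, which is what the parameter input dialog enforces, and the supplied value for a username or IP address is escaped so it is matched literally rather than interpreted as query syntax. The `$name$` placeholder form, the escaping rules (modelled on Lucene query syntax) and the sample search are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed placeholder form for a parameter inside a saved query string.
PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")

# Query-syntax characters (Lucene-style, assumed) that must be backslash-escaped
# when a user-supplied value is spliced into the query string.
_SPECIAL_CHARS = set('+-!(){}[]^"~*?:\\/ &|')


@dataclass
class Parameter:
    name: str
    default: Optional[str] = None  # None means the user must be prompted


@dataclass
class SavedSearch:
    title: str
    query: str                                  # may contain $name$ placeholders
    time_range: str                             # e.g. a relative range such as "last 24h"
    streams: List[str] = field(default_factory=list)
    parameters: List[Parameter] = field(default_factory=list)


def escape_value(value: str) -> str:
    """Escape query-syntax characters so the value matches literally."""
    return "".join("\\" + ch if ch in _SPECIAL_CHARS else ch for ch in value)


def missing_parameters(search: SavedSearch, supplied: Dict[str, str]) -> List[str]:
    """Parameters the user must be prompted for: no default and not supplied."""
    return [p.name for p in search.parameters
            if p.default is None and p.name not in supplied]


def resolve_query(search: SavedSearch, supplied: Dict[str, str]) -> str:
    """Build the executable query: defaults first, supplied values override them."""
    missing = missing_parameters(search, supplied)
    if missing:
        raise ValueError("missing values for parameters: " + ", ".join(missing))
    values = {p.name: p.default for p in search.parameters if p.default is not None}
    values.update(supplied)

    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in values:
            raise ValueError(f"undeclared parameter ${name}$ in query")
        return escape_value(values[name])

    return PLACEHOLDER.sub(substitute, search.query)


# Constructed sample saved search: 'result' has a default, 'username' does not.
FAILED_LOGINS = SavedSearch(
    title="Failed logins for user",
    query="action:login AND result:$result$ AND user:$username$",
    time_range="last 24h",
    streams=["auth-events"],
    parameters=[Parameter("result", default="failure"), Parameter("username")],
)
```

Loading `FAILED_LOGINS` with no values reports `username` as missing, while supplying a value such as `jdoe OR *` yields `user:jdoe\ OR\ \*`, so the extra operators cannot widen the search.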
Collaboration and Sharing
Graylog's permissions model requires explicit access grants for collaborators who need to view or modify saved searches. You can configure access during creation or later using the Share button. The following access levels are available:
- Viewer: Lets you view results without modifications.
- Manager: Permits editing and potentially deletion.
- Owner: Adds sharing capabilities and delegation of collaboration management.
For team-based workflows, collections provide a streamlined approach by grouping related saved searches. When you add a search to a collection during creation using the Add to collections section, it becomes accessible to everyone with collection access. This simplifies permission management compared to individual sharing and allows the same search to belong to multiple collections organized by project, investigation type, or team responsibility.
Search Query History
Graylog maintains a query history that captures every search query entered, including those used in event replays and dashboards. This functionality provides a safety net for queries that are not saved, letting you recover and reuse all past searches.
Access query history by clicking the counterclockwise icon at the right of the search bar. The dropdown menu lists your recent queries from newest to oldest, with auto-complete support to help you find a specific past query quickly. When you select a query from history, it replaces your current query string, so you can execute it immediately or modify it before running.
All queries are stored in the MongoDB database, making your complete query history searchable and accessible across sessions.
Alt+space shows suggestions for the query input. When the input is empty, this shortcut shows query history suggestions. If the input already contains text, use Alt+shift+h to show the suggestions. See Keyboard Shortcuts for information about other shortcuts.