Saved Searches

Graylog provides saved search functionality to allow for easy access to previous search criteria. For example, if you frequently need to search through web requests made the day before, then you may benefit from saving this search rather than entering the criteria each time. You can also use saved searches as a building block for dashboards.

Create Saved Searches

You can save a search via the Search page:

  1. Enter and submit your search.

  2. Click the Save button on the right side of the search bar.

  3. Enter a unique title for the search.

  4. (Optional) Enter any collaboration and sharing options. See Add Collaboration and Sharing for details.

  5. Click Create new.

saved_search_create_v2

Load and Manage Saved Searches

To locate a previously saved search, click the Load button and select the saved search from the list as seen below. You can also delete a saved search through this dialog box.

To update a previously saved search:

  1. Click Load and select the desired saved search from the list.

  2. Edit the search results. You may add new fields for a message table, add new widgets, or define a different search query.

  3. Click Save.

You may change the search title through this dialog box and also click the Save as button to create a new saved search without modifying the original saved search.

To update collaboration options, select the Share button. Use Manage collections on the More menu to add an existing saved search to a collection.

Add Collaboration and Sharing

The Graylog permissions model requires you to grant access to any intended collaborators on an entity. You can share entities with individuals or teams when you create the entity. You can also include the entity in existing collections.

Add Collaborator

Use the Add Collaborator section to share the entity with individual users or teams. You can set a different access level for each collaborator you add.

  1. Enter a search term or scroll the list to find a user or team to add.

  2. Select the access level the user should receive:

    • Viewer: Can view the entity but not make any changes to it.

    • Manager: Can edit any aspect of the entity. For some entities, this access level allows the user to delete the entity.

    • Owner: Has the same permissions as Manager but adds the ability to share the entity with other users.

  3. Click Add Collaborator.

Repeat these steps for each collaborator you want to add. As you add collaborators, they are listed with their access level. You can change the access level or delete a collaborator before proceeding.

Add to Collection

Use the Add to collection section to add the entity to a collection. Enter a search term or scroll the list to find a collection, then select the item to add it. Note that you can add multiple collections in this field. The entity is added to each collection you include. All entities in a collection are shared together when you share the collection.

Hint: When you create an entity, the Add to collections section shows any default collections set via team membership as automatically added. You cannot remove default collections, although you can add additional collections or individual collaborators.

See Collections for information about using collections for sharing and permission management. See Permission Management for complete information about roles and sharing in Graylog.

Search Query String History

Graylog enables you to search through your recent query string history to retain queries you have used in other event replays and dashboards. The search bar supports auto completion and displays relevant search queries you have entered in the past. When selected, these queries replace the current query string.

The search query history button is at the right of the search bar, represented with a counterclockwise arrow icon. All queries are saved to the Mongo database, making it possible to search through past queries via the drop-down menu that appears when you click the icon. Searches are listed in descending order from newest to oldest.

Hint: The shortcut alt-space shows suggestions for a query input. When the input is empty, this shortcut shows query history suggestions. If you already have an input, use alt-shift-h to prompt suggestions. See Keyboard Shortcuts for information about other shortcuts.