Search Configuration

Search configuration in Graylog controls how search behaves across the environment. These settings let administrators manage the balance between usability and performance by limiting broad queries, defining available time range and refresh options, and controlling certain analysis features in the interface. Some search settings are configured in the Graylog web interface, while others are defined in the server configuration file. Together, these options help standardize the search experience and reduce the risk of expensive queries affecting system performance.

Search behavior in Graylog is configured in two primary locations:

  • Graylog interface: Settings under System > Configurations > Search control search options available to users in the Graylog interface.

  • Server configuration: Settings in the server.conf file control backend search behavior and performance-related features that require node-level configuration.

In this article, we will discuss the search configuration options available in Graylog and how they affect search behavior in both the web interface and server configuration.

Graylog Interface Configuration

The Search Configuration page contains global configuration settings that determine how you interact with search across the web interface. Navigate to System > Configurations > Search to configure search settings in Graylog.

The following configuration settings are adjustable via the interface: 

  • Query Time Range Limit: Limits how far back in time users can search. This helps prevent overly large queries that could affect performance. If a search exceeds the configured limit, Graylog automatically adjusts the time range to match the maximum allowed. See the following section for more information.

  • Cancellation Timeout: Sets how long a search can run per widget before it is automatically stopped. This helps prevent long-running queries from consuming resources.

  • Search Time Range Presets: Defines the preset time ranges displayed in the Relative Time Frame Selector on the search page. This setting controls which relative time range options users can select in the web interface.

  • Surrounding Search Filter Fields: Specifies which fields are used when expanding a message to view surrounding log entries. This determines how related messages are grouped.

  • UI Analysis Disabled for Fields: Lists fields where UI-based analysis features, such as quick values or charts, are disabled. This is typically used for large text fields to improve performance.

  • Surrounding Time Range Options: Defines the available time intervals for viewing surrounding messages. This controls how much context is shown before and after a selected log entry.

  • Auto-Refresh Interval Options: Specifies the selectable refresh intervals for automatically updating search results, such as every five seconds or one minute.

  • Default Auto-Refresh Interval: Sets the default refresh rate applied when auto-refresh is enabled.

Query Time Range Limit

This setting limits how far back in time you can search, and it prevents overly large queries that could impact performance. When a search query exceeds the configured limit, Graylog automatically adapts the time range to match the configured maximum.

The query time range limit is a duration formatted according to ISO 8601 following the basic format P<date>T<time> with the following rules:

| Designator | Description |
|---|---|
| P | Duration designator (for period) placed at the start of the duration representation |
| Y | Year designator that follows the value for the number of years |
| M | Month designator that follows the value for the number of months |
| W | Week designator that follows the value for the number of weeks |
| D | Day designator that follows the value for the number of days |
| T | Time designator that precedes the time components of the representation |
| H | Hour designator that follows the value for the number of hours |
| M | Minute designator that follows the value for the number of minutes |
| S | Second designator that follows the value for the number of seconds |

Query Time Range Limit Examples

The following examples show how ISO 8601 duration values are written when configuring the query time range limit.

| ISO 8601 duration | Description |
|---|---|
| P30D | 30 days |
| PT1H | 1 hour |
| P1DT12H | 1 day and 12 hours |

More details about the format of ISO 8601 durations can be found here.
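
The following Python sketch is an added example, not Graylog code. It validates a limit value against the P<date>T<time> rules above, tells the month M from the minute M by its position relative to T, and models the clamping of a relative search range. The function names are hypothetical, and rejecting year and month values when converting to a fixed length is an assumption of this example, not documented Graylog behavior.

```python
import re
from datetime import timedelta

# Date designators (Y, M = months, W, D) come before T;
# time designators (H, M = minutes, S) come after it.
_DURATION = re.compile(
    r"P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?"
    r"(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?"
)


def parse_duration(text):
    """Return the components of an ISO 8601 duration as a dict of ints."""
    match = _DURATION.fullmatch(text)
    if match is None:
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    fields = {k: int(v) for k, v in match.groupdict().items() if v is not None}
    # "P", "PT" and a dangling "T" (as in "P1DT") carry no usable value.
    if not fields or text.endswith("T"):
        raise ValueError(f"duration has an empty component: {text!r}")
    return fields


def to_timedelta(fields):
    """Convert parsed components to a fixed length of time."""
    # Assumption of this example: years and months have no fixed length,
    # so they are rejected rather than approximated.
    if "years" in fields or "months" in fields:
        raise ValueError("years and months are calendar-dependent")
    return timedelta(**fields)


def clamp_relative_range(requested, limit_text):
    """Return (effective_range, was_clamped) for a relative search range."""
    limit = to_timedelta(parse_duration(limit_text))
    if requested > limit:
        return limit, True
    return requested, False


if __name__ == "__main__":
    for value in ("P30D", "PT1H", "P1DT12H", "P1M", "PT1M"):
        print(value, parse_duration(value))
    print(clamp_relative_range(timedelta(days=90), "P30D"))
```
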

Server Configuration

These settings control backend search behavior and performance characteristics and can be modified in the Graylog configuration file.

Hint: Changes to this file require that you restart Graylog before they take effect.

The following configuration settings are adjustable via the server configuration file:

  • Search Result Highlighting: Controls whether matching terms are highlighted in search results. This option is disabled by default. Enabling it slightly increases resource consumption. To enable or disable it, set the allow_highlighting configuration parameter in server.conf to true or false.

  • Leading Wildcard Search: Controls whether leading wildcard searches, such as *error, are allowed. This option is disabled by default because it can increase memory use and slow query performance by requiring a full index scan. To enable or disable it, set the allow_leading_wildcard_searches configuration parameter in server.conf to true or false.
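
The following Python sketch is an added example, not part of Graylog. It reads the text of a server.conf file and reports which of the two options above have been switched away from their documented default, so a configuration review can flag nodes that accept the more expensive searches. The function names and the sample file content are constructed for illustration, and the rule that a later duplicate key overrides an earlier one is an assumption.

```python
# Defaults documented on this page: both options are disabled unless set to true.
DOCUMENTED_DEFAULTS = {
    "allow_highlighting": False,
    "allow_leading_wildcard_searches": False,
}

# Cost of enabling each option, as described on this page.
COST = {
    "allow_highlighting": "slightly increases resource consumption",
    "allow_leading_wildcard_searches":
        "can increase memory use and slow queries (full index scan)",
}


def effective_search_settings(conf_text):
    """Return the effective value of each search option in a server.conf text."""
    effective = dict(DOCUMENTED_DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blank lines and comments; a commented-out key has no effect.
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in effective:
            # Assumption: a later duplicate overrides an earlier one.
            effective[key] = value.strip().lower() == "true"
    return effective


def audit(conf_text):
    """List (option, cost) pairs for options enabled against the default."""
    settings = effective_search_settings(conf_text)
    return [(key, COST[key]) for key, value in settings.items()
            if value != DOCUMENTED_DEFAULTS[key]]


# Constructed sample content, not taken from a real node.
SAMPLE_CONF = """\
# search options
allow_highlighting = true
#allow_leading_wildcard_searches = true
"""

if __name__ == "__main__":
    for option, cost in audit(SAMPLE_CONF):
        print(f"{option} is enabled: {cost}")
```
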
