Graylog allows you to customize search query options, such as limiting the time range you can select or configuring the list of displayed relative time ranges.
All search configuration settings can be customized using the web interface on the System > Configurations page in the Search section.
Query Time Range Limit
Sometimes the amount of data stored in Graylog is quite big and spans a wide time range (e. g. multiple years). To prevent accidentally running search queries that could use too many resources, you can limit the time range that searches can run in.
Using this feature, the time range of a search query exceeding the configured query time range limit will automatically be adapted to the given limit.
The query time range limit is a duration formatted according to ISO 8601 following the basic format P<date>T<time> with the following rules:
|
Designator |
Description |
|---|---|
|
|
Duration designator (for period) placed at the start of the duration representation |
|
|
Year designator that follows the value for the number of years |
|
|
Month designator that follows the value for the number of months |
|
|
Week designator that follows the value for the number of weeks |
|
|
Day designator that follows the value for the number of days |
|
|
Time designator that precedes the time components of the representation |
|
|
Hour designator that follows the value for the number of hours |
|
|
Minute designator that follows the value for the number of minutes |
|
|
Second designator that follows the value for the number of seconds |
Examples:
|
ISO 8601 duration |
Description |
|---|---|
|
|
30 days |
|
|
1 hour |
|
|
1 day and 12 hours |
More details about the format of ISO 8601 durations can be found here.
Time Range Presets
The list of time ranges displayed in the Relative Time Frame Selector can be configured, too. It consists of a list of ISO 8601 durations that you can select on the search page.
Search Result Highlighting
Graylog supports search result highlighting:
Enabling/Disabling Search Result Highlighting
Using search result highlighting will result in slightly higher resource consumption of searches. You can enable and disable it using a configuration parameter in the graylog.conf
allow_highlighting = true
View Query String History
Graylog enables you to search through your recent query string history to retain queries you have used in other event replays and dashboards. The search bar supports auto completion and will display relevant search queries you have entered in the past. When clicked on, these queries will replace the current query string.
The search query history button is found at the end of the search bar, to the right of the light bulb icon. All queries are saved to the database, making it possible to search through past queries via the drop-down menu that appears when you click on the Search History button. Previous searches are listed in descending order from most recent to oldest.
alt-space shows suggestions for a query input. When the input is empty this will show query history suggestions. If you already have an input use alt-ctrl-h.
The query string history feature enables you to filter through previous searches and reuse one of them. This functionality is also present in dashboards and widgets. Queries are scoped by user, so no one else sees your queries, but they are shared between dashboards. Please refer to Saved Searches for more details.
