The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Graylog's search filters are designed to help you find specific log messages. With the right search syntax, you can build complex queries and mix filter criteria from other filters to refine your results.

You can save a search filter as a snippet, which you can combine with other filters or queries using the AND operator. Search filters let you exercise more control over your searches by allowing you to perform custom actions on your search results.

This article shows you how to add a search filter to your searches, create new filters, save them for future use, and share them with others.

Add a Search Filter

There are two ways to add a filter to a search. You can:

  • Select from your existing filter collection

  • Create a new filter

Select from Existing Filters (“My Filters”)

  1. Click the folder icon next to the Filters button to open your list of saved filters.

  2. Select a search filter from the list.

    • Use the search field to find specific saved searches.

    • Click the drop-down arrow on a filter to expand filter details.

    • Hold Shift to select multiple filters.

After you select the filter, it appears in the search filters bar.

Create a New Search Filter

  1. Click the “+” icon to open the Create Filter dialog box.

  2. Define a search query in the Query field to identify messages you want to match. The query should use the standard query syntax.

  3. (Optional) Give the search filter a title and a description. Although this step is optional, providing this information makes it easy to identify your saved filters.

When you create a search filter, save it in the “My Filters” collection. Saved filters are referenced in subsequent searches, so any change made to one affects every search where that filter is used. Inline filters, on the other hand, are saved only for the current search, so you can edit them without affecting other searches.

Save Searches with Filters

You can save searches with filters for future use by clicking the Save button. When saving a search with filters, all filter references persist. Graylog remembers which filters are used in the query and automatically applies them when reloading the search.

Saved filters are useful when you want to quickly investigate a problem that occurs sporadically and filter out all irrelevant messages. You can use a saved search filter to generate targeted results rather than creating a new query.

When you share a saved search that includes filters, every user who has access to the saved search can interact with its filters, even when they are referenced.

Share a filter with other users (with your own or managed permissions) to allow them to edit the filter directly.

Share Saved Filters

Shared search filters can be helpful for team collaboration as well as for sharing best practices within an organization. For example, a team may want to share a filter used for troubleshooting purposes with other teams, or an organization might want to share a filter that highlights important log data for all users to see.

To share a saved search filter:

  1. Click the folder icon and select the saved filter you intend to share.

  2. Click the drop-down menu for the selected saved filter, then select Share from the options list.

  3. In the resulting window, search and select the user you intend to share the search filter with, and set their access level.

  4. Click Add Collaborator, then click Update sharing.

Manage Search Filters

Disable and Enable 

To disable or enable filters, click the search filter title check box. A strike-through line indicates that a filter is disabled.

Disabled filters stay in the saved search. 

Exclude and Include from the Result

To exclude the search query of a selected search filter from results, select the search filter to be excluded, expand the drop-down menu associated with the selected search filter, and click Exclude from results.

This selection adds the NOT operator to the search filter query.

Edit Search Filters

You can edit search filters after you apply them:

  1. Click the Edit button from the drop-down menu beside the search filter name.

    Editing a search filter (saved in My Filters) affects all searches where that filter is in use. To prevent this, create an inline filter by selecting the Create copy for current search check box.

  2. Update the query, title, and description as necessary.
  3. Click Save to update the filter in My Filters.

You can also save existing inline filters to My Filters by selecting Save to "My Filters" from the filter's drop-down menu.

Other actions in this menu include:

  • Remove: This option removes a filter from the search.

  • Copy query to clipboard: This option copies a filter query to your clipboard.
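
The combination rules described on this page (filters joined with AND, Exclude from results adding NOT, disabled filters kept but not applied, saved filters referenced rather than copied) are modeled below as an added Python example. It is not Graylog code: the data model, the filter id, the field values, and the parenthesization of each filter are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the "My Filters" collection: filter id -> query.
MY_FILTERS = {"f-auth-fail": "event_type:login AND result:failure"}

@dataclass
class Applied:
    """One filter in a search's filter bar (all names here are hypothetical)."""
    ref: Optional[str] = None    # id in the collection when the filter is referenced
    query: Optional[str] = None  # own query text when the filter is inline
    disabled: bool = False       # struck through in the UI, still part of the search
    negated: bool = False        # "Exclude from results"

def effective_query(main: str, filters: list, store: dict) -> str:
    """Model how the main query and the active filters narrow the results."""
    parts = [f"({main})"] if main.strip() else []
    for f in filters:
        if f.disabled:
            continue  # disabled filters stay saved but do not constrain results
        q = store[f.ref] if f.ref is not None else f.query
        # Group each filter so an OR inside it cannot escape the AND / NOT.
        parts.append(f"NOT ({q})" if f.negated else f"({q})")
    return " AND ".join(parts) if parts else "*"

def inline_copy(f: Applied, store: dict) -> Applied:
    """Model of "Create copy for current search": detach from the saved filter."""
    q = store[f.ref] if f.ref is not None else f.query
    return Applied(query=q, disabled=f.disabled, negated=f.negated)

def demo() -> dict:
    store = dict(MY_FILTERS)
    triage = [Applied(ref="f-auth-fail"),
              Applied(query="source:test-host OR source:lab-host", negated=True),
              Applied(query="user:svc-backup", disabled=True)]
    hunting = [inline_copy(Applied(ref="f-auth-fail"), store)]
    before = effective_query("application:sshd", triage, store)
    store["f-auth-fail"] = "event_type:login"  # a collaborator edits the saved filter
    return {"before": before,
            "triage_after": effective_query("application:sshd", triage, store),
            "hunting_after": effective_query("", hunting, store)}

if __name__ == "__main__":
    for name, query in demo().items():
        print(f"{name}: {query}")
```

After the edit, the search that references the saved filter silently matches more messages, while the search holding an inline copy is unchanged; this is the effect to check for before editing a filter that alerting or triage searches depend on.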

Determine Search Filter Usage

The best way to find information on the usage of your filters is to navigate to the My Filters page. You can do so by selecting Enterprise, then My Search Filters. This page provides an overview of all saved searches that reference search filters, including who is using the saved searches, which dashboard widgets utilize the saved search filter, and where they are being used. You can also share, edit, or delete filters from this page.

You can also select a saved search filter to view more details.

If you attempt to edit or delete a saved search query, a pop-up notification appears, informing you that the query is being referenced in a saved search and that changes to the filter affect the search results of the saved search wherever it is referenced.