Search Filters
Graylog's search filters are designed to help you find specific log messages. With the right search syntax, you can build complex queries and mix filter criteria from other filters to refine your results.
You can save a search filter as a snippet, which you can combine with other filters or queries using the AND operator. Search filters let you exercise more control over your searches by allowing you to perform custom actions on your search results.
This article shows you how to add a search filter to your searches, create new filters, save them for future use, and share them with others.
Add a Search Filter
There are two ways to apply a filter to a search. You can:
- Select from your existing filter collection.
- Create a new filter.
Select from Existing Filters (“My Filters”)
- Click the folder icon next to the Filters button to open your list of saved filters.
- Select a search filter from the list.
- Use the search field to find specific saved searches.
- Click the drop-down arrow on a filter to expand filter details.
- Hold Shift to select multiple filters.
- After you select the filter, it appears in the search filters bar.
Create a New Search Filter
To create a search filter from the Search page:
- Click the “+” icon to open the Create Filter dialog box.
- Define a search query in the Query field to identify messages you want to match. The query should use the standard query syntax.
- (Optional) Give the search filter a title and a description. Although this step is optional, providing this information makes it easy to identify your saved filters.
- (Optional) Select the Save to "My Filters" checkbox if you plan to reuse this filter.
- Select Create filter.
To create a search filter from the My Filters page:
- Select Create filter.
- Define a search query in the Query field to identify messages you want to match. The query should use the standard query syntax.
- (Optional) Give the search filter a title and a description. Although this step is optional, providing this information makes it easy to identify your saved filters.
- (Optional) Enter any collaboration and sharing options. For information about adding collaborators and sharing when creating a filter, see the next section. For information about sharing an existing search filter, see Share Saved Filters.
- Select Create filter.
Add Collaboration and Sharing
The Graylog permissions model requires you to grant access to any intended collaborators on an entity. You can share entities with individuals or teams when you create the entity.
Add Collaborator
Use the Add Collaborator section to share the entity with individual users or teams. You can set a different access level for each collaborator you add.
- Enter a search term or scroll the list to find a user or team to add.
- Select the access level the user should receive:
  - Viewer: Can view the entity but not make any changes to it.
  - Manager: Can edit any aspect of the entity. For some entities, this access level allows the user to delete the entity.
  - Owner: Has the same permissions as Manager but adds the ability to share the entity with other users.
- Click Add Collaborator.
Repeat these steps for each collaborator you want to add. As you add collaborators, they are listed with their access level. You can change the access level or delete a collaborator before proceeding.
Add to Collection
Use the Add to collection section to add the entity to a collection. Enter a search term or scroll the list to find a collection, then select the item to add it. Note that you can add multiple collections in this field. The entity is added to each collection you include. All entities in a collection are shared together when you share the collection.
See Collections for information about using collections for sharing and permission management. See Permission Management for complete information about roles and sharing in Graylog.
Save Searches with Filters
You can save searches with filters for future use by clicking the Save button. When saving a search with filters, all filter references persist. Graylog remembers which filters are used in the query and automatically applies them when reloading the search.
Saved filters are useful when you need to quickly investigate a problem that occurs sporadically, because they filter out all irrelevant messages. You can use a saved search filter to generate targeted results rather than writing a new query each time.
When you share a saved search that includes filters, every user who has access to the saved search can interact with its filters, even when they are referenced.
Share a filter with other users (with your own or managed permissions) to allow them to edit the filter directly.
Share Saved Filters
Shared search filters can be helpful for team collaboration as well as for sharing best practices within an organization. For example, a team may want to share a filter used for troubleshooting purposes with other teams, or an organization might want to share a filter that highlights important log data for all users to see.
To share a saved search filter:
- Navigate to Enterprise > My Search Filters.
- Find the filter you want to make available to other users, then click Share.
- Select users or teams from the drop-down menu.
- Select the access level the user should receive:
  - Viewer: Can view the entity but not make any changes to it.
  - Manager: Can edit any aspect of the entity. For some entities, this access level allows the user to delete the entity.
  - Owner: Has the same permissions as Manager but adds the ability to share the entity with other users.
- Select Add Collaborator. Review your selections, and add additional collaborators if necessary.
- Select Update sharing.
You can also share search filters by using collections, which allow you to include multiple entities together in a single share. To add a search filter to a collection:
- Navigate to Enterprise > My Search Filters.
- Find the filter you want to add to a collection, then select Manage collection on the More actions menu.
- Enter a search term or scroll the list to find a collection to add. Note that you can add multiple collections in this field.
- Click Save.
When you share a collection, all entities in the collection are shared. See Collections for complete details.
Review Permissions Management for a full list of permissions available to users and teams in Graylog.
Manage Search Filters
Disable and Enable
To disable or enable filters, click the search filter title check box. A strike-through line indicates that a filter is disabled.
Disabled filters stay in the saved search.
Exclude and Include from the Result
To exclude the search query of a selected search filter from results, select the search filter to be excluded, expand the drop-down menu associated with the selected search filter, and click Exclude from results.
This selection adds the NOT operator to the search filter query.
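As an added example (not Graylog's own code), the following Python models how the filter states described above combine into a single query string: active filters are joined to the main query with AND, a filter marked Exclude from results is negated with NOT, and a disabled filter stays attached to the search but contributes nothing. How Graylog composes the query internally is not shown on this page, so the composition rules, field names and values here are assumptions and constructed samples.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class SearchFilter:
    """One filter as it appears in the search filters bar (assumed model)."""
    title: str
    query: str             # written in the standard Graylog query syntax
    enabled: bool = True   # unchecked title check box -> disabled (strike-through)
    exclude: bool = False  # "Exclude from results" -> NOT is prepended


def compose_query(base_query: str, filters: List[SearchFilter]) -> str:
    """Combine the main query with every active filter using AND.

    Disabled filters stay attached to the saved search but produce no clause;
    excluded filters are negated with NOT. Each clause is parenthesised so
    that operators inside one filter's query cannot change the meaning of
    the others.
    """
    clauses = []
    if base_query.strip():
        clauses.append(f"({base_query.strip()})")
    for f in filters:
        if not f.enabled:
            continue
        clause = f"({f.query.strip()})"
        if f.exclude:
            clause = f"NOT {clause}"
        clauses.append(clause)
    # An empty query matches everything.
    return " AND ".join(clauses) if clauses else "*"


# Constructed sample: a search for server errors, narrowed to the web tier by
# one saved filter, with health-check noise excluded and a stale filter disabled.
SAMPLE_FILTERS = [
    SearchFilter("Web tier", "source:web-*"),
    SearchFilter("Health checks", 'http_path:"/healthz"', exclude=True),
    SearchFilter("Debug noise", "level:7", enabled=False),
]

if __name__ == "__main__":
    print(compose_query("http_response_code:>=500", SAMPLE_FILTERS))
```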
Edit Search Filters
You can edit search filters after you apply them:
- Click the Edit button from the drop-down menu beside the search filter name.
  Editing a search filter (saved in My filters) affects all searches where that filter is in use. To prevent this, create an inline filter by selecting the Create copy for current search check box.
- Update the query, title, and description as necessary.
- Click Save to update the filter in My filters.
You can also save already created inline filters to My filters by selecting Save to "My Filters" from the filter's drop-down menu.
Other actions in this menu include:
- Remove: This option removes a filter from the search.
- Copy query to clipboard: This option copies a filter query to your clipboard.
Determine Search Filter Usage
The best way to find information on the usage of your filters is to navigate to the My Filters page. You can do so by selecting Enterprise, then My Search Filters. This page provides an overview of all entities that reference a search filter, including saved searches, dashboard widgets, event definitions, and Sigma rules. You can also view more details of a saved search filter, and share, edit, or delete filters from this page.
If you attempt to edit or delete a saved search query, a pop-up notification appears, informing you that the query is being referenced in a saved search and that changes to the filter affect the search results of the saved search wherever it is referenced.
