Search Results Enhancements

The Graylog search function provides search results enhancements that improve result interpretation and usability after a search is executed. After you set up these features, all relevant query results are displayed with the enhancements.

This article describes the available search results enhancements for Graylog search and provides guidance for their use.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

Highlights

The following highlights provide a summary of the key takeaways from this article:

  • Graylog search results can be transformed using decorators or message summary templates, each operating at the presentation layer without altering stored data.

  • Enhancements do not affect search logic or stored data. They apply only at search time to improve how results are read and interpreted.

  • Favorite fields allow you to determine which fields show at the top of the message detail view so you see important information first.

  • Decorators let you remap, reformat, or enrich how log fields appear in results on a per-stream basis.

  • Message summary templates replace the default results list with structured, scannable summaries using field placeholders and optional color-coded indicators. This feature requires Graylog Illuminate.

How Search Results Enhancements Work

Graylog provides three types of search results enhancements:

  • Favorite fields

  • Decorators

  • Message summary templates

These features transform the way search results are displayed. With careful planning and configuration, you can implement enhancements that make it easier to find relevant information faster.

These enhancements are not directly part of your search queries or logic, but they can be used to transform the view of the data that your queries return.

Add Favorite Fields to Messages

Favorite fields allow you to tag specific fields so that when you view message details in search results, those fields appear at the top of the detail view. Log messages can include many different fields, which can make scanning the results overwhelming at times. Favorite fields let you predetermine fields that you always want to review first.

Hint: Favorite fields are saved per stream. If you use separate streams for different types of data, you can set up different favorite fields to reflect the important data of each stream.

Within the message detail view, there are two ways to add a field as a favorite:

  • Use the field dropdown: Hover over any field name in the list, select the down arrow that appears, then select Add field to favorites.

  • Use the Edit favorite fields button: In the dialog box that opens, select the star by any field name to add it to favorites. Note that this dialog box allows you to add or remove multiple favorites at once. You can also drag fields into your preferred order in the favorites section.

Favorite fields appear in all streams this message belongs to, and the dialog box shows each stream for which the favorite appears, based on routing rules that have been applied.

Decorators Explained

Decorators let you transform how log data appears in search results while preserving the original data unchanged. They enhance data at the presentation layer, such as mapping numeric codes to human-readable labels or reformatting field values. Use decorators when you want to improve readability or add context to search results without modifying stored data.

You configure decorators per stream and can share them among users with stream access, enabling consistent data presentation across organizations. Decorated values exist only in the search results presentation layer and cannot be searched or analyzed — those operations always use the original, stored field data.

Graylog provides multiple decorator types:

  • Pipeline Processor: Applies existing processing pipelines at search time for presentation purposes only.

  • Lookup Tables: Connects a lookup table to enable value conversion from existing data.

  • Syslog Severity Mapper: Converts numeric syslog levels to friendly text strings for easier evaluation.

  • Format String: Combines multiple fields using pattern templates with ${fieldname} syntax. This uses JMTE template syntax for field placeholder resolution.

  • Hyperlink String: Turns a given field into a hyperlink.

Decorators provide flexibility for sophisticated data presentation strategies while maintaining underlying data integrity. For complete information about this search results enhancement, see Decorators.

Decorators Example

Sally, a security analyst, monitors a high-volume stream of syslog messages from network devices. The raw level field displays numeric severity codes in values like 3 or 5. Sally doesn't necessarily know what these numbers mean in each case.

To fix this, Sally uses decorators:

  1. Sally navigates to System > Configurations > Decorators, then clicks Edit configuration.

  2. She selects her network stream and adds a Syslog Severity Mapper decorator from the dropdown menus.

  3. She maps the level field to a new severity field, then clicks Update configuration.

Now, when she runs a search, the results display human-readable labels like Error (3) and Notice (5) instead of raw numbers. Sally can scan results and prioritize critical events at a glance.

Message Summary Templates Explained

Message summary templates replace the default search results list with structured, information-rich summaries. Use message summary templates when you want to scan and compare key fields directly in the results list without expanding individual messages. When a compatible Illuminate Spotlight pack is enabled, field placeholders in the templates are resolved with actual log field values. When Spotlight packs include indicator templates, color coding is applied automatically to visually prioritize events at a glance.

Hint: Message summary templates are delivered via Illuminate and work with the GIM Schema out of the box without modification.

The template system is built on three interconnected entities in a hierarchical relationship:

  • event_type_category: Determines which templates apply based on the gim_event_subcategory field.

  • summary_template: Defines the display format using field placeholders.

  • indicator_template: Controls color-coded styling.

Multiple event categories can share reusable templates, promoting consistency across event types while transforming raw log data into formatted, scannable summaries in your search results list.

For complete information about this search results enhancement, see Message Summary Templates.

Message Summary Templates Example

Sally, a security analyst, is investigating authentication events in Graylog. Without message summary templates, she has to expand each log entry individually to find the user, source IP, and outcome.

Because her organization runs Graylog Enterprise with Illuminate, Sally navigates to Enterprise > Illuminate, searches for Message Summary, and enables the Message Summary Configurations pack. Graylog immediately begins rendering structured summaries directly in her search results list, displaying key fields like:

[authentication failure] user_name:jsmith | source_ip:192.168.1.45

Results are color-coded in red for failures and green for successes. Sally can now scan dozens of events in seconds without opening a single message.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: