Time Frame Selector
The Time Frame Selector is a fundamental search control that determines which time window Graylog searches. Time range selection directly impacts whether results are returned. A valid query returns zero results if the selected time range does not include the relevant events.
Time range selection controls three critical aspects of search behavior:
- Search Scope Limitation: Graylog only examines messages within your specified time window. Events outside this range are excluded from results, regardless of query accuracy.
- Query Boundaries: Administrators can configure a maximum time range limit to prevent resource-intensive searches. A search that requests a wider range is automatically reduced to the configured maximum, so the results cover less time than you asked for.
- Data Retention Constraints: Searching beyond your data retention period returns incomplete or empty results. Graylog cannot search data that has already been removed from the system.
This article explains how to select appropriate time ranges for different investigation types, avoid common pitfalls that produce empty or misleading results, and understand how time boundaries interact with data retention, administrator limits, and timezone settings.
Time Range
A time range defines the specific window of time where Graylog looks for matching messages. Every search in Graylog requires a time range, whether explicitly selected or by the system default. Understanding how to work with time ranges is fundamental to effective log analysis.
This section covers the types of time ranges available (relative, absolute, and keyword-based), how each type behaves, and when to use each.
Relative Time Range
The relative time range selector searches for messages within a time range relative to the current or specified time. It provides predefined relative ranges to support common search scenarios, including an All Time option.
For example, a relative range such as the last 5 minutes is re-evaluated every time the search runs, so it always ends at the current time; the All Time option instead searches from the earliest retained message up to now.
The From field lets you define the starting point for a relative time range by entering a value and choosing a unit of time from a dropdown menu. Available units include seconds, minutes, hours, and days. In the web interface, you can also choose from preset time ranges using the dropdown next to the clock icon, which makes it faster to apply commonly used options. If you select All Time, results start from the earliest message still retained in Graylog; messages already removed by retention cannot be returned.
The Until field lets you define when the relative time range ends. Instead of always ending at the current date and time, you can set the range to stop at a different point in time. This is useful when you want to examine a relative period that does not extend all the way up to the present moment.
This type of time range is especially useful for real-time monitoring, active troubleshooting, and ongoing investigations because it gives you a flexible way to focus on the most relevant recent data while still controlling the exact window you want to review.
Absolute Time Range
An absolute time range defines a fixed beginning and ending timestamp that does not change over time. For example, you might search from 2026-02-20 14:30:00 to 2026-02-20 15:45:00. This option is useful when you need to examine activity during a precise window, such as a known outage, alert, or incident.
This option displays an expandable section with two ways to set the range: Calendar and Timestamp. In the Calendar option, you can use the hourglass icon to quickly set the range from the beginning of a selected day at 00:00:00.000 to the end of that day at 23:59:59.999. Within this view, the Until field automatically prevents you from selecting dates earlier than the chosen From date. The From field is also limited by any query time range limit an administrator has configured for the Search page, which prevents users from selecting dates earlier than the allowed range.
You can use the magic wand icon for both Calendar and Timestamp.
- In Calendar, the icon updates the Time to the current time but does not modify the date in the calendar.
- In Timestamp, the icon updates the entire Timestamp to the current date and time.
Absolute time ranges are especially useful for historical analysis, incident documentation, forensic review, and report generation because they let you examine a specific, unchanging window of time.
Keyword Time Range
Keyword-based time ranges let you describe a time window in natural language, for example today, yesterday, this week, last week, last hour, or last 90 days. The interface shows a preview of the two actual timestamps the keyword resolves to, so you can confirm the window before running the search.
Here are a few examples of possible values:
- last month: searches between the 1st day of last month and the last day of the current month
- 4 hours ago: searches between four hours ago and now
- 1st of April to 2 days ago: searches between the 1st of April and 2 days ago
- yesterday midnight +0200 to today midnight +0200: searches between yesterday midnight and today midnight in timezone +0200, which corresponds to 22:00 UTC on the preceding days
This option is well suited for daily operational reviews, weekly summaries, and routine checks because it makes it easy to work with commonly used time periods.
Add Customized Time Range Presets
You can customize relative, absolute, or keyword time ranges and add them to the existing preset selections. There are two ways to do this.
From the Time Range Selector Menu
- In the Search Time Range menu, select Relative, Absolute, or Keyword as the preset type of your choice.
- Enter the desired time range values and click Update time range.
From the Configuration Menu
- In the Search Time Range menu, click the Load Preset drop-down menu and select Configure presets, found at the bottom of the menu options. Alternatively, go to System > Configurations > Search and click Edit configuration.
- Click Add option at the bottom of the Search Time Range Presets list.
- Enter a description and click Update configuration.
- To add more time ranges, click Add option and edit the new time range. Then click Update configuration.
Manage Customized Time Range Presets
You can rearrange the entries in the list according to priority. Select the dots found at the beginning of the row and drag up or down.
You can also access your customized time range preset in the Time Range Selector drop-down menu, where it appears under the description you entered during customization.
Frequently used time ranges can be saved and added to the Search Time Range Presets list. To do so, click the Save as Preset button in the top right corner of the menu. Enter a description and click Save preset. You will be notified if you enter a preexisting time range. In the Time Range Selector, click Load Preset to retrieve saved presets.
Search Workflow
The Time Frame Selector appears in the upper left corner of the Search page, alongside:
- Query input field
- Stream selector
- Search execution button
The search workflow is a combination of these components: Time Range (when to search), Stream Selection (where to search) and Query (what to search for). All three components must be correctly configured to produce accurate results.
Search Execution Order
- Select time range: Define when to search before constructing queries
- Choose streams: Identify which data sources to search
- Build query: Construct search terms and filters
- Execute search: Run the search within your defined parameters
Time Frame Selector Examples
The following examples show how the time frame selector affects search results in realistic investigation scenarios. Each example illustrates how choosing the right time range helps you return the data you actually need, while the wrong choice can hide important context or exclude the relevant events entirely.
Example 1: Failed Login Investigation
Sally, a security analyst, is told that several failed login attempts were reported at 2:00 PM. To investigate, she sets an absolute time range from 1:45 PM to 2:15 PM and runs the query event_type:failed_login. This gives her a complete view of the activity before, during, and after the reported incident. If Sally were to run the same query later using a relative range such as last 5 minutes, she would likely see no results because the failed logins happened earlier and no longer fall within that window.
Example 2: Application Error Pattern Analysis
Marcus, an IT analyst, wants to understand whether a Windows application has been generating repeated errors over the past week. Instead of focusing on a narrow recent window, he uses a relative time range of last 7 days and runs the query message:error AND application_name:windows. This helps him review the full pattern of errors across the week and spot whether the issue is recurring. If Marcus used a shorter range such as last 1 hour, he would see only the most recent errors and might miss the broader pattern that explains the issue.
Example 3: Security Incident Timeline
Priya, a security analyst, needs to document a suspicious activity incident for compliance review. She sets an absolute time range from 2026-02-15 08:00:00 to 2026-02-15 18:00:00 UTC and runs the query source_ip:192.168.1.100 AND event_type:suspicious_activity. Because the time range is fixed, the results remain stable and can be reviewed again later with the same outcome, which is important for reporting and documentation. If Priya used a relative range such as yesterday, the meaning of that range would shift from day to day, making the results less reliable for formal records.
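The following Python simulation, added here as an illustration and not Graylog's own code, models the behavior described in this article: relative, absolute, and keyword ranges (including the +0200 midnight conversion from the keyword examples), the administrator's maximum-range limit that silently shrinks a request, retention that removes data the range still covers, and Sally's failed-login case from Example 1. The current time, the five sample messages, and the 30-day limit and 20-day retention values are constructed assumptions; Graylog's real keyword parser accepts far more expressions than the handful handled here.

```python
"""Simulation of how a time range scopes a log search (constructed data, not Graylog's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc
# Constructed "now" and sample messages; assumption: stored timestamps are UTC.
NOW = datetime(2026, 2, 20, 16, 0, tzinfo=UTC)
MESSAGES = [
    {"timestamp": datetime(2026, 2, 20, 13, 58, tzinfo=UTC), "event_type": "failed_login"},
    {"timestamp": datetime(2026, 2, 20, 14, 1, tzinfo=UTC), "event_type": "failed_login"},
    {"timestamp": datetime(2026, 2, 20, 14, 2, tzinfo=UTC), "event_type": "failed_login"},
    {"timestamp": datetime(2026, 2, 20, 15, 58, tzinfo=UTC), "event_type": "login"},
    {"timestamp": datetime(2026, 1, 26, 9, 0, tzinfo=UTC), "event_type": "failed_login"},  # 25 days old
]


@dataclass(frozen=True)
class TimeRange:
    start: datetime  # inclusive
    end: datetime    # exclusive


def relative_range(value, unit, now=NOW, until=None):
    """Relative range: `value` units back from `until` (the Until field), default now."""
    end = until or now
    return TimeRange(end - timedelta(**{unit: value}), end)


def absolute_range(start_str, end_str, tz=UTC):
    """Absolute range from two 'YYYY-MM-DD HH:MM:SS' strings interpreted in tz."""
    fmt = "%Y-%m-%d %H:%M:%S"
    start = datetime.strptime(start_str, fmt).replace(tzinfo=tz).astimezone(UTC)
    end = datetime.strptime(end_str, fmt).replace(tzinfo=tz).astimezone(UTC)
    if end < start:
        raise ValueError("Until must not precede From")
    return TimeRange(start, end)


_DAY = {"today": 0, "yesterday": 1}
_MIDNIGHT = re.compile(r"(today|yesterday) midnight ([+-]\d{4})")
_AGO = re.compile(r"(\d+) (seconds|minutes|hours|days) ago")


def _midnight(day_word, offset, now):
    """Local midnight of today/yesterday in a +-HHMM offset, returned as UTC."""
    sign = 1 if offset[0] == "+" else -1
    tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5])))
    local_day = now.astimezone(tz).date() - timedelta(days=_DAY[day_word])
    return datetime.combine(local_day, time(0), tzinfo=tz).astimezone(UTC)


def keyword_range(keyword, now=NOW):
    """Minimal keyword parser covering the article's examples (the real parser is broader)."""
    kw = keyword.strip().lower()
    if kw in _DAY:  # 'today' runs up to now; 'yesterday' is a full day
        start = _midnight(kw, "+0000", now)
        return TimeRange(start, now if kw == "today" else start + timedelta(days=1))
    m = _AGO.fullmatch(kw)
    if m:
        return relative_range(int(m.group(1)), m.group(2), now)
    if " to " in kw:
        left, right = kw.split(" to ", 1)
        ml, mr = _MIDNIGHT.fullmatch(left), _MIDNIGHT.fullmatch(right)
        if ml and mr:
            return TimeRange(_midnight(ml.group(1), ml.group(2), now),
                             _midnight(mr.group(1), mr.group(2), now))
    raise ValueError(f"unsupported keyword: {keyword!r}")


def apply_limits(rng, now=NOW, max_days=None, retention_days=None):
    """Admin limit silently shrinks the range; retention makes part of it unanswerable."""
    start, notes = rng.start, []
    if max_days is not None and now - start > timedelta(days=max_days):
        start = now - timedelta(days=max_days)
        notes.append("reduced_to_admin_limit")
    if retention_days is not None and now - start > timedelta(days=retention_days):
        notes.append("extends_before_retention")  # results will be incomplete
    return TimeRange(start, rng.end), notes


def purge(messages, retention_days, now=NOW):
    """What retention leaves behind: messages older than the retention period are gone."""
    cutoff = now - timedelta(days=retention_days)
    return [m for m in messages if m["timestamp"] >= cutoff]


def search(rng, query, messages=MESSAGES):
    """Field-equality query evaluated only inside the time range (start inclusive, end exclusive)."""
    return [m for m in messages
            if rng.start <= m["timestamp"] < rng.end
            and all(m.get(k) == v for k, v in query.items())]


if __name__ == "__main__":
    incident = absolute_range("2026-02-20 13:45:00", "2026-02-20 14:15:00")
    print(len(search(incident, {"event_type": "failed_login"})))             # 3: Sally's window
    print(len(search(relative_range(5, "minutes"), {"event_type": "failed_login"})))  # 0: same query, later
```

Running the script reproduces Example 1: the absolute window around 14:00 returns the three failed logins, while last 5 minutes evaluated at 16:00 returns none, even though the query is identical. Pass a 60-day relative range through apply_limits with max_days=30 and retention_days=20 to see the range clamped and flagged, and compare search results against purge(MESSAGES, 20) to see how retention removes a message that the clamped range still covers.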