In this in this video, we will go over the Extended Search feature, a unique Graylog function that allows you to analyze data as quickly as possible.
HOW DOES THE EXTENDED SEARCH FUNCTION IN GRAYLOG WORK
The “Extend search” menu is found underneath the “Enterprise” menu. As you can see, the “Time Frame” option has not changed, and still allows you to pick relative or absolute times. In the next column on the right, you can pick individual streams to filter your logs. Once you select one of them, you’ll notice that all the data below will change.
ADDING AND EDITING WIDGETS
Now, you can add a few widgets by clicking on the “Fields” menu and selecting a proper filter. Once you’ve chosen a certain field, you can click on “Aggregate” to put up a new widget containing a breakdown of all data coming from that field on your dashboard. These widgets can be moved freely by dragging and dropping them around.
You can also edit these widgets. For example, you can make them more colorful. Go ahead, and click on “Edit” to open a new window. By clicking on “Visualization type,” you can change them into pie charts, bars, or graphs so it’s easier to browse your data and understand it.
ADDING A NEW TAB
In the Graylog Extended search function, you can also add second tabs. For example, we want to add a new AWS tab where we can look at the cloud trail logs. After adding a widget to check the most utilized regions, we also want to create a way to quickly this information upon entering the dashboard.
In version 3.1, you can add parameters to achieve this goal. For example, type aws_region:$AWS$ to add a variable. As you hit enter, an error warning will come up asking you to define some undeclared parameters. By clicking on the “Declare parameters” button, a new window will pop up where you can provide all the necessary details.
Now, if you go back to the “Parameters” tab on top, you can select the AWS parameter and type the name of your region to only focus on the U.S. West logs (for example). This is a simple and easy way to create standardized dashboards if you run investigations around IP addresses, user names, or hostnames. Every time you come back to this dashboard, just type the parameter you’re looking for, and all your widgets will filter the information for you.
Once you’re done with this search, just save everything off by clicking on “View actions,” and this dashboard will show up in your Views which is described. Thank you for watching and happy logging!