Multi-threaded Search

When working with enterprise-scale data, every second matters. The longer it takes to analyze data coming in, the longer it takes to find and resolve issues. So the ability to simultaneously explore multiple indicators of compromise is crucial to speeding up analysis.

Graylog’s robust architecture gives you the ability to perform full text queries across millions of log messages in milliseconds. Using a single or multiple input parameters, you can initiate common analyses and visualize the data in a large variety of charts and formats so you can quickly find and resolve issues, threats, outages, and tech support help requests.

It starts with index-on-write and organizing of data with pipelines and streams to ensure the data is already well structured and searches can be limited to only the relevant data set.

The design of Graylog’s data storage and retrieval architecture inherently allows for multi-threaded and distributed search across the environment. Each search uses multiple processors and multiple buffers, then multiplies that threaded search across the number of participating nodes in the cluster. This approach gives much faster results, which allows the analyst to work through the dataset without having to schedule, save, or “walk away” from a search to continue at a later time.

Unlike competing products, there’s no need to learn a custom query language or submit pages of queries to an API to find the data you are looking for. Simply select the fields you want returned, use standard boolean operators to create your search, and specify how you want the data returned: raw data, aggregated data, count, or chart.

If you want to run this search on a regular basis, simply save it and easily share it with teammates. If you see something you want to continuously monitor in your results, or you want reports on these results delivered to your inbox on a regular basis, quickly build dashboards and reports with just a click or two right from the search results.

Enterprise users can build and combine multiple searches into a Search Workflow and review the delivered results on one screen.

FREQUENTLY ASKED QUESTIONS

ARE QUERIES IN GRAYLOG CASE-SENSITIVE?
Sometimes. The full_message, message, and source fields are case-insensitive by default. All other fields are case-sensitive. However, you can modify this default behavior.‍
HOW CAN I EXPORT THE RESULTS OF MY SEARCH?
You can export any search result by simply clicking the More Actions button from the Search page, then clicking Export as CSV. Note that the exported logs will contain only the fields checked on the list below the button. If no fields are checked, the exported file will be empty.‍
DO BOOLEAN OPERATORS (AND, OR, NOT) NEED TO BE CAPITALIZED?
Yes. Operators must be in all caps to be recognized in a query. Operators not in all caps are treated as search strings.