Graylog allows customizing the options allowed to search queries, like limiting the time range users can select or configuring the list of displayed relative time ranges.
All search configuration settings can be customized using the web interface on the System -> Configurations page in the Search configuration section.
Query Time Range Limit
Sometimes the amount of data stored in Graylog is quite big and spans a wide time range (e. g. multiple years). In order to prevent daily users from accidentally running search queries which could use up lots of resources, it is possible to limit the time range that users are allowed to search in.
Using this feature, the time range of a search query exceeding the configured query time range limit will automatically be adapted to the given limit.
The query time range limit is a duration formatted according to ISO 8601 following the basic format
with the following rules:P<date>T<time>
Designator |
Description |
---|---|
|
Duration designator (for period) placed at the start of the duration representation |
|
Year designator that follows the value for the number of years |
|
Month designator that follows the value for the number of months |
|
Week designator that follows the value for the number of weeks |
|
Day designator that follows the value for the number of days |
|
Time designator that precedes the time components of the representation |
|
Hour designator that follows the value for the number of hours |
|
Minute designator that follows the value for the number of minutes |
|
Second designator that follows the value for the number of seconds |
Examples:
ISO 8601 duration |
Description |
---|---|
|
30 days |
|
1 hour |
|
1 day and 12 hours |
More details about the format of ISO 8601 durations can be found here.
Relative Time Ranges
The list of time ranges displayed in the Relative Time Frame Selector can be configured, too. It consists of a list of ISO 8601 durations which the users can select on the search page.
Search Result Highlighting
Graylog supports search result highlighting:
Enabling/Disabling Search Result Highlighting
Using search result highlighting will result in slightly higher resource consumption of searches. You can enable and disable it using a configuration parameter in the
of your Graylog nodes:graylog.conf
allow_highlighting = true