The time frame selector allows you to pull specific time ranges from your Graylog data and analyze issues that affect your environment. Most importantly, this tool offers multiple ways to filter time ranges. It is found in the upper left corner of the Search page.


This tool helps you to build queries that can perform such actions as:

  • Understanding and responding to data breaches, broken processes, and other security incidents
  • Troubleshooting systems and networks
  • Understanding the behaviors of your users
  • Conducting forensics activities

Time Frame Options

To access the window, click the clock icon. A dialog pops up, offering the following ranges:

  • Relative
  • Absolute
  • Keyword

 

Relative Time Frame Selector

The Relative time frame selector lets you search for messages within time ranges relative to Now or another date of your choosing. This selector offers a wide set of relative time frames that fit most of your search needs, including an All Time option.


Consider how this filter works:

  • The From field allows you to type in values and select units for time via a drop-down menu. You can choose from seconds, minutes, hours, and days. For your convenience, you can click the Preset Times button to access pre-determined times, interpreted in minutes, hours, and days. If you decide to select all messages instead, your dashboard would display data from the date of first ingestion.

  • The Until date allows relative time ranges to end at a specific period instead of defaulting to the current time/date.

Absolute Time Frame Selector

Use the absolute time frame selector when you precisely know the boundaries of your search. This option displays an accordion containing two options:

  • Calendar
  • Timestamp

In the Calendar option, use the hourglass icon to jump from the very beginning of the day (00:00:00.000) to the very end of the day (23:59:59.99).

To understand Calendar in more detail, consider the functions of Until and From:

  • Until defaults to disabling all dates previous to the selected From date.
  • From date will disable all previous dates if you configure a Query Time Range Limit (on the System > Configurations page).

You can use the magic wand icon for both Calendar and Timestamp.

  • In Calendar, the icon updates the Time to the current time but does not modify the date in the calendar.
  • In Timestamp, the icon updates the entire Timestamp to the current date and time.

Keyword Time Frame Selector

Graylog offers a keyword time frame selector that allows you to specify the time frame for the search in natural language like last hour or last 90 days. The web interface shows a preview of the two actual timestamps that will be used for the search.

Here are a few examples of possible values:

  • “last month” searches between the 1st day of last month and the last day of the current month
  • “4 hours ago” searches between four hours ago and now
  • “1st of April to 2 days ago” searches between 1st of April and 2 days ago
  • “yesterday midnight +0200 to today midnight +0200” searches between yesterday midnight and today midnight in timezone +0200 - will be 22:00 in UTC

The time frame is parsed using the natty natural language parser. Please consult its documentation for details.

Hint: Natty in version 4.2+: From 4.2 on, some errors and irregularities with natty have been addressed. When natty infers the time part of a query string (e.g. "last Monday"), it uses the reference time. This creates timestamps in the middle of the day, which is counter-intuitive and not really expected. Instead, from now on, when natty infers the time part in a query, this time part gets aligned to the start and end of the day.
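
The sketch below is an added example, not Graylog or natty code: it models the alignment described in the hint and the +0200 keyword example in plain Python, showing which events each window includes. The function names, the sample timestamps and the millisecond end-of-day bound are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc
PLUS2 = timezone(timedelta(hours=2))

def inferred_from(day, reference):
    """Pre-4.2 behaviour described above: a date-only keyword borrows its time
    of day from the reference time, so the bound lands mid-day."""
    return datetime.combine(day, reference.timetz()).astimezone(UTC)

def aligned_window(day, tz):
    """4.2+ behaviour: the inferred time part is aligned to the start and end
    of the day. The end is modelled as the day's last millisecond (assumption)."""
    start = datetime.combine(day, time.min, tzinfo=tz)
    end = start + timedelta(days=1) - timedelta(milliseconds=1)
    return start.astimezone(UTC), end.astimezone(UTC)

def midnight_to_midnight(reference, tz):
    """UTC bounds of 'yesterday midnight to today midnight' in zone tz."""
    today = datetime.combine(reference.astimezone(tz).date(), time.min, tzinfo=tz)
    return (today - timedelta(days=1)).astimezone(UTC), today.astimezone(UTC)

def in_window(ts, start, end):
    """True when ts lies inside the inclusive window [start, end]."""
    return start <= ts <= end

# Constructed sample data, not real log entries.
NOW = datetime(2024, 5, 15, 14, 30, tzinfo=UTC)          # reference time (a Wednesday)
MONDAY = NOW.date() - timedelta(days=2)                  # 2024-05-13
EARLY_EVENT = datetime(2024, 5, 13, 3, 12, tzinfo=UTC)   # early on that Monday
LATE_EVENT = datetime(2024, 5, 13, 22, 30, tzinfo=UTC)   # 00:30 on the 14th in +0200

if __name__ == "__main__":
    print("mid-day bound:", inferred_from(MONDAY, NOW).isoformat())
    for name, tz in (("UTC", UTC), ("+0200", PLUS2)):
        start, end = aligned_window(MONDAY, tz)
        print(name, start.isoformat(), "to", end.isoformat(),
              "early:", in_window(EARLY_EVENT, start, end),
              "late:", in_window(LATE_EVENT, start, end))
    print("keyword window:", [t.isoformat() for t in midnight_to_midnight(NOW, PLUS2)])
```

A bound taken from the reference time falls after the early event on the same day, and the same calendar day in +0200 excludes an event that the UTC day includes.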

Adding Customized Time Range Presets

You can customize keyword time ranges and add them to existing selections. There are two ways to do this.

From the Time Range Selector Menu

  1. In the Time Range Selector menu, click on either Relative, Absolute, or Keyword to select the preset type of your choice.

  2. Enter the desired configuration and click on Update time range.

From the Configuration Menu

  1. In the configuration interface, click on Configure Presets found at the bottom of the Time Range Selector drop-down menu. Optionally, you can go to System > Configurations and select Edit configuration.

  2. Click on Add option at the bottom of the Search Time Range Presets list. Enter a description and click Update Configuration.

  3. To add more time ranges, click on Add option and edit the new time range. Then click Update configuration.

Managing Customized Time Range Presets

You can rearrange the entries in the list according to priority. Select the lines found at the beginning of the row and drag up or down.

You can also access your customized time range preset in the Time Range Selector drop-down menu. There you will see the description that you entered during customization.

Frequently used time ranges can be saved and added to the Search Time Range Presets list. To do so, click the Save as Preset button in the top right corner of the menu. Enter a description and click Save preset. You will be notified if you enter a preexisting time range. In the Time Range Selector, click on Load Preset to retrieve saved presets.