• 09 Sep 2021

Graylog supports a wide variety of widgets which allow you to quickly visualize data from your logs. A widget is either a Message Table or an Aggregation. This section intends to give you some information to better understand each widget type, and how they can help you to see relevant details from the many logs you receive.

A widget can be freely placed inside a query. A widget can be edited or duplicated by clicking on the chevron on the right side in the head of the widget.


Creating a widget

To add a widget for your search or dashboard:

  • Open the sidebar and the Create section.
  • Alternately, you can open the section directly by clicking on the plus sign (+).


You can create an empty “Aggregation”, or a predefined widget by selecting the “Message Table” or “Message Count”.

Empty aggregation widget:



The goal of an aggregation is to reduce the number of data points in a meaningful way to get an answer from them. Data points can be numeric field types in a message (e.g. a took_ms field which contains how long a page needed to be rendered), or string values which can be used for grouping the aggregation (e.g. an action field which contains the name of the controller action).

Configuring an aggregation

As described in the previous section, a click on -> will create an empty widget on the very top of the search page. A click on the on the right side of the head will open the widget edit modal.


GROUP BY : This option allows you to “group” your chart by rows and columns. When you create a new group with Group By, the values you select get rolled up into the result. This result can be presented in a variety of ways. You may present the data as a table, chart, or visualization with color.

At a glance, if timestamp is a field attributed to a row, it will divide the data points into intervals. Otherwise the aggregation will take by default up to 15 elements of the selected field and apply the selected METRICS function to the data points.

Example: The timestamp field is aggregated with avg() on took_ms. The column action will give the average loading time for a page per action for every 5 minutes.

METRICS : METRICS are a collection of functions to aggregate data points. The result of the aggregation depends on the grouping of ROWS and/or COLUMNS. The data points of a field will be aggregated to the grouping. Example: The avg() function will find the average of the numeric data points took_ms around the configured grouping.

VISUALIZATION : To display the result of an aggregation it is often easier to compare lots of result values graphically. Area Chart, Bar Chart, Heatmap, Data Table, Line Chart, Pie Chart, Scatter Plot, Single Number or World Map can be used as VISUALIZATION. The World Map needs geographical points in the form of latitude,longitude.

SORTING/DIRECTION : The order of the result values can be configured here. SORTING defines by which field the sorting should happen and DIRECTION configures if it will be ascending or descending.

INTERPOLATION : Visualizations like the Area Chart and Line Chart support different interpolation types. The available interpolation types are Linear, Step-after and Spline.

EVENT ANNOTATIONS : All visualizations which can display a timeline (Area Chart, Bar Chart, Line Chart, Scatter Plot) support event annotations. Each event will be displayed as an entry on the time axis.
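The grouping and metric from the example above, worked through in Python as an added illustration (this is not Graylog code). The sample messages are constructed, the function names are hypothetical, and skipping messages that lack a numeric took_ms is an assumption of this sketch.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample messages (not real Graylog data).
MESSAGES = [
    {"timestamp": "2021-09-09T10:00:12Z", "action": "login", "took_ms": 120},
    {"timestamp": "2021-09-09T10:03:40Z", "action": "login", "took_ms": 80},
    {"timestamp": "2021-09-09T10:04:59Z", "action": "search", "took_ms": 300},
    {"timestamp": "2021-09-09T10:05:00Z", "action": "login", "took_ms": 200},
    {"timestamp": "2021-09-09T10:07:30Z", "action": "search", "took_ms": 500},
    {"timestamp": "2021-09-09T10:08:10Z", "action": "search", "took_ms": 700},
    {"timestamp": "2021-09-09T10:09:00Z", "action": "login"},  # no took_ms field
]


def bucket_start(ts, interval_s=300):
    """Floor an ISO-8601 UTC timestamp to the start of its interval (row key)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    floored = epoch - epoch % interval_s
    return datetime.fromtimestamp(floored, tz=timezone.utc).strftime("%H:%M")


def avg_pivot(messages, row_field="timestamp", col_field="action",
              metric_field="took_ms", interval_s=300):
    """ROWS = time interval, COLUMNS = col_field, METRIC = avg(metric_field)."""
    sums = defaultdict(lambda: [0.0, 0])  # (row, column) -> [sum, count]
    for msg in messages:
        value = msg.get(metric_field)
        if not isinstance(value, (int, float)):
            continue  # assumption: messages without a numeric metric are skipped
        key = (bucket_start(msg[row_field], interval_s), msg[col_field])
        sums[key][0] += value
        sums[key][1] += 1
    table = defaultdict(dict)
    for (row, col), (total, count) in sums.items():
        table[row][col] = total / count
    return dict(table)


if __name__ == "__main__":
    for row, cols in sorted(avg_pivot(MESSAGES).items()):
        print(row, cols)
```
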

Message Table

The Message Table displays the messages and their fields. The Message Table can be configured to show the message fields and the actual message. The actual message is rendered in a blue font, below the fields. Clicking on a message row opens the detailed view of a message with all its fields.


Value and Field Actions

Values and fields are visible in the Sidebar, on Data Tables and on Detail Message Rows. Clicking on a value or a field shows a context menu where different actions can be executed.

Field actions

Based on the type of the field and where the menu is opened, different Field actions are shown when a field name (and not its value) is clicked.


Chart : This will generate a new Widget containing a line chart where the field's average value is displayed over time. This chart can be taken as a starting point for a more defined aggregation. This is only possible on fields of a numerical type.

Show top values : This action will generate a new Widget containing a data table where the field's values are listed in the rows and the count of occurrences is displayed next to them. This was formerly known as the “Quick Values” action.

Statistics : Here the field values will be given to various statistics functions depending on the type of the field. The result will be displayed in a Data Table Widget.

Add to table : Add the field to the displayed fields of the message table where the Field Actions menu is shown.

Add to all tables : Add the field to the displayed fields of all tables.

Remove from table : Remove the field from the list of displayed fields of this table.

Remove from all tables : Remove the field from the list of displayed fields of all tables.

Value actions

The value actions produce different results depending on the type of the value and where the menu is opened. The following actions can be executed.


Insert into view : This action will open up a modal where a view can be selected. A selectable list of Parameters will be shown from the selected view and after choosing a parameter a new browser tab will be opened containing the view with the value used in the parameter. This action is only available in enterprise Graylog.

Exclude from results : Will add NOT field:value to the query to exclude all results where the field contains the value of the value action.

Add to query : Will add field:value to the query to filter the results additionally for where the field has the value of the value action.

Use in new query : Will open a new view tab with field:value as query string.

Show documents for value : Available in Data Tables, it will show the documents which were aggregated to display this value.

Create extractor : For values of type string in Message Tables, a shortcut to create an extractor is given with this action.

Highlight this value : This action will highlight this value for this field in all Message Tables and Data Tables.

Repositioning and Resizing

Widgets can be freely placed inside the search result grid. You can drag and drop them with the three lines left of the widget name, or resize them by using the gray arrow in their bottom-right corner. To expand a widget to the full grid width, click on the arrow in its top-right corner.


If you want to expand the view of aggregated data in your Log View widget, go to Focus on the Widget to perform those steps.
