Using dashboards allows you to build pre-defined searches on your data so that important information is only a click away.

You need some domain knowledge to write search queries that get the correct results for your specific applications. If you have the required domain knowledge you can define search queries and share them with co-workers, managers, or even sales and marketing departments.

Dashboards include a range of additional features that are not available in saved searches. The main difference is the ability to define widget-specific search criteria, such as the query or time range. Dashboards also let you create multiple tabs for different use cases, display the results in full-screen mode and, as mentioned before, share the results with other people.

This guide will take you through the process of creating dashboards and storing information on them. At the end you will have a dashboard with automatically updating information that you can share with anybody or just a subset of people depending on the permissions granted.

Creating a New Dashboard

Navigate to the Dashboards section using the link in the top menu bar of your Graylog web interface. This page lists all dashboards that you are permitted to view. (Permissions are addressed in a later section.) Select the Create new dashboard button to create a new, empty dashboard.
You should now see your new dashboard. Once you have created your dashboard, click the Save as button on the right side of the search bar to save the dashboard.
This will open a modal where you can define a title, summary, and description.

The only required information is the title of the new dashboard. Use a specific title that is not too wordy so people can easily understand what to expect from the dashboard. The description can be a bit longer and could contain more detailed information about the displayed data or how it is collected.

Next, we will be adding widgets to the newly created dashboard.

Adding and Configuring Widgets

You should see an empty dashboard in front of you. Now, let’s add some widgets! You can add search result information to a dashboard with a couple of clicks. Adding widgets to a dashboard works the same way as the main search page does. Have a look at the Widgets page for a more detailed description of different widget types and how to create them.

Widget Specific Search Criteria

As previously stated, the main difference between dashboards and saved searches is the possibility to define widget-specific search criteria.

First, to edit a widget, hover over the widget in your dashboard and select the Edit button.

Then, you can define your search criteria for the selected widget. This can include the time range, search query, and stream selection, depending on your specific search query.

The main search bar still exists, but it only lets you override the widget-specific search. The widget-specific search criteria persist, whereas search options configured in the main search bar are not saved in the dashboard.

Examples

For all the examples, you need to create an empty Aggregation and open the edit modal.

  • Top log sources

    • Example search: *, timeframe: Last 24 hours
    • Select visualization Data Table
    • Add row pivot source
    • Add metric count(source)
    • Select sorting count(source)
    • Save the widget
  • Number of exceptions in a given app today

    • Example search: source:myapp AND Exception, timeframe: Last 24 hours
    • Select visualization Single Number
    • Add metric count()
    • Save the widget
  • Response time chart of a given app

    • Example search: source:myapp2, any time frame you want
    • Select visualization Single Number
    • Add metric avg(response_time)
    • Save the widget

Results

You should now see widgets on your dashboard.

Advanced Field Types

Advanced field types (such as nodes, streams, and inputs) are displayed in dashboards by readable titles rather than their IDs. The search is performed using the id parameter, but the default display is by title, allowing you to analyze your search results more clearly.

Note that the numerical ID is still visible if you hover over a title in the search results. In addition, when writing or editing a query, both title and ID are shown for reference.

Hint: If you change the title parameter, the change will be applied to all dashboards.

Field Type Management

Field types can be changed by selecting Change field type in the drop-down menu presented when you click on any field name in your search results.

  1. Click on Change field type and select a new field type in the menu that appears.

  2. When the new field type is selected, it is changed by default in all index sets of the current message or search. You can choose to limit the change to whichever index you prefer. To do so, click on Show index sets and select the index sets you want to include.

  3. Checking the Rotate affected indices after change option will ensure that the selected indices will be rotated when the field type is changed. In this case the rotation is done immediately without waiting for the end of the rotation cycle.

  4. Note that you can also view the previous field type. It will be listed below the current field type in the menu.

Warning: Changing the field type can have a significant impact on log ingestion. Selecting a field type that is incompatible with the logs you are ingesting could lead to ingestion errors. It is recommended that Failure Processing is enabled and that the Processing and Indexing Failures stream is watched closely afterward.

Use Case

A user has ingested log messages that contain an IP address in the client_ip field. This field is indexed as keyword by default. The user can select this field and change its type to ip in the user interface. After the change has been made and the index rotation cycle is complete, Graylog modifies the index mapping template so that the client_ip field is indexed as ip.
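
A pre-change check for the use case and warning above, as an added example that is not Graylog code: before switching client_ip from keyword to ip, run sample values exported from a search through a parser to see which ones an ip-typed field would likely reject. Python's ipaddress module stands in for the search backend's ip parsing, which is an approximation; the sample values and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of client_ip values, as they might be exported from a
# search over recent messages before the field type is changed.
SAMPLE_CLIENT_IPS = [
    "192.0.2.10", "198.51.100.7", "2001:db8::1",
    "203.0.113.5:44312",      # address with a port appended
    "-", "unknown",           # placeholders some applications log
    "192.0.2.10, 10.0.0.1",   # X-Forwarded-For style list
    "",
]


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(value):
    """Return None for a bare IPv4/IPv6 address, otherwise a short reason."""
    if not value.strip():
        return "empty"
    if "," in value:
        return "multiple values"
    if "%" in value:
        return "zone id"  # assumption: treated as incompatible, to be safe
    if is_ip(value):
        return None
    # Separate the common "ip:port" case from arbitrary strings.
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and is_ip(host.strip("[]")):
        return "address with port"
    return "not an ip address"


def preflight(values):
    """Summarise which sample values would not fit an ip-typed field."""
    flagged = [(v, classify(v)) for v in values]
    flagged = [(v, reason) for v, reason in flagged if reason]
    return {
        "total": len(values),
        "incompatible": [v for v, _ in flagged],
        "reasons": dict(Counter(reason for _, reason in flagged)),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_CLIENT_IPS))
```

If the summary lists incompatible values, normalize them at ingestion before changing the field type, and keep watching the Processing and Indexing Failures stream after the rotation.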

Export a Search as a Dashboard

The previous sections describe how to create a dashboard from scratch, but you can also transform an existing search to a dashboard. All you need is to click on the three dots on the right side of the search bar and select the Export as dashboard option. The newly created dashboard is just a draft and you will need to click on the Save as button to create the dashboard permanently.

Widget Cache Times

Widget values are cached in the graylog-server by default. This means that the cost of value computation does not grow with every new device or even a browser tab displaying a dashboard. Some widgets might need to show real-time information (set cache time to 1 second) and some widgets might be updated less often (like Top SSH users this month, cache time 10 minutes) to save expensive computation resources.

Dashboard Permissions

Graylog users in the Admin role are always allowed to view and edit all dashboards. Users in the Reader role are by default not allowed to view or edit any dashboards.

Navigate to Dashboards and click on the dashboard you would like to grant access to. Click on Share and then the drop-down menu under Add Collaborator to grant permission to users or teams.

To learn more please refer to Permissions Management.

That’s It!

Congratulations, you have just gone through the basic principles of Graylog dashboards. Now think about which dashboards to create. We suggest that you:

  • Create dashboards for yourself and your team members
  • Create dashboards to share with your manager
  • Create dashboards to share with the CIO of your company

Consider which information you need access to frequently. What information might your manager or CIO be interested in? Maybe they want to see how the number of exceptions went down or how your team utilized existing hardware better. The sales team could be interested in seeing sign up rates in real time and the marketing team would love you for providing insights into low level KPIs that are just a click away.