How to filter a search?

Development
1

Is there a way to filter gelf messages by some of its fields ?

Search/absolute, Search/relative, Search/keyword all search based on the timestamp created when the gelf got posted on the input.

I want to search based on the timestamps that are in my gelf message not the one created by graylog itself.

I have start_date and end_date fields in my messages and I want to filter my search based on those fields

Is it possible ?

2

you have multiple options

  • save the timestamp from your message in the timestamp field
  • ensure that the timestamp in your message is saved as timestamp (in elasticsearch) now you can search on the time in the field when you for example select search by keyword “one week” and add in the search bar your timestamp field …
3

Hi Jan, thank you for the answer.

Would it be a problem for the timestamp to be from 2016 in your first option ?

4

nope - this might only get a little tricky when it comes to retention. As you might have indices holding data for several years and not only days … but if you keep that in mind.

For Graylog it is not a problem to have data ingested from the past.

5

I see, I’ll keep that in mind.

You’ve been a great help, thank you and have a great day

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.