Link to dashboard with parameters in URL

Hello everyone,

I would like to know from the community or from anyone working at Graylog if there is any news on a specific feature, or hope to get it a little more attention.

The feature is being able to pre-fill dashboard parameters in a URL, such as

  • time range
  • search query / “filter for all widgets”

Having this feature in future versions would be great, even better if it gets into 4.1.

This is possible for streams, e.g. via URLs like

https://graylog.example.com/streams/09a203b46ed86c190b3756f9/search?q=my_field%3Amy_value&rangetype=relative&streams=09a203b46ed86c190b3756f9&from=300

which searches for my_field:my_value in stream 09a203b46ed86c190b3756f9 for the last 5 minutes.

I cannot find a way to get a similar result for dashboards, e.g.

https://graylog.example.com/dashboards/da1d322abf780dfdd5688971/search?q=my_field%3Amy_value&rangetype=relative&from=300

From what I can understand, dashboards in 4.1 leverage the view APIs to make “queries” for all widgets including dashboard-wide parameters, and these are kept in the state of the dashboard, but there seems to be no way to initialize that state from a URL, and I am not proficient enough to contribute the feature myself.

I see that this topic has been brought up before, but I would hate to necropost, so I am providing some relevant links. A previous post in the forums is

And I also see an issue on GitHub

I hope that someone can help in giving more visibility to the feature, if it is deemed helpful. I certainly think it is, and would greatly benefit from it.

Hi,

a friend who would have liked this feature too stumbled on an interesting fact. It seems that it is not possible to do what I wanted with saved dashboards but it is possible to do it with saved searches.

It seems that saved searches store widgets, and can initialize their state using a URL, e.g.

https://graylog.example.com/search/a1dcc2731f2a9afdff1879c2?q=my_field%3Amy_value&rangetype=relative&from=300

Saved searches, it seems to me, are views just like dashboards, at least from a user perspective. At the cost of sounding pretentious, it looks like saved searches are actually completely equivalent to, if not more powerful than, dashboards. I am very interested if someone can comment on the design philosophy behind this, and e.g. if something will be done to “level the field” in a sense, simplifying and reducing redundancy for a user like me.

Hello @gian

If we are talking about the difference between Saved Searches and dashboards, from what I read in your above statements you realize that Saved Searches/Dashboards are almost, if not exactly, the same.

Dashboards: Multiple Widgets put together to form an overview of what is important to monitor in that environment. It could be from a search made and copied to a dashboard or something from a saved search. Dashboards have default roles/permissions for each Dashboard. A user needs to have permissions to see/create it. So each dashboard could be the result of individual DMZs or one Dashboard to collect what is important for that environment being monitored.

Saved Search: This is more for the individual user, perhaps trying to resolve an issue. Maybe something that can be discarded in a few hours/days. If the search has an outcome of being important, perhaps that widget will be saved to a unique dashboard for continuing to monitor that situation on a daily basis. With saved search maybe you want to create a Widget, so there is going to be some trial and error going on. On a dashboard this may interrupt the other widgets on that dashboard, so it might be best to practice somewhere else.

I agree they seem to be alike. It’s a matter of how you use them to organize your environment.

Hi,

I understand. My use case, it is true, may not be the most common, but I thought of probing the ground since it seems I am not alone in it, and that maybe I could prove the point of the improvement I am suggesting. In the end, all I would like to see is for a feature that is already present (overriding time and the filter query) to be accessible from the dashboard URL, which is done on a similar feature (searches) using what seems not-so-different machinery under the hood. The TL;DR ends here!

In the interest of constructive criticism, and if anyone from Graylog takes a look at this post, I would say that the views/searches/dashboards UX comes off as a bit unfocused. It looks to me like maybe Graylog 4 marked a big shift in those concepts, and formalizing them is still in progress. If so, here are some impressions.

The UX suggested by Graylog seems to be that dashboards are answers to questions and these questions generally do not change, so they are not supposed to be interactive. If so, this is in line with other UX designs of this kind. However, it seems that Graylog understands that someone may want to “tweak” questions, and thus provides the ability to “override” some of the details of these questions, most prominently with

  • Adding a “filter” query to all widgets
  • Overriding the time frame for all widgets

Moreover, if I understand correctly, an enterprise feature called parameters provides the ability to augment dashboards with tweakable parameters (I suppose to make it easier or possible in cases where juggling queries and overrides would require technical knowledge and/or drive one insane).

You can see that in a way, dashboards being “simple and static” is already mostly out of the window. A power user can already twist and bend a dashboard, and an enterprise power user can do it more. Just to let the cat out of the bag, if the point is having a marketable feature for the enterprise, I can understand, and others already went that route, though my impression is that it did them more bad than good in the long run (I am looking at you, Elastic) by poisoning their relationship with users. Here Graylog should probably be more upfront on what UX it wants, and whether “power dashboards” are an enterprise-only thing or not, and see how both professional customers and community users react.

On the other hand, searches seem to be supposed to be, again from a UX perspective, more of a power tool, which requires more knowledge and maintenance, and may be more powerful, but may be less shareable and understandable to outsiders. Again, this is perfectly fine from a theoretical point, and present in other similar products. The dissonance here is that saved searches are presented almost exactly like dashboards, and seem to use the same tools, but for some reason they are also “made less convenient” in some aspects.

In the end, we are left with two “abstraction flavours” that in some sense share most of the pros but have different cons, and nothing more, calling into question whether it makes sense to have them exist like they are now, e.g.

  • Searches lack some of the presentation features of dashboards (e.g. tabs, being a “first class citizen” with their own section) but allow for extensive, even superior customization
  • Dashboards would like to be presentations of data, and maybe nothing more, but still bow their head to giving users some control, but not much
  • Additionally the enterprise “parameter” feature further muddies the water for dashboards, making them a way to answer a spectrum of questions, and most prominently, making them interactive

These are just honest-to-heart opinions. I truly appreciate the work the folks at Graylog do, and it lets me do great things for free, so trying to give some suggestions is the minimum I could do; I hope it is clear that I do so without any hard feelings. I just feel that the dashboard/widget/sharing department needs some more attention to make Graylog a better product.

Hello @gian

  • Adding a “filter” query to all widgets
  • Overriding the time frame for all widgets

Just a side note, this can be kind of, sort of, done on dashboards, and if you don’t know already, Dashboards have “tabs” compared to saved searches. This would depend on what you want to do. As you know, all things can be improved on, and I know it’s a pain when you want to do something but unfortunately you can’t. I have been using Graylog since version 1.2 and throughout the years there have always been new improvements. I think the best way for your suggestions about the software would be to post here. Perhaps ask for a feature request…

I agree, in the enterprise version you can achieve more of what you want to do, and the added features that are highlighted in the enterprise version are great. As you know, when there is something new, AKA luxury, there may be a price tag on it. That is unless you do it yourself.

Just for reference, here is one of many dashboards I have. When using saved searches, sometimes there might be multiple browser tabs opened, which is not very quick for us to troubleshoot, and then there are times I will get confused on what tab is for what search. So, I created a dashboard for all my INPUTs plus a Tab for searching and watching specific devices. The bonus of this is, we only have one tab opened, and it makes it quicker to troubleshoot any issue. Everything needed to do my job in one section. As you know, all environments may be different.

Here is an example, and I quote: "A picture is worth a thousand words".

Dashboards:

Dashboard Central Command Unit Section (i.e. CIC) with a tab called Windows INPUT.

Below is a tab called Deep Searches, which is basically the global searches that you would find in “Saved Search”. So basically I created a Dashboard “tab” for Saved searches :smiley:

And again, your suggestions are always welcome. The link I posted above would be the place to go if you have an idea or feature request. I’m sure the right people will see it.

Beware of AWS :male_detective:

2018 AWS forked MongoDB → DocumentDB
2021 AWS forked Elasticsearch → OpenSearch
20?? What are they going to do next :thinking:

Hi,

thank you again for your help. I agree that tabs are useful in some cases, but unfortunately mine is not one of them.

To be clear, I have a dashboard showing events and some aggregates for a certain threat scenario, and an automated alert. Whenever the alert identifies a threat, it provides me with a list of actors responsible for it. Punching the actors in the dashboard query I can quickly identify the details of the threat, and decide if extraordinary measures are needed to stop it. That is where the URL would help me: it would allow me to include a link in the alert which pre-fills the query and time range for the detected threat and actors, and get it in my browser faster.

I think I will be solving this with saved searches in the meanwhile, but will comment on the issue on GitHub just to see if it stirs some interest.

Off topic...

I admit I have a penchant for drama, and a part of me watched the disaster unfold with popcorn and all. I hope my comment did not offend anyone; it was more for laughs than anything. I agree that AWS has a worrying history and has in the end probably made the situation worse for everyone (Graylog too) with their actions, hardly being the freedom fighters they pictured themselves to be. I still however personally feel that both MongoDB and Elastic also defended their interests in the wrong way, with very aggressive licensing models which were doomed to elicit a reaction down the line sooner or later, and breed conflict instead of collaboration. I understand the need to defend their role in the market, but as I said, things like the SSPL and Elastic License can also poison the well of community adoption and contribution, so I think that a project choosing or transitioning to such models should also accept that for some it may be a strong reason for a fork, or for losing a community entirely. Sadly this is the case for Graylog too, but I have still to see enough red flags to believe that there is a lack of good faith, so I am just worried, not scared for now!


Hello,

This sounds familiar to me; perhaps you can enlighten me on this URL with the alert. I may have done this already.

Hi, thanks again, I appreciate your continued support!

Sorry for the obscurity. I tried providing some screenshots, but they will inevitably contain a lot of sensitive data, and redacting makes them an unreadable blur. I hope some examples and description can further clarify.

Previously my alert told me that e.g. a possible threat was performed by an actor with ID 12345 from 2021-11-26T02:45:04.000Z to 2021-11-26T03:15:04.000Z, and provided me with the URL

https://graylog.example.com/streams/<stream_id>/search?to=2021-11-26T03%3A15%3A04.000Z&q=threat_actor_id:12345&from=2021-11-26T02%3A45%3A04.000Z&streams=<stream_id>&rangetype=absolute

which led to the stream view, which has the list of threat events, but only that, and as a kind of raw message list.

To better interpret results, I then made a dashboard for these threat events, which I can access from e.g.

https://graylog.example.com/dashboards/<dashboard_id>

and has aggregations for the threat scenario and a more terse threat event message list (showing only relevant fields). I can access the dashboard, and manually enter

  • The time range shown above
  • The query filter for the suspect threat actor: threat_actor_id:12345

to analyze the event reported by the alert. I would have liked to have the possibility to do something like

https://graylog.example.com/dashboards/<dashboard_id>?to=2021-11-26T03%3A15%3A04.000Z&q=threat_actor_id:12345&from=2021-11-26T02%3A45%3A04.000Z&rangetype=absolute

i.e. provide the from, to, rangetype and q parameters to the dashboard instead of manually filling them in, and get that URL in the alert instead of the one sending me to the stream view, or going to the dashboard and manually filling in the relevant parameters.

I am now getting a passable result by having a saved search that looks exactly like the dashboard (with aggregation widgets and a terse message table) and using its URL in the alerts like so:

https://graylog.example.com/search/<search_id>?to=2021-11-26T03%3A15%3A04.000Z&q=threat_actor_id:12345&from=2021-11-26T02%3A45%3A04.000Z&streams=<stream_id>&rangetype=absolute

but this means that now I have both a saved search and a dashboard to maintain. An obvious solution is switching to searches and dropping the dashboard, but as we both said, I feel that dashboards are more visible and shareable, and given the similarities I thought that showing the “issue” could help Graylog provide a better user experience by highlighting the redundancy of some features, and the shortcomings of others.

Hello,

Thank you for the reply. I was just curious, and I see you’re executing something I haven’t done before; I’m learning :smiley:

From my understanding you want the relevant information from the alert, and dashboards are not meeting your expectations? So basically just staying with Saved searches?
I have not added a URL to my saved searches or dashboards, but depending on the environment, I have done something like this.

http://graylog_server:9000/messages/${message.index}/${message.id}

This shows just the message from the alert, that’s all. Perhaps build off that.
I assume you already tried the Graylog APIs under the Views section? Just an idea…

That’s about all the info I know on what you want, but I have this bookmarked in case something comes up that pertains to this post.
