I can find the Load (and Save) buttons for saved searches in the Search dashboard of Graylog.
But not in a dashboard that I created myself. In the later i can find only buttons:
Save - saves the dashboard
Save as - saves as dashboard as another
I see the saved search action Buttons in the picture.
What I see is the Save button will save the current configuration made to the current Dashboard.
The second Button I see is the Save As to create a new name for the dashboard your currently in.
EDIT: Sorry I missed this question.
Yes, and for example lets say you were searching for Windows EventID’s in 5 minutes this would be how you do that as shown below.
This is how my (user-made) Dashboard looks like - image. As you can see there are no Save/Load buttons for saved searches. There are only Save and Save As buttons for the dashboard itself.
The only place where I can find Save/Load buttons for saved searches is the Graylog Search dashboard. The one you open from the Search link on the Main Menu.
But not in any dashboard I create myself for my Content Pack.
I think I’m understanding the questioned now.
Your looking for Saved Searches on your dashboard, If that’s correct then yes you would have to navigate to your global search in the upper left of the screen and load it from there.
I am not looking to set anything in the Search string of aggregates in my Dashboard.
I am looking to have a Load/Save of the main search in my (!) dashboard.
Is that possible?
The goal is: User searches the dashboard as (ex.):
for DB Access actions: ACTION_NAME:LOGON OR ACTION_NAME:LOGOFF
for DB Access errors: ACTION_NAME:LOGON AND RETURN_CODE!=0
for Data Change: ACTION_NAME:INSERT OR ACTION_NAME:DELETE OR ACTION_NAME:UPDATE
…
and many stuff like that - namely: viewing logs by different categorization based on DB functionality.
The user must be able (as in Graylog Search dashboard) to Save and Load this searches. Because if not, he would have to write it every time from the scratch, and this would seriously undermine the practical usage of the dashboard
What I showed was not a aggregates it was a search in my dashboard showing you that it will effect all widgets within that dashboard sorry if I didn’t make that clear.
When your done with those searches. Click the save Button On the Dashboard.
Unless you want to Copy the current dashboard with a different name Click " Save AS".
Load button is only in Saved Searches. If you require a search within a dashboard that is created already then click the SAVE button. I apologies if I’m not understanding you correct. It confusing when you stated you want to save a search in your dashboard and I can clearly see the SAVE button and no you cant load another dashboard/Saved Search when your within a dashboard you need to either click the Dashboard tab or go to the Search tab and click load.
Hope that helps
EDIT: When you do Click Save button on the dashboard be carful it will over write it and your current configurations maybe be over written.
Just an FYI when i state Widgets those are my saved searches I created so I can move them to different dashboards.
“Load button is only in Saved Searches”
so saved searches are NOT available in user-made dashboards?
I mean in the main search - not talking of each widget.
@gsmith:
Just to make sure I’m understand you correct.
User makes a dashboard
User searches the following DB Access actions: ACTION_NAME:LOGON OR ACTION_NAME:LOGOFF
User want to save that search, user clicks the save button.
Done
Altin:
Third point should be corrected as:
User want to save the dashboard with the last search, user clicks the save button.
User goes to Search tab then the User searches the following DB Access actions: ACTION_NAME:LOGON OR ACTION_NAME:LOGOFF
User Click the Save button there for the user created a saved search.
From that saved search the user can migrate that save search to any dashboard that user wants to.
Altin:
In the third point I do not see any point of saving it (the saved search) as a dashboard. This because in the Graylog Search (menu tab) dashboard the Load/Save includes not only the search time, string and stream, but also all widgets. Thus one can work faster with loading saved searches in the Graylog Search (multiple tabs can be opened also) compared to with multiple user-made dashboards.
I must underline intend to keep the same search for all widgets of a dashboard - which as per docs is the main dashboards feature.
At this point I intend to ask a new question, kind of: “content packs - better use saved-searches or dedicated dashboards”
@gsmith:
Correct me if I’m wrong but I think I’m understanding?
EDIT: after reading over this, Ill be honest it would be nice to Load a save search from the dashboard.
Perhaps posting a feature request
Altin:
I think yes - dashboards must enable load/save of saved searches, at top level, and not only in widgets
100 users collaborate on one dashboard. This dashboard holds different save search’s (in the form of widgets) from each of the 100 users personal collection of Save Search’s. I would use save-searchs in my content pack. For the simple fact I wouldn’t want to loss there personal data. Not only that you can always collaborate on a new dashboard
100 users has 100 individual dashboards and no Save Search’s then I would use dedicated dashboards in my Content pack. Since users are only creating dashboards which is a form of a save search.
EDIT: Just to be clear, A dashboard are a collection of search’s in one spot for better clarity without loading different Saved Search’s.
lets say I want to know if a user fails logon a Linux machine, remote connect was made on a device and a Windows Directory operation was performed. All these have there own stream, there own index and search criteria. This is what that dashboard would look like.
Each of the Widgets you see on that dashboard come from a Global search that was saved then migrated to a collaborated Dashboard ( multiply users added or subtract searches). As shown below is an example of one of those widgets ( i.e. saved search’s). You will noticed there is a specific stream connected to this widget, on this dashboard.
In short:
There are no saved searches loaded/saved in user made dashboards for the main search (not the wigets). This feature is available only on Graylog Search dashboard (the one opened by the Search link on main menu).
