Add button to message panel: "Show all messages within +- X seconds"

A few weeks ago I introduced Graylog at my work and so far my team is very satisfied with it. Our setup deals with approx. 1000 msg/s. However there is one missing piece of functionality which would make the life of my team much easier.

Often we spot a problem by searching for messages of severity Error. In order to understand the cause of an Error, we have a look at all (i.e. no message filter is active) other log messages around the same time. Hence the following procedure always starts:

1. We copy the timestamp of the Error message to the clipboard.

2. We clear the message filter.

3. We select the absolute time search.

4. We paste the timestamp to the From as well as to the To placeholder field.

5. We subtract a few seconds from the From time.

6. We add to the To time a few seconds.

7. We click on "Search" and inspect the result in order to understand what caused the Error.

I would suggest adding a new button to the message panel:

"Show all messages within X seconds" where one would also need to add an input field for specifying X.

Alternatively, the new functionality could be integrated into the "Actions" pulldown menu: just add a new item "Show all messages within" with corresponding sub-items: 1 second, 3 seconds, 10 seconds, ...

Keep on with the great work!!!

  • Guest
  • Apr 4 2017
  • Shipped
  • Rafael Otten commented
    April 4, 2017 20:49

    Can this feature request also add the functionality so we can filter out servers or use only logging from a specific one?

    By doing time only searches, results from all servers would still be included and this creates a lot of additional “noise”.

  • Adrian Robert commented
    April 4, 2017 20:49

    [Comment originally from GitHub page that addresses this]:

    We could have the cake and eat it too by building the 'surrounding' or '+/- x seconds' functionality into the existing time search specifier widget. A third option besides 'relative to now' and 'absolute' would be added: "relative to time". This option would allow specifying an absolute time point and then relative windows backward and forward (either with sliders or dropdowns). Then a button could be added to the message detail panel (or even the results table row) "Show surrounding messages" which simply prefills that "relative to time" part of the search form.

  • Kieran Caplice commented
    April 4, 2017 20:49

    We're in a similar position to the OP, and this feature not being in Graylog at the moment is a deal breaker. It's the specific thing we're looking for in log management software.

  • Gabriel Netto commented
    April 4, 2017 20:49

    This seems like an easy-to-add functionality that would decrease the time it takes to search for the cause of an issue. Really hoping this can be added. I would take a crack at it if my manager would give me permission to spend the time.

  • Alexander von Gluck IV commented
    April 4, 2017 20:49

    This is the #1 feature all of our developers miss coming from logentries.

  • Guest commented
    April 4, 2017 20:49

    This dovetails into event cross correlation. Essentially, search for all events which occur within 5 minutes of each other containing the same IP address. +1

  • Admin
    Lennart Koopmann commented
    April 4, 2017 20:49

    I am happy to announce that this was released in v2.0 final yesterday! :) Closing this idea.