Graylog Enterprise, Graylog Security
Search Parameters
Companies are often striving to do more with less while responding to pressure to keep services running, improve and maintain high performance expectations, and prevent errors before they happen. Routine, relatively simple investigations of performance and security issues often require multiple searches and data sets to find the necessary answers. Each investigation starts with a different input parameter or parameters (source IP, destination IP, user ID, etc.).
Graylog’s Search Parameters make this process fast. Using a single or multiple input parameters, you can initiate common analyses and visualize the data in a large variety of charts and formats so you can quickly find and resolve issues, threats, outages, and tech support help requests. By saving parameterized searches, you make repetitive tasks and routine investigations efficient, you ensure consistency, and you can empower less technical members of the team.
How it Works
Start with one or more input parameters so you don’t have to copy and edit an old query just to change an ip address, mac address, user idSearch parameters live inside Graylog queries and saved searches. Think of search parameters as placeholders for the values you’re investigating and wanting to track, for tasks you need to do more than once, and/or saved searches you want to share with other members of the team or with other departments., etc.; and even chain queries together so the results of one search become the input parameter to the next.
Search parameters eliminate the need to build big queries to investigate or monitor items that vary (e.g., ip address, mac address, user id, etc.). By saving parameterized searches for those regular issues that come up, ensures that team members are running the same search every time it runs and as a result, they can support, monitor, investigate, systems with confidence and speed.
Search Parameters paired with Search Workflow make it possible to build and combine multiple searches for any type of analysis into one action and review your delivered results on a dashboard-like screen(or multiple tabs for really complex tasks). Best of all, you can easily save and share these parameterized Search Workflows to ensure consistency, save time and empower more junior team members.
Examples
Tasked with developing new apps fast to meet the needs of a growing user base, developers often don’t have the necessary time to thoroughly debug and test their work. By creating parameterized searches targeting known potential problem areas, newer members of the team can be active participants in the development process.
Security teams investigating threats often run into scenarios with multiple choices for specific values (e.g. ip address, mac address, user id, etc.). This is where search parameters can really come in handy by optimizing the search for real-time answers. The team creates a query using a parameter instead of a specific value and quickly gets to the root cause of any issues by eliminating the potential causes using the same script and changing the parameter.
IT Ops are always tasked with monitoring system performance, often on a 24x7 basis. 99% of the time, the team is looking at the same data. To make their job easier and free up time for other tasks, the team created a library of parameterized searches that everyone can work from. By having everyone work from the same set of scripts, the data is consistent and accurate and the team members are confident that the results they are viewing and reporting on.
Frequently Asked Questions
Do I have to write a query before I can create a Parameter?
Yes, you have to write your query first, and then you can create your search parameter.
Can I update and add/delete parameters in a saved search?
Once you’ve saved your search it is easy to modify it. Just don’t forget to save your changes to make sure they show up the next time you run the search. If you want to maintain the original search, you can make your edits and when saving, rename the search.
How many Parameters can I set?
Unlimited, but we recommend keeping it to between one and 3. After that you’ll be creating such complex queries that you’re unlikely to return any data, let alone meaningful data.
