Outgrown Your Free Graylog? | 6 Reasons to Upgrade |  Learn more >>>

Free Tools
See Demo
Free Tools
See Demo

Search Workflows

The ol’ 80/20 rule: about 80% of the time you are running the same analyses over and over again, especially if you are an MSP, MSSP, or MDR. Whether you’re trying to track down a particular user session to figure out what went wrong or you were alerted to a potential threat and need to do some threat hunting, you need to gather the same types of data every time, and then keep going from there based on the results.

With Graylog’s Search Workflow, you can build and combine multiple searches for any type of analysis into one action and review your delivered results on a dashboard-like screen(or multiple tabs for really complex tasks).

Best of all, you can easily save and share Search Workflows to ensure consistency, save time and empower more junior team members.

HOW IT WORKS

Start with one or more input parameters so you don’t have to copy and edit an old query just to change an ip address, mac address, user id, etc.; and even chain queries together so the results of one search become the input parameter to the next.

To keep your search results lightning fast, be sure to set up pipelines and streams correctly so you can easily limit your search to only relevant data. From there you can build your Search Workflow by adding one or more extended searches and specifying the type(s) of input parameter(s) an analyst should initiate the search with. For repetitive tasks, save and share your search workflow for later reuse.

Just like dashboards, you can drill-down into the charts produced by your search workflow and even turn the results into a dashboard with just a click or two.

EXAMPLES

  • Tracking authentications across multiple platforms is a natural fit for Views as you can filter multiple streams with the userid. Imagine the operations team using a shared View where they can see the successful authentications, lock-outs, and failed authentications for your primary IAM, VPN, EDR, and SAML gateway all in one place by entering a single parameter.
  • Network operations teams will be able to easily leverage Views for tracking user or workstation movements. Need to investigate wireless DHCP usage? Enter a MAC address, and the relevant workstation information can be populated from AD, DHCP, and NAC/wireless.
  • Need to audit AD? You can use a View that pivots around group membership and group creation. Views support multiple parameters, so building tabs that cover both Users and Groups would follow nicely.
  • Security analysts can use parameters to track users or devices that are bridging the Trust/Untrust gap, or devices that are at risk of mixing auditable data with “out of scope” data.

FREQUENTLY ASKED QUESTIONS

  • DO SEARCH WORKFLOWS REPLACE DASHBOARDS?
    To keep your search results lightning fast, be sure to set up pipelines and streams correctly so you can easily limit your search to only relevant data. From there you can build your Search Workflow by adding one or more extended searches and specifying the type(s) of input parameter(s) an analyst should initiate the search with. For repetitive tasks, save and share your search workflow for later reuse.
    Search workflows, on the other hand, are meant for retrieving specific data around a particular incident. While the structure of the workflow may remain the same for many tasks, the starting input and resulting output will change each time. They can also be used for one-time research needs without cluttering up your Graylog console, but should you identify something that needs regular review it is just a click or two to turn a search workflow into a dashboard.
  • HOW MANY PARAMETERS CAN YOU SET?
    Unlimited, but we recommend keeping it to between one and 3. After that you’ll be creating such complex queries that you’re unlikely to return any data, let alone meaningful data.
  • WILL A SEARCH WORKFLOW WORK IF THE USER IS ALLOWED ACCESS TO ONLY SOME OF THE STREAMS USED BY IT?
    Yes, the search workflow will continue to work, but depending on the streams that the user has access to, some of the widgets and fields might not be populated.
  • CAN YOU SEND DATA IN ONE WORKFLOW AS A PARAMETER TO ANOTHER WORKFLOW?
    You never know where an investigation might lead. If you start with one type of analysis using, let’s say, your Windows Threat Research workflow, only to find out that you really need to be digging into network activity, you can change your approach. Simply click on the relevant data in your search results to send it as an input parameter to another workflow.

We've Got You Covered

Windows

Linux

Unix

JSON, CSV, TXT

Storage Mgmt

Custom Apps

Change Mgmt

Switches

Firewalls

DNS

Routers

DBMS

Commercial Apps

Products

Graylog Security
Graylog Enterprise
Graylog Open
Graylog API Security
Graylog Cloud
Graylog Illuminate
Graylog Small Business
Pricing

Features

Access Control & Audit Logs
UEBA Anomaly Detection
Graylog Content: Illuminate
Data Collection
Data Enrichment
Data Management
Events & Alerts
Investigations
Reports & Dashboards
Risk Management
Scalable Architecture
Search
SOAR

LEARN

Resource Hub
Blog
Videos
Events
Community

SUPPORT

Customer Support
Documentation
Graylog Academy
Open Community

Company

About
Leadership
Partners
Careers
News & Awards
Contact

[email protected]

Follow Us:

Linkedin Reddit-alien Youtube Github Facebook-f
Graylog Available in AWS Marketplace

GRAYLOG HEADQUARTERS

1301 Fannin St, Ste. 2000
Houston, TX 77002

GRAYLOG COLORADO

1919 14th Street, Suite 700, Office 18
Boulder, CO 80302

GRAYLOG UNITED KINGDOM

34-37 Liverpool Street, 7th Floor
London, EC2M 1PP
United Kingdom

GRAYLOG GERMANY GMBH

Poolstraße 21
20355 Hamburg, Germany

© 2025 Graylog, Inc. All rights reserved

Privacy Policy | Legal | Sitemap