
Dashboards

A dashboard is a customizable view that displays real-time or historical data from log sources, allowing you to monitor, analyze, and visualize key metrics in one centralized location. Dashboards are made up of widgets, which are individual display elements that can show aggregated data in various formats, such as charts, graphs, or single-value metrics, or disaggregated data in the form of log message tables. For more information, see Widgets.

Dashboards you create can be customized to fit your use case. For example, you might create dashboards for any of the following purposes:

  • System Health and Performance: Monitor performance metrics (CPU load, memory, response times) to maintain system health and address issues quickly.

  • Log Aggregation and Analysis: Consolidate and analyze logs from various sources for troubleshooting and compliance.

  • Compliance Reporting: Display compliance-relevant log data for easier audit trails and adherence to standards.

  • User Behavior Tracking: Monitor access logs and activity patterns to spot unauthorized access or unusual behavior.

  • Custom Metrics for Management: Display critical metrics like uptime and service health, offering a high-level system overview for managers.

There are also a number of pre-built dashboards available in Security Data Lake. For example, Security Data Lake Illuminate content packs include dashboards tailored to specific log sources and security use cases, and Security Data Lake Security provides pre-configured, interactive dashboards designed to help security teams monitor, detect, and respond to security incidents.

You can also share dashboards with key stakeholders. See the Share Dashboards section for more information.

This article guides you through the process of creating new dashboards and customizing them to your use case. Additionally, we cover how to build dashboards with automatically updating information, which can be shared with any authorized user or user group.

Dashboards vs Saved Searches

While dashboards and saved searches are both ways to preserve and show subsets of data, they serve fundamentally different purposes. Dashboards are visual indicators used to monitor and present data at a glance. A saved search allows you to save specific search queries, including any filters, time ranges, and parameters you have configured, so you can easily access and run these searches again at a later time.

That said, each widget on a dashboard carries its own search criteria, so a dashboard preserves queries as well. See the widget search criteria section of the widgets documentation for more information.

Note

A search bar is also displayed at the top of each user-created dashboard by default. It overrides the widget-specific searches only temporarily, to display different results at the time of the search; it does not alter the search criteria each widget is configured with.

Create a New Dashboard

Complete the following actions to create a new custom dashboard:

  1. Select the Dashboards tab in the top-level menu. This page lists all dashboards that you are permitted to view.

  2. Select Create new dashboard to create a new, empty dashboard.

  3. Select Save as.

  4. Enter descriptive information for the new dashboard in the dialog box. Note the title is the only required piece of information. Use a brief and unique title so other users can easily understand what to expect from the dashboard. The description can be longer and can contain more detailed information about the displayed data or how it is collected.

Now you can add widgets to your newly created dashboard! See Widgets for more information on creating and adding widgets to dashboards.

View Advanced Field Types

Advanced field types, such as nodes, streams, and inputs, are displayed in dashboards by readable titles rather than their IDs. The search is performed using the id parameter, but the default display is by title, allowing you to analyze your search results more clearly. For more about field type management, see Field Types.

[Image: Sources - hovering1.png]

Note that the numerical ID is still visible if you hover over a title in the search results. In addition, when writing or editing a query, both title and ID are shown for reference.

Note

If you change the title parameter, the change is applied to all dashboards.

Export a Search as a Dashboard

The previous sections describe how to create a dashboard from the Dashboards menu, but you can also move an existing search to a dashboard. Click on the three dots on the right side of the search bar and select the Export to dashboard option. The newly created dashboard is a draft. You will need to click on the Save as button, found in the top right corner of the draft page, to create the dashboard permanently.

[Image: export as dashboard.png]

Share Dashboards

Anyone with the Administrator role can view and edit dashboards. The Reader role cannot view or edit any dashboards by default. Sharing grants access to the dashboard object itself; what a collaborator actually sees in its widgets still depends on which streams they are permitted to read, so check stream permissions as well before relying on a shared dashboard as a restricted view for a less privileged team. As an Administrator, to share a dashboard with a specific user or team:

  1. Navigate to Dashboards.

  2. Find the dashboard you wish to add permissions to and click Share.

  3. Select users or teams from the drop-down menu. Click Add Collaborator.

  4. Review your selection and click Update sharing.

Review Permissions Management for a full list of permissions available to users and teams in Security Data Lake.

[Image: sharing a dashboard.png]

Dashboard Use Case

Sally is a system administrator who wants to build a dashboard for her company. She wants to add aggregation widgets that display information about the company's log sources and an internal application named Zirva. She aims to have a dashboard she can show her organization's stakeholders so that they have better real-time information about the company's systems. After creating and saving the new dashboard, she adds several widgets to it. The steps she takes for each widget are listed below:

  • Sally wants to find and display the log sources that most frequently appear in the company system. She will:

    1. Enter * as the search query and set the time frame to 1 day using the time-range selector.

    2. Click the Create (+) button and select Aggregation.

    3. Click Edit to configure the widget.

    4. Select Data Table as the visualization type:

    5. Group by Row and select source as the Field.

    6. Add count as the function and source as the field under Metrics.

    7. Under Sorting, select count(source) and set Direction to Descending so that the most frequent sources appear first.

    8. Click Preview widget to view the outcome.

    9. Click Update widget to save the widget to the dashboard.

  • Sally wants to find the number of exceptions in the application Zirva, over the period of one day. She will:

    1. Enter source:Zirva AND Exception as the search query and set the time frame as last 24 hours.

    2. Click the Create (+) button and select Aggregation.

    3. Click Edit to configure the widget.

    4. Set Visualization to Single Number

    5. Set Metric to count().

    6. Click Update widget to save it to the dashboard.

  • Sally wants to create a response time chart for Zirva. She will:

    1. Enter source:Zirva as the search query and select a time frame.

    2. Click the Create (+) button and select Aggregation.

    3. Click Edit to configure the widget.

    4. Set Visualization to Line Chart, then group by Row with timestamp as the Field so that the average is plotted per time interval.

    5. Set Metric to avg(response_time).

    6. Click Update widget to save it to the dashboard.

Sally now has a comprehensive dashboard that displays data relevant to the new company application.
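As an added example that is not part of the original page, the following Python reproduces what Sally's three widgets compute over a handful of constructed messages. The field names (source, message, response_time) come from the use case; the messages, timestamps and Zirva response times are invented for the example. Search matching is approximated: source:Zirva AND Exception is treated as an exact match on source plus a case-insensitive substring match on the message field, which is a simplification of the real query parser.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# A fixed "now" so that relative time ranges (last 24 hours) are reproducible.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample messages standing in for the search results behind the widgets.
# response_time is in milliseconds and only present on Zirva messages.
MESSAGES = [
    {"timestamp": NOW - timedelta(hours=1), "source": "Zirva", "message": "NullPointerException in OrderService", "response_time": 850},
    {"timestamp": NOW - timedelta(hours=2), "source": "Zirva", "message": "GET /orders 200", "response_time": 120},
    {"timestamp": NOW - timedelta(hours=3), "source": "Zirva", "message": "TimeoutException calling inventory", "response_time": 3000},
    {"timestamp": NOW - timedelta(hours=30), "source": "Zirva", "message": "IOException on startup", "response_time": 40},  # older than 24 h
    {"timestamp": NOW - timedelta(hours=4), "source": "firewall", "message": "DROP TCP 10.0.0.5 -> 10.0.0.9:22", "response_time": None},
    {"timestamp": NOW - timedelta(hours=5), "source": "firewall", "message": "DROP TCP 10.0.0.6 -> 10.0.0.9:22", "response_time": None},
    {"timestamp": NOW - timedelta(hours=6), "source": "web01", "message": "GET / 200", "response_time": None},
]


def in_time_range(msg, hours):
    """Equivalent of the time-range selector set to the last `hours` hours."""
    return NOW - timedelta(hours=hours) <= msg["timestamp"] <= NOW


def matches(msg, source=None, term=None):
    """Approximation of a query like `source:Zirva AND Exception`: exact match on
    source, case-insensitive substring match of the bare term on the message field."""
    if source is not None and msg["source"] != source:
        return False
    if term is not None and term.lower() not in msg["message"].lower():
        return False
    return True


def top_sources(messages, hours=24, limit=15):
    """Widget 1: query `*`, Data Table grouped by source (rows), metric count(source),
    sorted by count(source) descending. `limit` mirrors the default of 15 row values."""
    counts = Counter(m["source"] for m in messages if in_time_range(m, hours))
    return counts.most_common(limit)


def exception_count(messages, source="Zirva", hours=24):
    """Widget 2: query `source:Zirva AND Exception`, Single Number, metric count()."""
    return sum(1 for m in messages if in_time_range(m, hours) and matches(m, source, "Exception"))


def avg_response_time_per_hour(messages, source="Zirva", hours=24):
    """Widget 3: query `source:Zirva`, Line Chart grouped by timestamp (rows, one-hour
    interval), metric avg(response_time). Messages without the field are skipped,
    as the average function ignores messages that lack the field."""
    buckets = defaultdict(list)
    for m in messages:
        if in_time_range(m, hours) and matches(m, source) and m["response_time"] is not None:
            hour = m["timestamp"].replace(minute=0, second=0, microsecond=0)
            buckets[hour].append(m["response_time"])
    return {hour.isoformat(): sum(v) / len(v) for hour, v in sorted(buckets.items())}


if __name__ == "__main__":
    print(top_sources(MESSAGES))              # [('Zirva', 3), ('firewall', 2), ('web01', 1)]
    print(exception_count(MESSAGES))          # 2
    print(avg_response_time_per_hour(MESSAGES))
```

Note that the 30-hour-old IOException is excluded from the exception count purely by the time range: the widget's query and its time range are separate criteria, and both have to match.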

Widgets

Security Data Lake widgets offer a powerful way to visualize data and build meaningful dashboards. Widgets provide new perspectives on data because they primarily represent aggregated data: a widget that charts firewall log data, for example, can show you failed attempts to infiltrate your systems within the last 24 hours. Displayed as a graph or bar chart, this information gives you a better understanding of your environment at a glance.

In this article, we will explore the different widget types, how to create new widgets, and how to configure widgets to suit your desired results.

Widget Types

The main widget types you can employ to visualize your data are described below:

Pre-Defined Widgets

Widgets can be configured from scratch or you can choose to make use of pre-defined widgets. These widgets have pre-defined metrics that you can optionally add to. Here is a list of predefined widgets that you can find on the side bar of the Search page, by clicking the + icon:

  • Log View: Presents log data in a format similar to common log format with timestamp, source and message fields predefined.

  • Message Count: The message count widget displays the total number of log messages that match the specific search criteria over a time period that you determine. This widget is commonly used to monitor log volume trends and get quick, high-level insights into log activity. The message count widget is predefined with the Count function and Single Number visualization.

Aggregation Widgets

An aggregation is a collection of data that has been grouped and organized meaningfully to provide an answer to a question you have about your data. This approach allows you to focus on the desired fields, functions, or metrics you want to know more about.

Aggregation widgets enhance this process by offering tools for organizing, visualizing, and interpreting search results from various perspectives. Aggregation widgets allow you to group data, apply metrics, and sort fields (e.g. ascending or descending) to reveal meaningful insights. For example, if you want to see which page on your website takes the longest amount of time to render, you can aggregate on the took_ms field and sort the results in descending order to determine the answer.

These widgets support features like showing the top values for quick data discovery and various visualization options to make data clearer. They are especially useful in dashboards, enabling side-by-side comparisons of multiple queries on the same page.

Message Table Widgets

A message table widget displays messages and their fields. Below you see a message table widget that displays messages with their timestamp and source fields. These widgets allow for a more granular examination of individual messages. Message-level searches are crucial for investigations and any time you need detailed information.

You may also see the detailed view of a message with all its fields by clicking on a message row. All fields in a message can be added to the table as a column through the configuration menu.

[Image: message table with details.png]

Create a New Widget

You can create a new widget after running a search. As widgets are visual representations of specific sets of data, you define the data you want to see in the widget by executing a search for that specific set of data. Once you have executed the search successfully and defined any filters and parameters as needed, complete the following steps to create a new widget on the search page:

  1. Click Create + in the sidebar.

  2. Select one of the following based on your desired widget output:

  • Generic: Adds an empty aggregation widget.

    Note

    Note that Parameter is an option under the Generic category; however, it only adds a parameter to your search and is not a widget type.

  • Predefined Aggregation: Select from Log View, Message Table, or Message Count.

  • Events Overview: Adds a widget displaying all events and event definitions. This widget comes with default columns and sorting. It can be modified via the configuration menu.

  • Investigations Overview: Adds a widget that includes all active alerts and investigations. This widget comes with default columns and sorting. It can be modified via the configuration menu.

By default, creating a new widget from the search page will populate the search page with that widget. This can be helpful for temporarily visualizing your search results or if you want to keep your widget on the search page. Ultimately, widgets are most useful and can be readily shared when added to dashboards. To add your widget to a dashboard select Copy to Dashboard from the drop-down menu in the widget, and select the appropriate dashboard. For more information on dashboards, see the Dashboards documentation.

Configure a Widget

After you create a new widget, click the pen icon in the top right corner of the widget to modify its configurable properties. Depending on the type of visualization you have selected for your widget, there will be a number of settings available to you:

Widget-Specific Search Criteria

Widget-specific search criteria are search queries, parameters, and filters applied to logs that determine the specific set of log data a widget will display.

Within the configuration menu for the specific dashboard widget you have selected, a search bar will appear at the top. This is where you can run a query for data that will be included in the widget. Additionally, you can apply search filters and search parameters to this query as needed.

Note

A search bar is also displayed at the top of each user-created dashboard by default. It overrides the widget-specific searches only temporarily, to display different results at the time of the search; it does not alter the search criteria each widget is configured with.

Group By

This option allows you to group your chart by rows and columns. The data points of a field will be aggregated to a selected row or column. For example, the avg() function can find the average of numeric data points of took_ms in the column.

When you create a new group using Group By, the values you select get rolled up into the result. This result can be presented in a variety of ways, like a table, chart, or color-coded.

For example, if the field timestamp is used as a row, the data points are divided into time intervals. Otherwise the aggregation takes up to fifteen values of the selected field by default and applies the selected metric function to their data points. If timestamp is the row, action is the column and the metric is avg(took_ms), each cell gives the average page load time per action for one interval (for example, every 5 minutes).

Note

For some field type selections you may be able to adjust the unit settings to determine what unit of measure is used in the display. For more information on adjusting unit settings, see Modify Widgets with the Value and Field Action Menus and Unit Settings.

Metrics

Metrics are specifications or quantitative measurements that help you find answers; they help you gain more detailed insight into your data by putting it into context. A metric may give you the average amount of time spent downloading a page or a comparison of sales made in several countries.

Metrics are determined by selecting a function and a field to aggregate on from the drop-down menus in the widget configuration modal, and they produce a numerical result. For example, sum(bytes) adds up the bytes field of all matched messages for the given time range. Plotted as a bar chart organized by time, it shows how much data is pushed into storage over a defined period.

Note

For some metric field type selections you may be able to adjust the unit settings to determine what unit of measure is used in the display. For more information on adjusting unit settings, see Modify Widgets with the Value and Field Action Menus and Unit Settings.

The Percentage Metric

The percentage metric displays results as percentages instead of raw numbers. In some cases percentages are easier to read and give better insight into results. Results can be represented as percentages in bar charts, pie charts, and data tables. To apply the percentage metric, select Percentage for the Function field in the configuration menu.

To understand the application of the percentage metric, we can look at a use case. In this example an analyst wants to understand which controllers are receiving the most amount of calls and how much difference there is between each one. They could quickly reach an opinion by viewing a comparison of the percentage of calls over controllers in a chart like the one below. Here the count metric displays the number of messages received from three different message controllers.

[Image: percentage use case 1.png]

The Percentile Metric

The percentile metric displays a percentile, that is, the value below which a given share of all samples fall. To apply the percentile metric, select Percentile for the Function field in the configuration menu. You may then select the field you are looking for along with a percentile value from the drop-down menu.

We can also look at a use case to highlight the value of the percentile metric. In this example an analyst has a web server application that reports its response times as GELF messages that are ingested by Security Data Lake. They wish to understand the application's 90th, 95th, and 99th percentile response times. These give the upper bound of response times for most requests and are a more robust baseline than an average, which a handful of slow outliers can skew.

[Image: percentile use case 1.png]
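An added example, not from the original page, showing in Python what the two metrics above compute over a constructed set of 20 calls. The controller names and response times are invented; the nearest-rank percentile below is a textbook definition and is not claimed to be the estimator Security Data Lake uses.

```python
import math
from collections import Counter

# Constructed sample: one record per request, as reported by a hypothetical web
# application. response_time is in milliseconds; two slow outliers are included on purpose.
CALLS = (
    [{"controller": "OrderController", "response_time": t} for t in (100, 110, 120, 130, 140, 150, 160, 170, 180, 5000)]
    + [{"controller": "UserController", "response_time": t} for t in (90, 95, 100, 105, 110, 8000)]
    + [{"controller": "ReportController", "response_time": t} for t in (200, 210, 220, 230)]
)


def percentage_by(rows, field):
    """Percentage metric: the share of matched messages per value of `field`,
    largest first, which is what the bar or pie chart in the first use case plots."""
    counts = Counter(r[field] for r in rows)
    total = sum(counts.values())
    return {value: round(100.0 * n / total, 1) for value, n in counts.most_common()}


def percentile(values, p):
    """Nearest-rank percentile: the smallest sample such that at least p% of all
    samples are less than or equal to it. p is an integer from 1 to 100."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = math.ceil(p * len(ordered) / 100)  # 1-based position in the sorted list
    return ordered[rank - 1]


def response_time_summary(rows, field="response_time", percentiles=(50, 90, 95, 99)):
    """Percentile metric for the second use case, with the mean alongside to show
    how a few outliers skew avg() but leave the lower percentiles untouched."""
    values = [r[field] for r in rows]
    summary = {f"p{p}": percentile(values, p) for p in percentiles}
    summary["avg"] = round(sum(values) / len(values), 1)
    return summary


if __name__ == "__main__":
    print(percentage_by(CALLS, "controller"))  # {'OrderController': 50.0, 'UserController': 30.0, 'ReportController': 20.0}
    print(response_time_summary(CALLS))        # {'p50': 140, 'p90': 230, 'p95': 5000, 'p99': 8000, 'avg': 781.0}
```

Two slow requests out of twenty lift the average to 781 ms while the median stays at 140 ms. The p95 landing on an outlier is a sample-size effect: with 20 samples the top 5% is a single request, so a percentile widget needs enough messages in its time range before its high percentiles mean anything.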

Sorting and Direction

The order of result values can be configured in this section. Sorting defines what field drives the sorting of data, and Direction determines whether it will be ascending or descending.

Interpolation

The area chart and line chart support different interpolation types. Interpolation is the estimation of values between two data points. You can select how you would like to interpolate by selecting one of the available interpolation types under Visualization: Linear, Step-after, and Spline.

Event Annotations

All visualizations that can display a timeline (i.e. area chart, bar chart, line chart, scatter plot) support event annotations. Each event is displayed as an entry on the time axis.

Visualization

A graph view can often make it easier to compare a large volume of results. For example graphs can clearly display large spikes in web traffic. Such visual displays can attract attention and help analysts to notice and respond to these events rapidly.

Security Data Lake offers a multitude of visualization types, such as area charts, bar charts, heat maps, and world maps. Choose a visualization type based on the type of data you are working with.

Note

A world map needs geographical points in the form of latitude and longitude. If you choose a heat map, you need to provide the x and y values.

[Image: visualization sample.png]

Decorators

Decorators alter how message fields are displayed in widgets while preserving the unmodified message. They are especially useful for making the data in your fields more readable, combining data in a field, or adding new fields with more information about the message.

See our documentation on Decorators for more details.

Filters

The filter configuration option is available for Events Overview and Investigations Overview widgets. This option does not refer to search filters, which may be modified in widget specific search criteria. This refers to specific ways in which you may further filter the data presented in these widgets. For example, you may choose to filter investigations by assignee or to filter events by event definition.

Modify Widgets with the Value and Field Action Menus

Value action menus and field action menus allow you to perform quick actions like removing a field from all tables or creating a new widget with all field values presented in a data table. You can also choose to highlight field values across all data tables. When you click a value or a field within a widget, you will see a drop-down menu. You can execute any displayed actions by clicking on them. See below for a full list of available field and value actions.

Field Actions

Various field actions are displayed based on field type and location whenever a field name (not its value) is selected.

  • Chart: This will generate a new widget containing a line chart where the field's average value is displayed over time. This chart can be taken as a starting point for a more refined aggregation. This action is only available for numeric fields.

  • Show Top Values: This action will generate a new widget containing a data table where the field values are listed in rows and the number of occurrences will be displayed next to it.

  • Statistics: Here field values are given to various statistics functions depending on field type. The result will be displayed in a data table.

  • Add to Table: Add the field to the displayed fields of the message table where the Field Actions menu is shown.

  • Add to All Tables: Add the field to the displayed fields of all tables.

  • Remove from Table: Remove the field from the list of displayed fields in this table.

  • Remove from All Tables: Remove the field from the list of displayed fields in all tables.

  • Copy Field Name to Clipboard: Copies field name to clipboard.

  • Change Field Type: Change the field type for a specific field.

Value Actions

Value actions produce different results depending on the type of value and where the menu is opened. The following actions can be executed:

  • Insert into Dashboard/Search: Passes the value to the selected dashboard or saved search, where it is used as a parameter value.

  • Exclude from Results: Adds NOT field:value to the query to exclude all results where the field contains this value.

  • Add to Query: Adds field:value to the query to additionally restrict the results to those where the field has this value.

  • Use in New Query: Opens a new view tab with field:value as the query string.

  • Show Documents for Value: Available in data tables. Displays the messages that were aggregated to produce this value.

  • Highlight this Value: This action will highlight this value for this field in all message tables and data tables.

  • Create Event Definition: Create an event definition based on the value. See Create an Event Definition Directly From Search Results for details.
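An added example, not from the page or the product's own code, showing in Python the query strings that Add to Query, Exclude from Results and Use in New Query build. It assumes the Lucene-style syntax the search bar accepts (field:value, AND, NOT, quoted phrases); the escaping rules are the standard Lucene ones and the function names are invented. The practitioner's point: the value actions quote and escape the value for you, but if you assemble queries from user-supplied or log-derived values yourself (for example in scripts), an unescaped value such as admin OR * silently widens the query instead of narrowing it.

```python
import re

# Characters and operators with special meaning in the Lucene-style query syntax
# the search bar accepts. A value containing any of these (or whitespace) is wrapped
# in double quotes, with backslashes and quotes escaped, so it is matched literally.
_SPECIAL = re.compile(r'[+\-!(){}\[\]^"~*?:\\/]|&&|\|\|')


def quote_value(value: str) -> str:
    """Return `value` in a form safe to place after `field:`."""
    if value == "" or any(ch.isspace() for ch in value) or _SPECIAL.search(value):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return value


def _append(query: str, clause: str) -> str:
    """AND a clause onto the current query; an empty or `*` query is replaced outright."""
    query = query.strip()
    return clause if query in ("", "*") else f"{query} AND {clause}"


def add_to_query(query: str, field: str, value: str) -> str:
    """'Add to Query': keep only results where field has this value."""
    return _append(query, f"{field}:{quote_value(value)}")


def exclude_from_results(query: str, field: str, value: str) -> str:
    """'Exclude from Results': drop results where field has this value."""
    return _append(query, f"NOT {field}:{quote_value(value)}")


def use_in_new_query(field: str, value: str) -> str:
    """'Use in New Query': a fresh query consisting of field:value alone."""
    return f"{field}:{quote_value(value)}"


if __name__ == "__main__":
    q = add_to_query("*", "source", "Zirva")
    q = exclude_from_results(q, "http_response_code", "200")
    q = add_to_query(q, "message", "NullPointerException in OrderService")
    print(q)
    # A value that carries query syntax is neutralised rather than parsed:
    print(add_to_query("source:Zirva", "user", "admin OR *"))
    # Windows paths contain two special characters (':' and '\'), so they get quoted and escaped:
    print(use_in_new_query("path", "C:\\Windows\\system32"))
```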

Determine Unit Settings

Unit type determines which units are offered. If you select Size as the field type, you are presented with sizing units such as byte, kilobyte and megabyte. The unit settings configuration option is available for most numeric fields and metric functions.

Note

An icon representing the predefined unit is shown for internal fields such as gl2_ prefixed fields. Only modify a predefined unit if you are sure that it is incorrect or if you do not want to view unit values in the widget.

Each selected unit type is represented with an axis. Multiple fields with the same unit type can be displayed on the same axis. If you select to view a field with unit type size and another field with unit type time, an axis is displayed for each unit type. There are four available axes: number, size, time, and percentage.

Security Data Lake converts units for most visualization types. If you hover over a value in a widget display, you see the converted unit value. With Data Table, you can see the original field unit value when you click on the drop down arrow to the right of the converted value.

In the image below, field values are grouped by unit type. The Mode is Stack, so the two fields with the same unit type are stacked on top of each other. If you select Overlay, you see one field layered over the other.

[Image: stacked visualization.png]

Note

Heatmaps can only be used with fields that have the same unit type. There is a single scale used for this type of visualization, so different unit types cannot be distinguished.

Modify Field Unit Settings

If you wish to modify field unit settings:

  1. Click the Edit icon (pen) found in the top right corner of the widget.

  2. Locate the desired field in the widget configuration menu.

  3. Click the icon found to the right of the desired field.

  4. Select unit type and the unit in the modal that appears.

  5. Click Update preview if you wish to preview the changes you made.

  6. Click Update widget.

You can now view the converted values in the widget display.

Review Field Unit Values

Security Data Lake converts field unit values to display the best outcome in a widget view. Search results can include messages with field unit values that are not easy to understand or display. Security Data Lake formats large numbers or numbers with multiple digits to make them easier to understand. For example, if ingest_time is set to nanoseconds, Security Data Lake converts this value to seconds to achieve a readable number. Security Data Lake also modifies field unit values to display only one decimal place by default.

Note

Units in a widget view can be different from the original unit. This is because Security Data Lake converts units to the best format for a widget display.

Security Data Lake converts field unit values to allow for an accurate comparison between fields. In some cases, a widget can include multiple fields with the same unit type (e.g. size) but different units (e.g. kilobytes and megabytes). Security Data Lake formats these values to make sure that the comparison is made between fields with the same units.
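An added example (not the product's code) of the two conversions this section describes, in Python: normalising values that share a unit type but not a unit to one base unit before comparing them, and then choosing the largest unit in which the value reads as a number of at least 1, rounded to one decimal place. The unit tables are assumptions made for the example, decimal (1000-based) size units and nanoseconds as the base time unit; the product's exact tables, and whether it uses decimal or binary sizes, are not stated on the page.

```python
# Assumed unit tables for the example, base unit first and ascending. Factors give
# the number of base units per unit. Sizes are decimal (1000-based) here; the page
# does not state which convention Security Data Lake uses.
UNITS = {
    "size": (("byte", 1), ("kilobyte", 10**3), ("megabyte", 10**6), ("gigabyte", 10**9), ("terabyte", 10**12)),
    "time": (("nanosecond", 1), ("microsecond", 10**3), ("millisecond", 10**6), ("second", 10**9),
             ("minute", 60 * 10**9), ("hour", 3600 * 10**9)),
}


def to_base(value, unit_type, unit):
    """Convert `value` in `unit` to the base unit of its unit type (bytes or nanoseconds)."""
    factors = dict(UNITS[unit_type])
    if unit not in factors:
        raise ValueError(f"unknown {unit_type} unit: {unit}")
    return value * factors[unit]


def best_unit(base_value, unit_type):
    """Pick the largest unit in which the value is still at least 1 and round to one
    decimal place, which is how a widget renders e.g. 2,500,000 ns as 2.5 ms."""
    name, factor = UNITS[unit_type][0]
    for candidate, candidate_factor in UNITS[unit_type]:
        if abs(base_value) >= candidate_factor:
            name, factor = candidate, candidate_factor
    return round(base_value / factor, 1), name


def normalise_fields(fields):
    """fields: iterable of (field_name, value, unit_type, unit). Returns a dict of
    field_name -> base-unit value so that fields of one unit type compare correctly
    even when their stored units differ (e.g. kilobytes next to megabytes)."""
    return {name: to_base(value, unit_type, unit) for name, value, unit_type, unit in fields}


def largest_field(fields):
    """Name of the field with the largest value after normalisation. Comparing the raw
    numbers instead would rank 900 kilobytes above 1.2 megabytes."""
    normalised = normalise_fields(fields)
    return max(normalised, key=normalised.get)


if __name__ == "__main__":
    sample = [("request_bytes", 900, "size", "kilobyte"), ("response_bytes", 1.2, "size", "megabyte")]
    print(largest_field(sample))                                        # response_bytes
    print(best_unit(to_base(2_500_000, "time", "nanosecond"), "time"))  # (2.5, 'millisecond')
    print(best_unit(to_base(1.2, "size", "megabyte"), "size"))          # (1.2, 'megabyte')
```

The one-decimal rounding is a display choice only; normalise_fields keeps full precision, which is what you want when the comparison feeds an alert threshold rather than a chart.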

Manage Widgets

Widgets can be duplicated or deleted by clicking the chevron in the top right corner. You can also add widgets to a list of existing dashboards or place one in a new dashboard by selecting the Copy to Dashboard check box.

Widgets can also be freely placed inside the search result grid. You can drag and drop them by clicking and holding the three lines to the left of the widget name. You can resize them by using the gray arrow in the bottom right corner. To expand a widget to full grid width, click the arrow in its top-right corner.

If you want to expand the view of aggregated data in your Log View widget, see Log View Widget.

Log View Widget

Log View is a widget that presents log data in a format similar to common log format and resembles a console display. The Log View widget allows you to scroll through log events as new lines populate in real-time.

The Log View widget provides a way to investigate your log events, so you can:

  • Record faults to diagnose and debug.

  • Identify security breaches and other system and network misuses.

  • Perform audits.

The Log View widget allows you to create highly customizable reports and infographics, add reports to your dashboards, and save and retrieve reports in the event you need to review that data. You can add new values, fields, and metrics to build reports that meet your needs.

Note

Security Data Lake Open is limited to exports in CSV, as detailed in Export Search Results. Additional formats are available in Enterprise: PDF, GELF (newline-delimited), JSON, NDJSON (Newline-Delimited JSON), and Plain Text.

Create a Log View Widget

The log view widget option is located on the expandable bar on the left. To create a widget:

  1. Click the Create (+) button to extend the menu.

  2. Select Log View to generate the widget in the main UI.

[Image: 6.1 log view widget.png]

By default, the timestamp, source and message fields are presented in plain text format.

Add New Fields to the Report

You can add new fields to build more detailed reports. For example, you may need to associate activity between the website company.org and a response code.

  1. Click the diagonal arrow icon on the right side of a log line.

  2. Review and select one or more options, e.g. https_response_code.

  3. Click Save & Close.

Alternatively, add new fields via the configuration modal:

  1. Click the pen icon found in the top right corner of the widget.

  2. Locate FIELD SELECTION AND ORDER and click the drop down arrow, or type in a value.

  3. Click Update Widget to save any edits.

Focus on the Widget

Locate the Focus this widget icon in the main log view interface. Click to expand the widget to full view.

Build a Dashboard with Shareable Data

In this section, you will determine a format that best suits your message delivery efforts, and download a report. For example, you might pass on:

  • Plain text data to your peers for analysis (e.g. Log File/Plain Text).

  • Data to a logging library built in JavaScript (e.g. JSON).

  • Structured data objects to TCP or UNIX pipes (e.g. NDJSON).

The steps below use the Log View widget created in the Create a Log View Widget section, if you have configured one.

Follow these steps:

  1. Click the chevron icon to access the Actions menu.

  2. Click the downward facing arrow to access the dialogue.

  3. Select an output format.

  4. Locate the Fields to export section and add additional fields to the pre-defined options chosen in Add New Fields to the Report.

  5. Click the clock icon to configure an absolute date range. The format is displayed as yyyy-MMM-dd HH:mm:ss.SSS.

  6. (Optional) Select a number under Messages limit.

  7. Click Start Download.