Quick Seq tip, limit log searches to the last day by default
When searching for log events in Seq, by default Seq will keep searching, further and further back in time, until it either finds enough of the events you’re looking for to fill a page, or reaches the beginning of the stream… sometimes several years ago!
On big servers, it’s often nice to conserve resources by limiting searches to the last day (or hour, or seven days) by default. Until Seq 4.x, there wasn’t a tidy way to do this. Here’s how to achieve it with the new version:
1. Create the Last day signal
Seq exposes @Timestamp
on every log event. Along with the built-in Now()
function, and duration literals like 1d
, this means a filter can be used to select a time range:
@Timestamp > Now() - 1d
Creating a signal with this filter, called Last day, will give you a one-click way to apply the filter.
Seq handles the time range constraint efficiently behind the scenes. You can use h
to specify a number of hours, e.g 24h
, if you want to fine-tune the duration.
2. Add the signal to your user profile
If you want the Last day signal applied whenever you open the events screen, just click your username, select Preferences, and add Last day to the list of default signals:
Now, whenever you navigate to the events screen without another signal being explicitly (deep-) linked, the Last day signal will be applied.
To search back farther than a day, just click the signal name to de-select it.
It’s been a bit quiet here so far in 2018… Work on the next feature release of Seq with Linux/Docker support is in full swing: I’m doing a lot of learning and programming, but not as much writing as I’d like. I hope you’re all having a great 2018. Stay tuned, more to come soon! :-)