Graylog2
Add "Yesterday" and "Today" as relative time spans for search
At present, there is no relative time span for "Yesterday" or "Today". These are a standard option in other log monitoring platforms.
What?
For events, these would default to the root user timezone. For users, these would relate to the logging in user timezone.
Today should capture the present date, from 00:00 up to the present time.
Yesterday should captures yesterday's date, from 00:00 to 24:00.
Why?
This is a standard feature of competitior platforms.
In my experience running a Splunk cluster for a buisness, these were the most-used relative time span for dashboards.
Without the addition of this feature, it is not possible for users to create a dashboard element that accurately measures Graylog Enterprise liscence usage, or triggers alerts off the same.
These are highly intuitive spans of time for human understandng of data.
Also, if the keywords are implemented already, we should also add to the drop-down This Week/Last Week; This Month/Last Month; This Year/ Last Year
Created linked issue https://github.com/Graylog2/graylog2-server/issues/11560, might make sense to knock that out at the same time.
This still isn't in place :-( 4.3.x
These are the search period that I would use the most in day to day usage of logging platforms in my previous roles.
putting it in the "relative" drop down does not look right for me. How about adding a dropdown for some often used keywords on the "Keyword" tab or maybe add some of these to the little dropdown:
Can the dropdown not consist of multiple shorter vertical columns, rather than one single long one?
The equivalent button in splunk:
