I'm storing data from Drupal into syslog into Graylog. I'd like to find all messages based on their severity (what Graylog seems to call level).

Here's a screenshot of some messages showing the "Level" field. These all happen to be Notices, but the search I entered is finding the word "Notice" in the message field, not in the Level field.

Since the Drupal logs are going through syslog (and Drupal's watchdog severity matches RFC 5424 severity levels) the levels you're looking for are stored in graylog by their numeric ID, e.g. 0-7.

So, use search "level:5" to find messages with a severity level of notice.

I found this notation out by clicking into a Graylog message and then clicking on the level field. Clicking on a field within a message highlight will put that field into the search section where you can see the notation required.

I don't know if this is going to be useful or not, but Graylog identifies level in a numeric fashion according to syslog system.

• 0=Emergency
• 1=Alert
• 2=Critical
• 3=Error
• 4=Warning
• 5=Notice
• 6=Informational
• 7=Debug

Based on that, to search for a Warning message your search in Graylog can be as simple as:

level:4

in the search bar of Graylog. You may also use less that expression like:

level: <=4

Since the Drupal logs are going through syslog (and Drupal's watchdog severity matches RFC 5424 severity levels) the levels you're looking for are stored in graylog by their numeric ID, e.g. 0-7.

So, use search "level:5" to find messages with a severity level of notice.

I found this notation out by clicking into a Graylog message and then clicking on the level field. Clicking on a field within a message highlight will put that field into the search section where you can see the notation required.