A few new user questions

knightsg · October 14, 2017, 12:29am

I just started playing with Graylog very recently and so far it’s been a great experience. However, there are a couple of things I’m trying to do and I’m not sure of the best way (or even how) to achieve them:

Say I want to create a stream (let’s call it “A”) attached to a custom index and with that stream filtering out messages for one of our customer accounts, removing the original from “All messages”. I then want to create a bunch of other streams (“B”, “C” and “D”) that filter out the messages from stream A in different ways, both for searches and for alerting.
It seems like I can only create streams using “All messages” as the source though, so if I want streams B, C and D, I can’t do it using the streams page. It appears that I would have to set up pipelines to manually put the messages into B, C and D. Is this correct? Or am I misunderstanding how streams work?
Say I just wanted to get the number of messages in a stream for a time period, is there any way to do this? I can see a count of the number of messages at a point in time for a seemingly random time period in the ms range but this is arbitrary and not configurable by the user AFAICT.

If anyone has any input regarding the above queries I would be most appreciate of your input.

Thanks,
Guy

jan · October 15, 2017, 10:56am

@knightsg

It would be the easiest if you route all messages into “A” and then use the pipelines on the Stream “A” to route them into other streams.
If you select the Stream and change the time to “absolute” and search for everything (empty search) you will get the count of messages in this time on that stream.
This can also added to a dashboard as number.

knightsg · October 16, 2017, 7:13pm

Thanks for your reply Jan. I’ll try doing my first task the way you suggested, with pipelines.

As for the second, I did as suggested, set the time to absolute and entered a time range from x to y (5mins). The result it shows is as follows:

Found 7,840 messages in 5 ms, searched in 1 index.

To me that reads as 7,840 messages in 5 milliseconds which sounds unlikely. Does that ms actually mean minutes and not milliseconds?

Thanks again,
Guy

knightsg · October 16, 2017, 7:14pm

Actually, never mind. I realise now that the 5 ms is actually the search time, not the search period.

system · October 30, 2017, 7:14pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog alerting per unique message Graylog Central (peer support) pipeline-rules , route-to-streampl	3	863	November 1, 2017
Filter options for Live Monitoring Graylog Central (peer support) sidecar	2	1251	May 21, 2020
Trouble with Relationship between Indexes, Streams and Inputs Graylog Central (peer support)	3	1071	October 13, 2022
Drop message before "All Messages" stream Graylog Central (peer support) pipeline-rules , route-to-streampl	3	1722	April 7, 2020
Best practice for splitting one input into multiple indices Graylog Central (peer support) pipeline-rules , route-to-streampl	1	2256	August 7, 2020

A few new user questions

Related topics