Hi all,
I’ll start by saying I’m new to Graylog, so I’m not well versed on the back end and how exactly Graylog works. That being said, when I have an issue it’s nothing some Googling and reading the documentation can’t fix. However, I’m completely stumped with this problem.
What I want to do
- When creating a Data Table, I want to either expand or limit the number of returned values. I found this community page that pointed me to the Pivot Configuration (Graph display granularity). This helped me find how to do this, but, for me, this just doesn’t seem to work.
The problem
- When I try to edit the Pivot Configuration to anything other than 15 (the default value), the number of results either goes to zero or 1 result. If I try to change it back to 15, nothing happens. It seems the only way to get ANY results back is to remove fields from “ROWS”. The results return, but the count isn’t the same.
- I’ve made a video demonstrating this to help explain the issue (https://youtu.be/XsMpR9UKIOM). In the video I’m working with the Zeek capture_loss log. I add the fields peer and capture_lost to “ROWS” and get the expected 15 results under capture_lost. I then change the Pivot Configuration for capture_lost to 5 and the results disappear. I change the value back to 15 and nothing happens. I have to remove capture_lost from “ROWS” to get any results back, but they aren’t the same as before.
Am I using Pivot Configuration incorrectly? Is there some back end thing that I haven’t set up? I’m very confused about what is wrong.
I’m using Graylog-server 3.3.6.
Thanks for any help!