Aggregation with message detail

Hello, I’ve set up Graylog to test to see if it will be able to provide some detail we’re currently getting from Fire Mountain ELM Enterprise Manager.

We have an event view in ELM that has a summary of the errors/warnings that have been collected over the last 24hrs. I’m trying to duplicate that in Graylog.

I’ve created an Aggregation in Search that is doing what I want, except I’d like to get the message details, and possibly the last generated time of the alert (that would be secondary).

Here’s an example of what we get in ELM:

If I add in either “Message” or “Full message” I get the following error:
While retrieving data for this widget, the following error(s) occurred:
OpenSearch exception [type=search_phase_execution_exception, reason=all shards failed].

Adding “winlogbeat_error_message” makes the search come up empty…

Any help would be great, just getting started with Graylog, so I know nothing :slight_smile:

Thanks,
Joel

Do you actually need to do an aggregation, i.e. a show distinct or something like that, or are you just after a table view? That's more what it seems like you are after, looking at the example from the old product.

If you just need a table view, you can add columns to the message view and then save that as a saved search to view it anytime you want; you can even turn off the message preview so that it is strictly a table of fields. You can access all those options by clicking the pencil in the top right of the message table on the search page, which takes you to the screen pictured.

The reason I was starting with aggregation is I want a count of the messages, not each message displayed separately. If I’m seeing your screenshot right, that would show each occurrence of a duplicate event separately?

Thanks!!
Joel

Really, if adding “message” to my search worked, I’d have what I’m looking for :slight_smile: I’m not sure why I’m getting this error when I add it:

Can anyone else confirm this experience when adding “message” to an aggregate search? I’d like to confirm if this looks like a bug, or if I have something misconfigured.

If this could be added to aggregate, it would do what I want too, but it is not an available option:

Thanks,
Joel

In case anyone else is curious, I did get a reply from the Graylog GitHub:

Graylog leverages OpenSearch, which does not allow aggregation on text fields by default. The message field is typically stored as a text type, which is not optimized for aggregations. Aggregations in OpenSearch require fields to be of the keyword type, which is designed for exact matching and efficient indexing. Since the message field is often analyzed and tokenized as text, it cannot be directly aggregated. To enable aggregation, you would need to create a keyword field or use a pipeline processor to extract relevant data and store it in a more suitable field type.

Joel
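The text-versus-keyword point in the GitHub reply above, shown as an added example that is not part of the thread, Graylog or OpenSearch. It uses a simplified stand-in for the standard analyzer to show what a terms aggregation over an analyzed `message` field would actually be counting (tokens, not messages), beside the same aggregation over an exact-value keyword field, which gives the per-message counts the original post was after. The `message.keyword` multi-field mapping, the `timestamp` field name and the use of a custom index mapping template are assumptions for illustration, not confirmed by the thread.

```python
"""Why aggregating an analyzed text field is refused (and would be useless),
versus aggregating an exact-value keyword field. Added example; the analyzer
is only an approximation of OpenSearch's standard analyzer."""
import re
from collections import Counter

# Constructed sample of repeated Windows-style event messages (not real data).
SAMPLE_MESSAGES = [
    "The DNS server was unable to open socket for address 10.0.0.5",
    "The DNS server was unable to open socket for address 10.0.0.5",
    "Service Control Manager: the Spooler service terminated unexpectedly",
    "The DNS server was unable to open socket for address 10.0.0.5",
    "Service Control Manager: the Spooler service terminated unexpectedly",
    "Disk C: is at 93% capacity",
]


def analyze(text):
    """Approximation of the standard analyzer: lowercase and split into word tokens."""
    return re.findall(r"[a-z0-9.]+", text.lower())


def terms_over_text(messages, size=3):
    """What a terms aggregation over the analyzed text field would count:
    individual tokens across all messages, never whole messages."""
    counts = Counter(tok for m in messages for tok in analyze(m))
    return counts.most_common(size)


def terms_over_keyword(messages, size=3):
    """Terms aggregation over a keyword field: the untokenized exact value,
    so each distinct message is one bucket with its occurrence count."""
    return Counter(messages).most_common(size)


def keyword_multifield_mapping(field="message", ignore_above=256):
    """Mapping that keeps full-text search on the field and adds an exact-value
    `<field>.keyword` subfield for aggregations. Assumption: applied via a custom
    index mapping template; `ignore_above` drops oversized values from the keyword
    subfield instead of failing the index."""
    return {
        "properties": {
            field: {
                "type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": ignore_above}},
            }
        }
    }


def terms_aggregation_request(field="message.keyword", size=10, ts_field="timestamp"):
    """Search body counting each exact message, with the last time it was seen
    (the secondary wish in the original post) as a nested max aggregation.
    Field names are assumptions."""
    return {
        "size": 0,
        "aggs": {
            "by_message": {
                "terms": {"field": field, "size": size},
                "aggs": {"last_seen": {"max": {"field": ts_field}}},
            }
        },
    }


if __name__ == "__main__":
    print("text field buckets   :", terms_over_text(SAMPLE_MESSAGES))
    print("keyword field buckets:", terms_over_keyword(SAMPLE_MESSAGES))
```

Run stand-alone, the first line shows buckets such as `the` and `service`, which is what fielddata on a text field would hand back; the second shows one bucket per distinct message with its count. The same idea applies to the suggestion in the reply to use a pipeline rule instead: copying a summary into a separate field that is mapped as keyword yields exact-value buckets for that summary.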