Alert condition on numerical Field (value over)

Graylog Central (peer support)
1

Hi everyone,
i need information about alert Condition. We have a stream with a numerical field (size value inside). We want to raise simple alerts when value is over 1000.

On “Field Content Alert Condition” we couldn’t define a “>” parameter , just a “field” = “value” .

On “Field Aggregation Alert Condition”, we have aggregation function (min, max, sum…) but trigger condition doesn’t work …we tried a lot of combinaison to perform a “raise an alert if value of the field is over 1000 on last 5 minutes” but for me the aggregation function is not adapted to us.

Someone have an idea ?

2

is the field in elasticsearch saved as a number? If this is saved as a string the aggregation is not possible.

3

Hi @jan jan, how i can check that ?

4

You could check the index mapping in Elasticsearch:
https://www.elastic.co/guide/en/elasticsearch/reference/5.6/indices-get-mapping.html

1 Like
5

You have right @jochen , all values extracted by "csv plugin " on my pipeline are created in “keyword Type” :

image
image.png1715×87 10.3 KB

I should add a stage on my pipeline and convert desired fields to a number. Witch pipeline function is the best way to convert “keyword” to “number” ? Base*-encode function or “to_double*” function ?

regards

6

I’m pretty sure that you don’t want to have base64 encoding. :wink:

Depending on the type of number (floating point or integer), you could use to_double() or to_long().

1 Like
7

:smile: you have right.

thanks a lot.

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.