Hi! I am getting info from an Apache server and this weekend i added the response time in ms and sec in the log. Today i modified my grok extractor like this:
%{IPORHOST:clientip} %{HTTPDUSER:UNWANTED} %{USER:UNWANTED} [%{HTTPDATE:timestamp}] “(?:%{WORD:HTTP_method} %{NOTSPACE:request}(?: HTTP/%{NUMBER:UNWANTED})?|%{DATA:rawrequest})” %{NUMBER:response_code} (?:%{NUMBER:bytes;int}|-) “-” “%{GREEDYDATA:UNWANTED}” %{NUMBER:response_sec;int}/%{NUMBER:response_ms;int}
As you can see both fields are created as int.
I tried to create a graph with the average value in the last 15 min. What i did was go to generate chart (on the response_ms field) -> customize (in the new created graph) -> value but i don’t see an average option (i see max, min, total, sum, etc.).
Just to be sure i checked the field info and it is a numeric field
curl -X GET http://localhost:9200/graylog_126/_mapping/field/response_ms?pretty
{
“graylog_126” : {
“mappings” : {
“message” : {
“response_ms” : {
“full_name” : “response_ms”,
“mapping” : {
“response_ms” : {
“type” : “long”
}
}
}
}
}
}
}
My graylog version is 3.0.0-12
Do you what i am doing wrong? In the docs i see that you have to use the aggregate option but i dont see the option anywhere. Is it a version issue?
Does anyone give a hand with this? I can’t find information anywhere
I don’t think it’s a so called version issue, although the location and views have changed fairly significantly from 3.0 to the current 3.2.4. The aggregate option is available under the views section. Not in the default “Search” section. in 3.2, they simplified the views and search into a single section.
Ok, thanks. But where is view section? In the top bar i see search, streams, alerts, dashboards, sources, system, and in the documention it says:
“A views contains a set of queries. Each query has a collection of widgets which display messages and charts depending on the search string entered in the search bar and the selected time range. A view can be saved with a name to keep the current progress and continue later on. Saved views can be shared, so other people can use them in their processes. For a better work flow Parameters can be added in the search query. Parameters are part of the Graylog Enterprise plugin.”
But i doesn’t explain how to access the option or access my current views.
I have a saved query but i don’t know how to use that as a view.
Edit: Just found a tutorial (https://www.graylog.org/videos/views) and it seems that is a Enterprise version feature if i am not mistaken. I will have to upgrade to version 3.2 apparently if i want it in a community/free version. Unless someone points out a way to do it in the 3.0 with a free license.
Enterprise license is free also for under 5GB ingest. just need to sign up for it. Otherwise, yes, you will need to upgrade to 3.2 to get the new views.
probably should’ve included the link 
Great, thanks for the help. I will start planning for an update.
you’re welcome… good luck… and make sure to check the release/upgrade notes for the versions.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.