I am using Graylog to monitor DNS resolution errors.
Is there a way to trigger an alert based on field cardinality? I don’t want to use the absolute number of failed queries per time interval, which can be easily triggered by a single misconfigured client, but the cardinality of DNS requests and client IP addresses.
Is there any way to do this? I see that it’s easy to generate graphs of field cardinality, which are really useful. It would be great to be able to generate alerts based on that as well.
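As an added illustration (not Graylog code and not part of the original post) of the distinction the question draws, the following Python computes, per time window, both the raw count of failed DNS queries and the cardinality of client IPs and query names, so a single noisy client trips the count-based check but not the cardinality-based one. The log format, thresholds and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <client_ip> <query_name> <rcode>".
# Window 1: one misconfigured client repeating the same failing query.
# Window 2: six distinct clients each failing on a distinct name.
SAMPLE_LOGS = [f"2024-01-01T10:00:{s:02d} 10.0.0.5 printer.corp NXDOMAIN" for s in range(8)]
SAMPLE_LOGS += [f"2024-01-01T10:05:{i:02d} 10.0.0.{10 + i} host{i}.bad.example NXDOMAIN"
                for i in range(6)]

FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL"}  # assumed set of rcodes that count as a failure


def parse(line):
    """Split one constructed log line into (timestamp, client, query, rcode)."""
    ts, client, query, rcode = line.split()
    return datetime.fromisoformat(ts), client, query, rcode


def window_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def evaluate(lines, window_min=5, count_threshold=5, card_threshold=5):
    """Return per-window stats plus whether a count-based and a cardinality-based rule fire.

    The cardinality rule requires BOTH many distinct clients AND many distinct
    query names, so one client hammering one name cannot trigger it.
    """
    buckets = defaultdict(lambda: {"count": 0, "clients": set(), "queries": set()})
    for line in lines:
        ts, client, query, rcode = parse(line)
        if rcode not in FAILURE_RCODES:
            continue
        b = buckets[window_start(ts, window_min)]
        b["count"] += 1
        b["clients"].add(client)
        b["queries"].add(query)
    results = {}
    for start, b in sorted(buckets.items()):
        client_card, query_card = len(b["clients"]), len(b["queries"])
        results[start.isoformat()] = {
            "count": b["count"], "client_card": client_card, "query_card": query_card,
            "count_alert": b["count"] >= count_threshold,
            "card_alert": client_card >= card_threshold and query_card >= card_threshold,
        }
    return results


if __name__ == "__main__":
    for start, r in evaluate(SAMPLE_LOGS).items():
        print(start, r)
```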