Cardinality on message

kommradHomer · September 1, 2020, 7:36am

Hello ,
I have messages like

“trying cardinality:[3,5,7]”
“trying cardinality:[3]”
“trying cardinality:[3,5,7]”
“trying cardinality:[5,7]”
“trying cardinality:[3,5,7]”

these are in the “message” and “fullmessage” .
I’m trying to create an event definition , that catches if cardinality of these messages above are greater than 2. But I see no events generated.

Does cardinality not work on strings ? or if I simply have some number in the message like “trying cardinality:1234” , how do I run the cardinality on the numeric part of the message ?

ttsandrew · September 1, 2020, 11:20pm

Hello @kommradHomer, welcome!

You can use an extractor to copy the numeric portion of the message into its own field and then create an event definition against that. Personally I am partial to regex extractors but there are many options available, just be sure to set one up and then apply a numeric transformation to the field once the number is extracted.

system · September 15, 2020, 11:20pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field statistics/chart on extracted number showing NAN? Graylog Central (peer support)	3	2023	June 20, 2018
Unable to get some REGEX extractors working Graylog Central (peer support)	3	755	November 19, 2019
Extractor numeric search is not working as expected Graylog Central (peer support)	2	398	January 11, 2019
How to find integer Graylog Central (peer support)	2	206	June 13, 2023
Regex Search in message / Chars like ", ==, <=, etc / Problem Graylog Central (peer support)	5	804	October 14, 2019

Cardinality on message

Related Topics