Corellating log messages

hurzelchen · March 14, 2018, 12:38pm

Hi,

I’m still quite new to Graylog which I’m taking over from a colleague.

I’m currently looking for a major feature that I would need. But no search brought up something like that.

Can I correlate two or more log message with each other? I.e. can I check if a log message happened after an other one? Or in other words: Could I have a sort of state for a source that can be change by a certain message but otherwise stays unchanged?

To have a minimal example, let’s say I have the following messages from the same source:

Thing A turned red.
Thing B made a noise.
Thing A turned green.
Thing B made a noise.
Thing A turned blue.
Thing B made a noise.

Can I now filter for “Thing B made a noise while thing A was green”?

Thanks,
Dominik

alias · March 14, 2018, 3:17pm

In my opinion (not expert product), no.

The correlation involves a perfect real time log collection.
But you can create severals single alert and create a “last” alert based on previous alerts condition with operator.

system · March 28, 2018, 3:17pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Correlation logs Graylog Central (peer support)	5	1110	June 3, 2019
Backlog - finding related logs Graylog Central (peer support)	3	1745	August 7, 2017
Stream and alert (condition) question Graylog Central (peer support)	8	731	May 28, 2019
GrayLog 5 and Alerts Graylog Central (peer support)	3	255	June 30, 2023
Graylog Alerting issue Graylog Central (peer support)	1	297	March 6, 2019

Corellating log messages

Related Topics