Counting lines with specific field value

Graylog Central (peer support)
1

Hi,

I have log lines like theses ones:

{"app":"app1", "needrestart":1}
{"app":"app2", "needrestart":0}
{"app":"app3", "needrestart":0}
{"app":"app1", "needrestart":1}
{"app":"app4", "needrestart":1}

And I want to make a single number dashboard to tell me there are 2 apps to restart. It seems very simple but I can’t figure how to achieve this. Note: app can have multiple entries, but only the most recent one must be used.

Thanks for your help !
Mat

2

Hi @mig

  1. seperate your logs into machine-readable fields. Field “app” and field “needrestart”.
  2. filter for needrestart:1
  3. add a widget counting the card() of the field app. This will tell you how many different values exist for the field “app”. This is the number you are looking for.

cheers,
ihe

3 Likes
3

Hi,

It works, thanks a lot. For those who don’t know (like me), the card() function means “cardinality” :smiley:

Bye.

3 Likes
4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.