Hi everyone,
I want to create a dashboard to have this information:
Example Output
| source | critical | emergency | warning | total |
|---|---|---|---|---|
| server1 IP | 2 | 1 | 4 | 7 |
| server2 IP | 0 | 0 | 3 | 3 |
Is it possible to do this with Graylog Open, or is it just an Enterprise-level feature?
Hey @kerberos2023,
Create a data table aggregation, group by source and then use the metrics function to count each of critical, emergency and warning. This does not account for the ‘total’ column.
Hi,
Thanks for the reply,
How can I create criteria on metrics?
See screenshot: is it the right approach, or do I need to do anything else?
It seems you are not parsing the severity level into its own field. In order to count each severity, you should create a pipeline and rule that extracts the severity from the body of the message field into its own field.
Thanks for your help.
For this, I need to extract the severity from the message, not severity itself.
I created this rule, but it does not work.
```
rule "Specific Logs"
when has_field("message") &&
(
contains(lowercase(to_string($message.message)), "critical") || contains(lowercase(to_string($message.message)), "emergency") || contains(lowercase(to_string($message.message)), "warning") || contains(lowercase(to_string($message.message)), "alert") || contains(lowercase(to_string($message.message)), "error")
)
then
let msg = lowercase(to_string($message.message));
if (contains(msg, "critical")) { set_field("has_critical", true); }
if (contains(msg, "emergency")) { set_field("has_emergency", true); }
if (contains(msg, "warning")) { set_field("has_warning", true); }
if (contains(msg, "alert")) { set_field("has_alert", true); }
if (contains(msg, "error")) { set_field("has_error", true); }
end
```
I want something like that, can you please help me to achieve it?
Many Thanks
This code works, but I'm not sure this is the best approach:
```
rule "Specific Logs"
when
has_field("message") && contains(lowercase(to_string($message.message)), "critical")
then
let msg = lowercase(to_string($message.message));
set_field("has_critical", true);
end
when
has_field("message") && contains(lowercase(to_string($message.message)), "emergency")
then
let msg = lowercase(to_string($message.message));
set_field("has_emergency", true);
end
when
has_field("message") && contains(lowercase(to_string($message.message)), "warning")
then
let msg = lowercase(to_string($message.message));
set_field("has_warning", true);
end
when
has_field("message") && contains(lowercase(to_string($message.message)), "alert")
then
let msg = lowercase(to_string($message.message));
set_field("has_alert", true);
end
when
has_field("message") && contains(lowercase(to_string($message.message)), "error")
then
let msg = lowercase(to_string($message.message));
set_field("has_error", true);
end
```
This code works for me!
```
rule "Detect Specific Keywords In Message"
when
has_field("message") &&
(
contains(lowercase(to_string($message.message)), "error") ||
contains(lowercase(to_string($message.message)), "alert") ||
contains(lowercase(to_string($message.message)), "warning") ||
contains(lowercase(to_string($message.message)), "emergency") ||
contains(lowercase(to_string($message.message)), "critical")
)
then
let msg = lowercase(to_string($message.message));
set_field("has_error", contains(msg, "error"));
set_field("has_alert", contains(msg, "alert"));
set_field("has_warning", contains(msg, "warning"));
set_field("has_emergency", contains(msg, "emergency"));
set_field("has_critical", contains(msg, "critical"));
end
```
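To make the end-to-end logic of the thread visible outside Graylog, here is an added Python example (not code from the thread or from Graylog) that emulates what the final pipeline rule does to each message and what the "group by source, count each severity" data table then produces. The sample messages are constructed so that the counts come out identical to the example table in the original post; the source IPs, the messages and the function names are all assumptions for illustration.

```python
"""Emulate the 'Detect Specific Keywords In Message' pipeline rule and the
per-source dashboard table asked for in the thread (added example, not
Graylog code)."""
from collections import defaultdict

# Keywords the final pipeline rule looks for (case-insensitive substring match).
KEYWORDS = ("error", "alert", "warning", "emergency", "critical")
# Columns of the table the original post asked for.
TABLE_COLUMNS = ("critical", "emergency", "warning")

# Constructed sample messages as (source, message) pairs. Chosen so that the
# resulting table matches the example in the original post.
SAMPLE_LOGS = [
    ("10.0.0.1", "kernel: CRITICAL temperature threshold exceeded"),
    ("10.0.0.1", "CRITICAL: disk /dev/sda1 is 98% full"),
    ("10.0.0.1", "EMERGENCY: system is going down for maintenance"),
    ("10.0.0.1", "warning: ntp drift 120ms"),
    ("10.0.0.1", "Warning: certificate expires in 7 days"),
    ("10.0.0.1", "sshd: warning: too many authentication failures"),
    ("10.0.0.1", "WARNING: swap usage high"),
    ("10.0.0.2", "warning: config reloaded with deprecated option"),
    ("10.0.0.2", "cron: Warning: job overran"),
    ("10.0.0.2", "nginx: warning: upstream slow"),
    ("10.0.0.2", "systemd: started session 42"),
]


def detect_keywords(message):
    """Mirror the rule: return the has_<keyword> fields it would set.

    Because of the 'when' guard, a message containing none of the keywords
    gets no fields at all; a message containing at least one gets all five,
    each true or false (exactly what the set_field calls in the rule do).
    """
    msg = str(message).lower()
    if not any(k in msg for k in KEYWORDS):
        return {}
    return {f"has_{k}": (k in msg) for k in KEYWORDS}


def aggregate_by_source(logs, columns=TABLE_COLUMNS):
    """Group by source and count messages whose has_<column> field is true.

    'total' is the sum of the other columns, as in the asked-for table, so a
    message that mentions two of the keywords is counted once per column.
    """
    table = defaultdict(lambda: {**{c: 0 for c in columns}, "total": 0})
    for source, message in logs:
        row = table[source]            # creates an all-zero row on first sight
        fields = detect_keywords(message)
        for c in columns:
            if fields.get(f"has_{c}"):  # only true values count
                row[c] += 1
                row["total"] += 1
    return dict(table)


def render_markdown(table, columns=TABLE_COLUMNS):
    """Render the aggregated table in the same layout as the original post."""
    header = "| source | " + " | ".join(columns) + " | total |"
    separator = "|" + "---|" * (len(columns) + 2)
    lines = [header, separator]
    for source in sorted(table):
        row = table[source]
        cells = [str(row[c]) for c in columns] + [str(row["total"])]
        lines.append(f"| {source} | " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(aggregate_by_source(SAMPLE_LOGS)))
```

Two things the emulation makes explicit: the rule writes `false` as well as `true` for every keyword once any keyword matches, so `aggregate_by_source` counts only `true` values; if the dashboard metric counts the presence of the field rather than its value, those `false` values would be counted too, and a rule that only sets the field when the keyword is present avoids that. Also, `contains` is a plain substring test, so a message such as "critical error" lands in two keyword fields, and the `total` column is then the sum of the columns rather than the number of distinct messages.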
Sorry for the late reply @kerberos2023, that looks great. Nice work persevering with it.