I've got messages with IDs. Let's say the ID is “1234”.
This message includes a username, let's use “testuser123”.
Another message has the above ID and a filename, let's use “testfile123.txt”.
I want to create a Dashboard Aggregation (Datatable) with fields:
ID Username Filename
Every field is searchable on its own.
If I use the query “source:testsystem123 AND _exists_:ID AND (_exists_:filename OR _exists_:username)” (the query for exists has the underscore before and after “exists”)
I get results for each field.
After creating the query I add the rows to the Datatable.
With just ID and Username OR ID and Filename I get proper results.
But if I add the third row, everything is blank.
The thing is:
A message with a Username will never have the Filename included. But every message will have the ID.
If a message with a Filename occurs, there will always be another message (within some seconds) with ID and Username.
How can I create a datatable aggregation with all three rows included?
I had this happen during my widget configuration. Set my date/time greater than 5 minutes. After saving the widget to my dashboard, data came through. You may have to create two different widgets:
ID and Username
ID and Filename
You can do this through a widget, then add it to the dashboard.
Maybe something like this. Since I know the field User is in every message, I would put that first and then add the rest.
Thanks for the reply. I did the workaround with two aggregations, one with ID and Username, one with ID and Filename.
But this is uncomfortable when starting an analysis and trying to get the users who uploaded files.
//EDIT: I tried to embed more than one picture but the system won't let me (new user restriction).
These pictures showed the aggregation from “sshd_pid and SSH_User” (working) and “sshd_pid and UploadedFile” (working).
If I add the fields to the standard Search table it looks like the following:
So every occurrence of “SSH_User” will have an “sshd_pid”, the same as any occurrence of “UploadedFile” (filtered here for pid to get a proper screenshot).
I even tried with ‘(_exists_:sshd_pid AND _exists_:SSH_User) OR (_exists_:sshd_pid AND _exists_:UploadedFile)’.
I get results in the datatable when I only add “sshd_pid” and one of the others to the shown rows, but never with both (even after saving and waiting).
I tried testing this in the lab. For the Aggregation widget to work like that, I believe all the fields need to be in the same message. By chance, have you tried a pipeline?
Here was my successful test, but all fields were in each message.
I think this was what you want with your USR, PID w/ FILE?
//EDIT: This example shows a similar problem with another processing chain; the same can be applied to my problem.
I did a bit of “trial and error” yesterday and came up with the following:
Changed from extractors to pipeline processors, created the needed fields from the message in stage 0 and checked the filled values in stage 1:

rule "Check SMS_AufNr"
when
    (regex(".*Send Message:.*AufNr:.*", to_string($message.message)).matches == true OR
     regex(".*INFO: Nachricht.*AufNr:.*", to_string($message.message)).matches == true) AND
    has_field("SMS_AufNr") == false
then
    // message belongs to this chain but the extractor found no AufNr: write a placeholder
    set_field("SMS_AufNr", "-");
end

So every value is now filled and the widget will show all lines, which solved my problem.
But Graylog should show messages in a widget by default if values are missing but one is filled.
In your example all messages included the fields “level”, “action” and “destport”.
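Applying the same placeholder pattern to the SSH case from earlier in this thread, as an added example that is not from the original posts: two pipeline rules, assumed to run in a stage after the one that extracts sshd_pid, SSH_User and UploadedFile, fill whichever of the two fields a message lacks so that every message carries all three datatable columns.

```graylog
// Added example (not from the thread). Assumes sshd_pid, SSH_User and
// UploadedFile are already set by an earlier pipeline stage.

// Login message: carries the user but never a filename.
rule "Fill missing UploadedFile"
when
    has_field("sshd_pid") AND
    has_field("SSH_User") AND
    has_field("UploadedFile") == false
then
    // placeholder so the aggregation keeps this row instead of dropping it
    set_field("UploadedFile", "-");
end

// Upload message: carries the filename but never the user.
rule "Fill missing SSH_User"
when
    has_field("sshd_pid") AND
    has_field("UploadedFile") AND
    has_field("SSH_User") == false
then
    set_field("SSH_User", "-");
end
```

Each rule is created as its own rule source in Graylog and both are attached to the same stage. The datatable then shows two rows per sshd_pid (one with the user, one with the file); the placeholders make the rows visible but do not join user and filename into a single row.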