How can I create a dashboard where I have 2 different sources (source X and source Y) that only show if their IP field values are the same?
Maybe I need more coffee but I'm confused, if you have two different sources with the same IP address?
I have source server1 and source server2… the 2 have the IP field, I would like it to show only if the value of the IP field of source server1 and server2 are the same.
I don’t think Graylog has the concept of strings or ip values being “same”. You can evaluate numbers, and you can match string or IP values you already know, but you can’t set it to look at two source_ip fields, for example, and tell you if the IP is the same or NOT same.
Now that I’m thinking about it, you might be able to create a dynamic lookup table storing the source address from each message, then check new incoming messages against that table. It’s officially called the MongoDB Data Lookup Adapter, but it provides you with a way to store values taken from logs and compare those values against the values of new messages coming in.
Using the lookup table, if the source address matches, create a new field called “ipmatch” with a value of “true”. Then you can set your dashboard to only display logs with or without that field:
blah AND blah OR blah AND exists:ipmatch OR NOT exists:ipmatch OR ipmatch:true OR ipmatch:false
I included all combinations for demonstration purposes. Pick the one that makes sense for you.
However, dynamic lookup tables are an enterprise feature, so if you’re FOSS, it won’t be available to you unless your volume is under 2GB. If so, you can use the free small business edition, which does have the enterprise features like dynamic lookup tables.
BTW, if you don’t mind me asking, what are you trying to achieve? What will an appearance on that dashboard tell you?
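As an added illustration of the approach described in the replies above (not code from the thread or from Graylog's docs), here are two pipeline rules that remember the `ip` field of server1 messages in a dynamic lookup table and flag server2 messages whose `ip` matches. Assumptions: the source field is `source`, the IP field is `ip`, the lookup table is named `seen_ips` and is backed by the enterprise MongoDB data adapter, and `lookup_set_value` is the enterprise write function for that adapter.

```graylog
// Rule 1: remember every ip value seen in a server1 message.
// Assumed: lookup table "seen_ips" backed by the enterprise MongoDB data adapter,
// and lookup_set_value(table, key, value) as its write function.
rule "remember server1 ips"
when
  has_field("ip") && to_string($message.source) == "server1"
then
  // key = the IP string, value = which source we saw it from
  lookup_set_value("seen_ips", to_string($message.ip), "server1");
end

// Rule 2: flag a server2 message when its ip was already seen from server1.
// lookup_value returns the stored value, or the default "none" when the key is absent.
rule "flag ip match"
when
  has_field("ip") && to_string($message.source) == "server2" &&
  to_string(lookup_value("seen_ips", to_string($message.ip), "none")) == "server1"
then
  set_field("ipmatch", true);
end
```

The dashboard widget then uses the query `ipmatch:true`; a server2 message that arrives before the matching server1 message is not flagged, since the table is only populated as server1 messages pass through rule 1.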