Extracted number from syslog message unusable

(OVA Graylog v2.4.3+2c41897)

Hi,

I’m trying to display values (cpu) throught an extractor from a syslog message in order to display it on a chart.
The extractor seems to works fine : I can get the cpu value with the extractor, and the value is well displayed as a field on my stream.
But when I try to display it on a chart (value max, min, mean …), the value is always zéro.
When I display the statistics of my extracted field, the displayed values are “Nan” (except total & cardinality)

It look like my my extracted field value is not seen as a number.
I have tried with the extractors substring, regexp (both with number conversion) and grok, with the same result.

Any idea about how I can display this extracted value ?
Thanks

Folowing due to simular problem.

is the value a single number that is saved in one field? The statistical function/display is only available if the value is saved as number.

You could force the field with the extracted field as number via elasticsearch index template: http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings

Yes, the field is a single number.
The value is currently extracted using a regexp extractor, then converted to a numeric value using the extractor option.

is that also saved as a number in Elasticsearch? Because if the dynamic mapping it might be saved as a string. ( https://www.elastic.co/guide/en/elasticsearch/guide/2.x/dynamic-mapping.html ).

To correct that, rotate your index and/or create a custom mapping forcing that field to be a number

http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings

Thank you.
It’s working by forcing the type to integer over a custom mapping of the field in Elasticsearch.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.