I am trying to create a chart with the average response times when I do Quick Values I don’t see anything that would be wrong.
Chances are that your values are stored as strings - Elasticsearch has this habit at times to not auto-detect the type of field data properly, and Graylog doesn’t really attempt it either because how would it know.
Solution: set up a pipeline for that stream, and use one of the to_float/to_double/to_etcetcetc. functions to ensure the field is stored numerically. You’ll keep having NaN for a while in the mean value (depending on time range) until all data points inside the time range are numeric, after which it’ll start working.
I was actually thinking that myself so I created a rule
rule "requestTimeInMillis to number"
when
has_field("requestTimeInMillis")
then
let millis = to_double($message.requestTimeInMillis);
remove_field("requestTimeInMillis");
set_field("requestTimeInMillis", millis);
end
And attached it to the pipeline.
I wonder if there is a way to check the type of the field somehow
Eaaahhhmm… there may be but you’d have to talk to Elasticsearch directly and request the index mapping, see if it comes out right. I think…
1 Like
I take it Graylog does not have a facility to override it.
It looks like it is stored as keyword
/graylog_0/_mapping?pretty
{
"graylog_0" : {
"mappings" : {
"message" : {
"dynamic_templates" : [
{
"internal_fields" : {
"match" : "gl2_*",
"mapping" : {
"type" : "keyword"
}
}
},
{
"store_generic" : {
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
}
],
"properties" : {
...
"requestTimeInMillis" : {
"type" : "keyword"
},
"response" : {I’m trying to check if “_reindex” can be used.
I wonder if numeric_detection as documented here is enabled in GrayLog https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-field-mapping.html#numeric-detection
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.