Graylog aggregation that shows message time delta from last message


I am from a small company that does dog trackers that use GSM as communication.
The dog trackers send a packet every defined amount of time, and we need a way to check if the device firmware is doing what it is told to do.

I want to create an aggregation that shows time in seconds from the last packet in the graph.
Every message has device IMEI so device messages would be categorized by it.

I found one topic on this kind of problem, from 2017, that suggested using the REST API to get the data and then calculate on it, but I would like to show the time delta in a graph in the Graylog dashboard.

Graylog version: Graylog 4.1.1+27dec96

Best regards
Karl Erik Mander


I grouped timestamp with device IMEI and used cardinality to get a graphical view of device log count.
From there it is possible to notice bumps or holes where the device has not sent anything or sent too much.

This is the current solution that I have come up with.

Hello && Welcome

I might be able to help.

I found a couple of posts, if you're not aware of them, that might help.

As for…

Graylog 4.x has a dashboard called Source. You should be able to see your message count from each source (device). You could use that for your alerts or graphs on the amount of data received. This would all depend on how you configured/installed your environment.

EDIT: Below I did a quick widget mockup. I added Group By source. Then added Metrics Count w/ field gl2_accounted_message_size. Basically the Default widget on Graylog’s Dashboard called Sources. As you can see it shows my sources (devices) and how many messages are within one hour. This helps keep an eye on the average amount of messages per hour. You can always modify it further.

Thank you for your response.

The message size is not important to us because the log size can vary but the count of the messages is needed.
I have created the following setup for finding disturbances in what should be a linear graph of device sending intervals.

This way the blue graph shows that the device with censored IMEI is currently sending with a fixed time interval until a point that is circled with red.
The other devices have only one point or more depending on their defined information packet interval.

I hope this kind of “hack” helps somebody with a similar issue.

Thank you!

Thanks for sharing your configuration. I also tested this in the lab and it works well. :)
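The per-device time delta asked about in the first post can also be computed outside Graylog over exported messages. The following is an added example, not part of any post in this thread; the field names `timestamp` and `imei`, the sample messages, and the per-device expected intervals are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample messages (not real device data). The field names
# "timestamp" and "imei" are assumptions about how the logs are parsed.
SAMPLE = [
    {"timestamp": "2021-07-20T10:00:00.000Z", "imei": "IMEI-A"},
    {"timestamp": "2021-07-20T10:01:00.000Z", "imei": "IMEI-A"},
    {"timestamp": "2021-07-20T10:00:30.000Z", "imei": "IMEI-B"},
    {"timestamp": "2021-07-20T10:02:00.000Z", "imei": "IMEI-A"},
    {"timestamp": "2021-07-20T10:05:00.000Z", "imei": "IMEI-A"},  # 180 s hole
    {"timestamp": "2021-07-20T10:05:02.000Z", "imei": "IMEI-A"},  # 2 s burst
    {"timestamp": "2021-07-20T10:05:30.000Z", "imei": "IMEI-B"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with milliseconds and a trailing Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def packet_deltas(messages):
    """Return {imei: [(timestamp, seconds_since_previous_packet), ...]}."""
    by_device = defaultdict(list)
    for msg in messages:
        by_device[msg["imei"]].append(parse_ts(msg["timestamp"]))
    deltas = {}
    for imei, stamps in by_device.items():
        stamps.sort()  # messages may be exported out of order
        deltas[imei] = [(cur, (cur - prev).total_seconds())
                        for prev, cur in zip(stamps, stamps[1:])]
    return deltas

def find_anomalies(messages, expected, tolerance=0.25):
    """Flag deltas outside expected[imei] * (1 +/- tolerance)."""
    findings = []
    for imei, rows in packet_deltas(messages).items():
        interval = expected.get(imei)
        if interval is None:
            continue  # no configured interval, nothing to compare against
        for ts, delta in rows:
            if delta > interval * (1 + tolerance):
                findings.append((imei, ts.isoformat(), delta, "hole"))
            elif delta < interval * (1 - tolerance):
                findings.append((imei, ts.isoformat(), delta, "burst"))
    return findings

if __name__ == "__main__":
    for row in find_anomalies(SAMPLE, {"IMEI-A": 60, "IMEI-B": 300}):
        print(row)
```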
