Graylog query is apparently not supporting Natty. Is it a bug?


(Eric Duault) #1

I need to define a time frame each month in the alarm configuration; for example, the number of messages from the 1st of the month to the 18th of the month must be greater than 10000.
Therefore, I want to be able to use this criterion in Natty language: "1st last month to 18th last month" in the query string of an alarm (using the Conditional Counting Alert Condition Plugin).

So I first tried to use Natty language in the query field on the search page, but it didn’t work.
Is it impossible? Or am I writing the query string incorrectly?

I tried those queries, but they’re not working:
timestamp:"1st this month to 18th this month"
timestamp:["1st this month" TO "18th this month"]

It is strange, because those searches are working:
"1st last month to 18th last month" as a keyword
timestamp:["2018-09-01 00:00:00.000" TO "2018-09-18 00:00:00.000"] in the query field


I got those errors displayed in the search screen during my tests:

Error Message:
Unable to perform search query failed to parse date field [1st this month] with format [yyyy-MM-dd HH:mm:ss.SSS]failed to parse date field [1st this month] with format [yyyy-MM-dd HH:mm:ss.SSS]
Details:
failed to parse date field [1st this month] with format [yyyy-MM-dd HH:mm:ss.SSS]

and

Error Message:
Unable to perform search query failed to parse date field [1st this month to 18 this month] with format [yyyy-MM-dd HH:mm:ss.SSS]failed to parse date field [1st this month to 18 this month] with format [yyyy-MM-dd HH:mm:ss.SSS]
Details:
failed to parse date field [1st this month to 18 this month] with format [yyyy-MM-dd HH:mm:ss.SSS]


I’m using Graylog 2.4.6.


(Jan Doberstein) #2

What you are trying is not possible.

Just open a feature request and it might work in the future: https://github.com/Graylog2/graylog2-server/issues

The other option would be to write yourself an alert plugin that is capable of doing the query.
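
A workaround sketch for the thread above, added here as an example that is not part of any post and is not Graylog or plugin code: because the query field only accepts absolute timestamps in the yyyy-MM-dd HH:mm:ss.SSS format named in the error message, a script can compute the monthly window and emit the range query that the first post reports as working. The function names are hypothetical, and treating the bounds as UTC is an assumption.

```python
from datetime import datetime, timezone


def fmt(dt):
    """Render a datetime as yyyy-MM-dd HH:mm:ss.SSS (format from the error message)."""
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


def shift_month(year, month, offset):
    """Return (year, month) moved by `offset` months, handling year rollover."""
    index = year * 12 + (month - 1) + offset
    return index // 12, index % 12 + 1


def month_window_query(first_day, last_day, month_offset=0, now=None,
                       through_end_of_day=False, field="timestamp"):
    """Build an absolute range query for first_day..last_day of one month.

    month_offset=0 means this month, -1 means last month.
    By default the upper bound is midnight at the start of last_day, like the
    working query in the post; through_end_of_day=True moves it to 23:59:59.999.
    """
    now = now or datetime.now(timezone.utc)  # assumption: bounds are UTC
    year, month = shift_month(now.year, now.month, month_offset)
    # datetime() raises ValueError for a day the month lacks (e.g. 30 February)
    start = datetime(year, month, first_day)
    if through_end_of_day:
        end = datetime(year, month, last_day, 23, 59, 59, 999000)
    else:
        end = datetime(year, month, last_day)
    if end < start:
        raise ValueError("last_day must not be before first_day")
    return f'{field}:["{fmt(start)}" TO "{fmt(end)}"]'


if __name__ == "__main__":
    # Constructed "current" date so the output matches the query in the post
    print(month_window_query(1, 18, month_offset=-1, now=datetime(2018, 10, 5)))
```

The generated string can be pasted into the query field or written into the alert condition by a scheduled job at the start of each month.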

