Group other values in separate bucket

Hi!

When using aggregation, I just do not find any way to display the “real” data, as data above the “Limit” is dropped.

Example:
If I visualize netflow data, I have to set up a “row limit” for top sources, e.g. 10. These 10 values are “100%” although they represent only 80% of my data.
→ the “other” sources should be covered by a separate row.

Kibana calls that “Group other values in separate bucket”. Is there any possibility to show one row for “other” values?

Thank you for your help!
KPS

Hello,

Not sure what you mean by “real” data. Could you explain this in greater detail?

When you’re referring to “Group other values in separate bucket”, could you show an example of what you want, and which version of GL you are using?

Hi!

I am using Graylog 4.1.5

I just want to show an “extreme” example:

Take netflow data while a DDOS attack is running.

→ Hosts 1-10 (regular hosts) sent 10 MB each
→ Hosts 11-1010 (attackers) sent 1 MB each

Graylog Pie Diagram with “limit 5” is showing:
20% host1, 20% host2, 20% host3, 20% host4, 20% host5
→ I assume, everything is o.k.

correct would be:

1% host1, <1% host2, <1% host3, <1% host4, <1% host5, 99% “others”
→ the DDoS is visible → the graph shows the “real” bandwidth distribution.
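To make the difference between the two behaviours concrete, here is an added example (not from the thread, not Graylog code) in Python. It aggregates bytes per source over a constructed netflow-like sample shaped like the scenario above (10 regular hosts at 10 MB each, 1000 attackers at 1 MB each), once with a plain row limit that computes shares over the kept rows only, and once with the rows beyond the limit folded into an “others” bucket. The record field names `src` and `bytes` and the sample addresses are assumptions for the example.

```python
from collections import Counter

# Constructed sample (not real netflow data): 10 regular hosts sending 10 MB
# each, 1000 attackers sending 1 MB each, modelled after the scenario above.
def build_ddos_sample():
    records = []
    for i in range(1, 11):
        records.append({"src": f"192.0.2.{i}", "bytes": 10_000_000})
    for i in range(1000):
        records.append({"src": f"10.{i >> 8}.{i & 255}.9", "bytes": 1_000_000})
    return records


def sum_by_source(records, key="src", value="bytes"):
    """Total the value field per key, highest first (ties keep insertion order)."""
    totals = Counter()
    for rec in records:
        totals[rec[key]] += rec[value]
    return totals.most_common()


def top_n_truncated(records, n):
    """What a bare row limit does: keep the top n rows and compute each share
    over the kept rows only, so the kept rows always sum to 100%."""
    top = sum_by_source(records)[:n]
    kept_total = sum(v for _, v in top)
    return [(src, v, v / kept_total) for src, v in top]


def top_n_with_others(records, n, other_label="others"):
    """Keep the top n rows, fold everything past the limit into one 'others'
    row, and compute every share over the grand total of all records."""
    ranked = sum_by_source(records)
    grand_total = sum(v for _, v in ranked)
    top = ranked[:n]
    rest = sum(v for _, v in ranked[n:])
    rows = [(src, v, v / grand_total) for src, v in top]
    if rest:
        rows.append((other_label, rest, rest / grand_total))
    return rows


def render(rows):
    return "\n".join(f"{src:>16}  {v:>13,d} B  {share:7.2%}" for src, v, share in rows)


if __name__ == "__main__":
    sample = build_ddos_sample()
    print("row limit 5, no others bucket:")
    print(render(top_n_truncated(sample, 5)))
    print("\nrow limit 5 with others bucket:")
    print(render(top_n_with_others(sample, 5)))
```

With the plain limit every one of the five kept hosts shows 20%, exactly as described in the post; with the “others” row each regular host drops to about 0.9% of the grand total and the attackers' combined traffic shows up as roughly 95% of it, which is the picture that makes the attack visible.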