Manipulate count() metrics

Hi there.
On my authentication infrastructure, I use a freeradius server, that sends authentication (login OK and login fail) messages to my graylog.
I created an extractor that extracts the username from each message.
But the question is when the user failed login, 3 (equal) messages are sent, and with default metric count() will show (on dashboard e.g.) 3 failed logins, when actually the user only fail one time. There is a possibility of creating or manipulate a metric that, e.g. If username login fails and message timestamp is the same (or up to 5 seconds), then cont=1?
Thank you in advance for your help and support!

he @marcosta2587

you might want to check if those log messages are created 3 time or if that is a failure.

Depending on your Graylog version you might want to use the aggregation feature of the alerts and events section to create one unique event based on that three logs and make use of that in your dashboard.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.