I just got a question I couldn’t answer: If I do a search on something that is an indicator, and then also something that is a real issue, for example:
message: “indicator” OR message: “problem”
I get a nice histogram as usual, but the user wants to highlight the different search criteria in different colours in the histogram, to see if the indicator overlaps with the problem over time.
Is that possible in Graylog?
The standard search histogram seems to be mono-coloured (but I wouldn’t know for sure).
Yyyy…I think so. Sort of. You want to click the message field in the left panel (where it lists all fields), then do a “quick values”. It should show you a pie chart with messages; if you then click on… I think… “customise”, there is an option to show it as a histogram. It should show you the time on the X axis with stacked values for both types of message.
Yes, you can do this based on, for instance, “source”, but the user wanted to do this specifically for the different matches of the “message” search values, and that is blocked in the UI:
“Analysis features for this field have been disabled by the administrator.”
Osnap, I missed that… actually, if the customer really wants it, you could throw a pipeline rule/extractor/something on it that extracts the “type” of an event (e.g. indicator or problem) and stores that particular bit of info in a new field; then you can do the graph over that particular field.
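As an added worked example (not from the original thread), here is what the pipeline approach from the reply above looks like as Graylog pipeline rules. The field name `event_type` and the two match strings are assumptions taken from the question; adjust them to the real search terms.

```graylog
// Added example, not from the original post. Tags each message with an
// assumed field "event_type" so the analysis widgets can be run on that
// field instead of on the locked "message" field.

// Stage 0: messages mentioning the indicator (case-insensitive match)
rule "tag event type: indicator"
when
  has_field("message") &&
  contains(to_string($message.message), "indicator", true)
then
  set_field("event_type", "indicator");
end

// Stage 1 (higher stage number, so it runs after the rule above):
// messages describing the real problem. A message that contains both
// strings therefore ends up as "problem", which is the deliberate choice
// here; swap the stage order if the indicator should win instead.
rule "tag event type: problem"
when
  has_field("message") &&
  contains(to_string($message.message), "problem", true)
then
  set_field("event_type", "problem");
end
```

Attach both rules to a pipeline connected to the stream (one rule per stage, stage 0 and stage 1, so the ordering above is explicit rather than left to rule order within a single stage). After that, search `event_type:indicator OR event_type:problem` and use “quick values” on `event_type`; the stacked histogram then shows the two colours over time. Two caveats a practitioner would want: the rules only tag messages that arrive after the pipeline is enabled (existing messages are not re-processed), and `contains` is a substring test, so choose the strings so they do not match unrelated text.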