Multi(-message) search --> multi-colour in the search histogram?


#1

Hi,

I just got a question I couldn’t answer: If I do a search on something that’s is a indicator, and then also something that is a real issue, example:

message: “indicator” OR message: “problem”

I get a nice histogram as usual, but the user wants to highlight the different search criteria in different colours in the histogram, to see if the indicator overlaps with the problem over time.

Is that possible in Graylog?
The standard search histogram seems to be mono-colour (but I wouldn’t know for sure)


(Tess) #2

As far as I know, this is definitely not possible.


(Ben van Staveren) #3

Yyyy…I think so. Sort of. You want to click the message field in the left panel (where it lists all fields), then do a “quick values” - it should show you a pie chart with messages, if you then click on… I think… customise there is an option to show it as histogram. It should show you the time on the X axis with stacked values for both types of message.

I think.


(Tess) #4

Rrreeeaaaalllyyy???

Huh! Now I wanna check that out! Darn me for not having a Graylog testbed at home…


#5

Yes, I you do this based on for instance “source”, but the user wanted to do this specifically for the different matching of “message” search values, and that is blocked in the UI.

“Analysis features for this field have been disabled by the administrator.”

It seems like it’s disabled for a good reason.
(https://github.com/Graylog2/graylog2-server/pull/4175)


(Ben van Staveren) #6

Osnap I missed that… actually if the customer really wants it, you could throw a pipeline rule/extractor/something on it that extracts the “type” of an event (e.g. indicator or problem) out and stores that particular bit of info in a new field, then you can do the graph over that particular field.


(system) closed #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.