Query against float value, getting all results not just queried

Graylog Central (peer support)
1

I am logging disk utilization as a decimal representation of a percentage of 1. Right now, a disk I’m monitoring is at 79%, so it comes in as 0.79. (I’m pretty sure it’s numeric and stored as float: how can I confirm? It doesn’t have quotes in the incoming “message” json)

I’d like to chart a trend of nightly spikes of 90%, and the name of the application is sysmetrics, so I:

Query: application_name:sysmetrics details_disksda3percent:>0.85

However, what results is all the data points:

all%20the%20data

instead of just the spikes. Any ideas what I’m doing wrong? (Also a tip on the data type: Fwiw, when I create an Alert on this field contents, I am not given gt as an option, only exact match: Maybe that’s an indicator that it’s a string value?)

2

Yes.

You have to check the Elasticsearch index mapping for that field:
https://www.elastic.co/guide/en/elasticsearch/guide/2.x/mapping.html
https://www.elastic.co/guide/en/elasticsearch/reference/5.6/indices-get-mapping.html

I’d also recommend creating a custom Elasticsearch index template for your messages:
http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings

3

Query: application_name:sysmetrics details_disksda3percent:>0.85

You should Query like

application_name:sysmetrics AND details_disksda3percent:>0.85
4

Shoot… You’re right @jan! Hopefully it was just a copy/paste error on my part, but maybe not - - good catch!

5

Thanks @jochen. You’re right:

          "details_disksda3percent" : {
            "type" : "keyword"
          },

Looks like most of all of my mappings are “keyword” with a couple exceptions that I initiated the index with of long. :frowning: I’m off to learn about re-mapping. I think Elasticsearch indices cannot be changed and that one is better off starting a new index? …

6

(Largely) correct. The mapping of an existing index can only be changed in a compatible manner (e. g. long to double), which pretty much restricts the possibilities.

I’d recommend starting new indices.

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.