Question on stacked graphs

Hi there,

I am looking for a way to create a stacked graph with two metrics, a count of ‘A’ and a count of ‘B’, similar to a histogram but with two values (one from each search).
I can see from the docs that I can create field graphs from a numerical value and combine two field graphs to make a stack graph (this works fine for numerical values).
What I would like is to create the same but from two searches, I don’t think this is currently possible.
Right now I am looking to workaround this through rsyslog/logstash (which I use to feed graylog) so that logs containing ‘A’ or ‘B’ in the messages get an additional numerical field ‘contains_A’ -> 1 ‘contains_B’ -> 1, which I can then use in graylog dashboards to create my two field graphs and combine them into a stacked graph.

Is this the only way for now, or is there some other way I am missing out?
thanks
azul

Hi @Azul,

I am not 100% sure I understood what you want to achieve, but from what I understood I would recommend upgrading to 3.2, where you would do something like this:

As you can see, I add two metrics here. One with cardinality of action and another of maximum of took_ms.

Is it something like this you were going for?

But I have to warn you that it may have other limitations. You cannot stack two different types of graphs like Line and Bar.

Best regards,
Konrad

Hi @konrad,
nice example, but I didn’t find documentation of metrics in the docs, like the function card(). How can I properly use this function?

How about other functions?

stddev()
sumofsquares()
variance()
percentile()

It would be great to have better documentation of widgets and all their functions. Please consider updating the documentation, and creating a webinar or some cookbooks.
Thanks.

Hey @shoothub,

the first steps towards better documentation have already been taken.
https://docs.graylog.org/en/3.2/pages/searching/widgets.html

The meanings of the functions are still missing, but you can have a look at the elasticsearch docs for that until we have something: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics.html

I hope that helps.

Konrad

Hi @konrad,

Thanks I will check them.

Thanks Konrad,

I was on 3.1 and just upgraded to 3.2, wow that’s quite a UI improvement there.
I had a go at those new dashboards but looking at your example, I don’t think it still does what I’m trying to achieve.

I simply want to add a count() of two different ES queries onto the same dashboard/graph.

This is just an ugly example of how I’m working around this,
in logstash,

      # query for errors/exceptions....
      # and add a numerical value that we can use to map in graylog
      if [syslog_message] =~ /(?i)error|(?i)exception|(?i)fail|(?i)abort/ {
        mutate {
          add_field => { "contains_error" => 1 }
        }
      } else {
        mutate {
          add_field => { "no_error" => 1 }
        }
      }

and then on graylog I built a dashboard using those two new fields,

Hey @Azulinho

the mentioned adding of a field is how I would do that in Graylog. With the processing pipelines.

That is by far the best solution, and in the end it also saves CPU cycles while showing the graph.
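As an added example (not from this thread, and not code from the Graylog project), here is the same flagging done as Graylog processing pipeline rules, the approach Jan suggests above. It assumes the log text sits in the standard `message` field and that the rules are attached to a stage on the stream being graphed; pipeline rules have no else branch, so the "no error" case is a second rule with the negated condition.

```graylog
// Rule 1: flag messages that mention an error-like keyword.
// set_field writes the value as a number, so the field can be used
// directly in a field graph and stacked with the second one.
rule "flag error messages"
when
    has_field("message") &&
    regex("(?i)(error|exception|fail|abort)", to_string($message.message)).matches == true
then
    set_field("contains_error", 1);
end

// Rule 2: the complementary case. Pipeline rules cannot express
// "else", so the negated match is a separate rule in the same stage.
rule "flag messages without errors"
when
    has_field("message") &&
    regex("(?i)(error|exception|fail|abort)", to_string($message.message)).matches == false
then
    set_field("no_error", 1);
end
```

Both rules must be in the same pipeline stage so every message gets exactly one of the two fields; a message missing the `message` field gets neither.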

Thanks Jan,

Heads up, I’m using logstash instead of graylog for the parsing and munging of my logs, mostly as I haven’t found a straightforward way to define all my graylog pipelines in code.
So instead I use the helm/stable/charts for logstash, graylog and friends. The logstash chart allows for defining the pipelines and grok patterns in code easily.
Maybe a ticket for the backlog? Support for defining graylog objects through a helm chart would be awesome.

Hi @Azulinho
If you use ansible, you can use this nice ansible module from ReconInfosec to create pipelines and rules from a playbook.

thanks @shoothub I might actually look into wrapping these into an init container and PR it to the helm chart upstream

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.