Searching for Numbers

I’m attempting to write a very simple query.

I want to know when a disk is greater than 80% full. We have metricbeat reporting system.filesystem values and used_pct reports a disk used percentage per disk mount. Perfect.

However I can’t seem to query this used_pct number. It’s reported as a Float(long) but if I try to search for it using used_pct:>0.8 I get no results (we do have logs with values above 0.8). It appears that the search doesn’t understand anything but 0 and 1, it seems to be treating the used_pct value as an integer. I can do searches of >0 and <1 which return all logs. There’s nothing in the Graylog documentation or the Lucene documentation about specifically defining a number type in the query.

I don’t really want to write a pipeline for these as we get these logs every few seconds and it’ll add a lot of processing to something that should work with none.

What am I missing? (Graylog 3.3)

  1. Your Graylog version is very, very old. I suggest an update.
  2. I guess your metricbeat stores the values in a separate field. Can you find out the type of that field? Is it a keyword, string, double, …? You might need to change that. You can see the type with a click on the name of the field, not the value, on the top of the menu. To change the type you should have a look here

Hi, our version of Graylog is only a couple of years old, we can’t update due to the change in licensing conditions in v4 and 5. We run IT as managed services for various companies and the latest licence places a lot of requirements on us if we do that.

As stated in the opening post the field type is Float(long), which is correct.
