Selecting sources for aggregation in 3.2.4

Hi All,

I’m having a hard time understanding how source selection works. Right now, I’m after the most basic chart: the number of messages coming in from servers connected. However, I’d like to limit the chart to just show me N, say 5, noisiest servers.
By default the graph tries to show all (or a majority), but with 50+ servers the graph becomes incomprehensible. I’ve seen Sources Tab in Graylog 3.2.1 thread and I thought that’s the answer, but my aggregation behaves not as expected.
To illustrate, if I choose a single source, that indeed shows me just the noisiest single server.
However, if I increase the sources number to “2”, the server list jumps to 18 and the selection seems random:

So, my questions are:

  1. What’s up with selecting sources this way? Is what I’m seeing expected?
  2. What’s the recommended way to limit the data sources taken into account, if I want to always display 5 or 10 noisiest servers for a given search over a time period?

Regards,
Mike

ps. We’re seeing this on Graylog 3.2.4+a407287 (AdoptOpenJDK 11.0.6 on Linux 5.3.0-40-generic) / Ubuntu 18.04.4 LTS; filebeat is the main source of data into Graylog.

Hey @coderamblings,

thanks for your post, let me explain the underlying logic.

The column field configuration “Number of values” relates to each row pivot. For example:

  • The “Number of values” for the column field source is 2
  • The two sources with the highest amount of messages for timestamp X are A and B
  • The two sources with the highest amount of messages for timestamp Y are B and C

In this case the chart legend will contain the sources A, B and C.

We understand that we can clarify this configuration option. There is currently no way to limit the total amount of all categories displayed in a chart, but we plan to add this feature.

Best regards,
Linus

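The per-row-pivot limit described in the reply above, simulated as an added example (not part of the original posts and not Graylog code). The source names and counts are constructed; it compares the legend produced by a per-bucket top N with one produced by a top N over totals for the whole range.

```python
from collections import Counter

# Constructed sample: message counts per source for each time bucket (row pivot).
BUCKETS = {
    "10:00": {"web01": 900, "db01": 700, "app01": 300, "mail01": 50},
    "10:05": {"web01": 850, "app01": 750, "db01": 200, "mail01": 40},
    "10:10": {"web01": 950, "mail01": 600, "db01": 100, "app01": 90},
}


def top_n(counts, n):
    """Return the n sources with the highest counts, ties broken by name."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [source for source, _ in ranked[:n]]


def legend_per_bucket(buckets, n):
    """Limit applied per row pivot: the legend is the union of each bucket's top n."""
    legend = set()
    for counts in buckets.values():
        legend.update(top_n(counts, n))
    return sorted(legend)


def legend_global(buckets, n):
    """Limit applied to totals over the whole time range (hypothetical behaviour)."""
    totals = Counter()
    for counts in buckets.values():
        totals.update(counts)
    return sorted(top_n(totals, n))


def series_limited_to(buckets, keep):
    """Chart data restricted to a fixed set of sources, bucket by bucket."""
    return {
        ts: {src: cnt for src, cnt in counts.items() if src in keep}
        for ts, counts in buckets.items()
    }


if __name__ == "__main__":
    for n in (1, 2):
        print(n, "per bucket:", legend_per_bucket(BUCKETS, n))
        print(n, "global:    ", legend_global(BUCKETS, n))
    print(series_limited_to(BUCKETS, legend_global(BUCKETS, 2)))
```

With one value per bucket the same source wins every bucket, so the legend has one entry; with two, the runner-up differs per bucket and the legend grows to four.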

I see. Thanks for the explanation!
