On Graylog 5.0, Assume my log have two fields that are field_A and field_B, I want to create an event that detect the incoming message under 1 hours that the field_A has more than distinct values on these message. And I want to show the list of variant of field_B for distint field_A on the event.
On Filter & Aggregation of Event Definition, When I use the “aggregation of the results reaches a threshold”. Then group it by field_A and cardinality with filed_B it will show only groupby_fileds (field_A) and thier threshold.
If I use the “Filter has results”, it will show a lot of event against the original message.
How can I create the event that show both distinct field_A and varaint of field_B on one event?
I think you can not print a list of all values which happened in one field on your event message.
As an example
Message 1: field_1:a, field_2:a
Message 2: field_1:a, field_2:b
you want your event to contain field_1:a, field_2:(a, b)
correct?
As long as there is only a unique mesage, or a “group by field” you can add fields from your message in the “fields” tab into your message. But it needs to be unique - which is only the case if you have one message or a group by.
