This is my first post, so hi everyone.
1. Describe your incident:
I have a very simple stream, created from data sent by ncat - no rsyslog, journald, or any other log parser:
* * * * * find /var/spool/postfix/deferred -type f | wc -l | ncat -u graylog.local 10500
It works well enough to place a single-number visualization on a dashboard. The problem is that it's a string, and I can't find an easy method to search for a particular value.
I was hoping for something like:
int(message): >15
and similar good-looking queries, but no, not even for messages whose text is clearly above 15.
Then I tried something stupid:
for i in {15..800} ; do echo -n "message: ${i} OR " ; done
and placed the output, without the last "OR", in the search dialog on the stream page. You know what? It works (so it's not stupid), not only in the plain search box above, but also as a condition in alert definitions. Without any extractor. I don't expect over 800 deferred emails, and even if that happened, it would not be instantaneous, so there would be plenty of "15 < message < 800" values in between.
You can also make it shorter with the NOT operator:
NOT (message: 0 OR message: 1 OR message: 2 OR message: 3 OR message: 4 OR message: 5 OR message: 6 OR message: 7 OR message: 8 OR message: 9 OR message: 10 OR message: 11 OR message: 12 OR message: 13 OR message: 14 OR message: 15)
2. Describe your environment:
- OS Information: Red Hat Enterprise Linux 9
- Package Version:
  graylog-datanode-6.1.3-1.x86_64
  graylog-server-6.1.3-1.x86_64
  mongodb-org-server-7.0.9-1.el9.x86_64
- Service logs, configurations, and environment variables:
  n/a
3. What steps have you already taken to try and solve the problem?
n/a
4. How can the community help?
Did any of you have similar ideas? I found a large number of questions regarding data extraction and conditions from plain message fields. So there it is. Have fun.
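The enumerated-OR trick above generalizes to a small helper that emits the query for any field and any integer range, without the trailing "OR" that the one-line loop leaves behind. This is an added example, not code from the original post; the field name "message", the range bounds and the "NOT (...)" form are taken from the post, and the function names are my own. It assumes, as the post does, that the field holds nothing but a single integer, since "message: 15" is a token match and would also hit a free-text message that merely contains the token "15".

```shell
#!/bin/sh
# Added example: build a Graylog search string that matches an integer stored
# in a plain string field by enumerating every value in a range. Range
# operators like ">15" do not apply to the text field, so the values are
# spelled out as "field: N OR field: N+1 ...". Function names are hypothetical.

# range_query FIELD LOW HIGH
#   -> "FIELD: LOW OR FIELD: LOW+1 ... OR FIELD: HIGH" (no trailing OR)
range_query() {
    field=$1
    lo=$2
    hi=$3
    out=""
    i=$lo
    while [ "$i" -le "$hi" ]; do
        if [ -z "$out" ]; then
            out="${field}: ${i}"
        else
            out="${out} OR ${field}: ${i}"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# above_query FIELD N
#   -> "NOT (FIELD: 0 OR ... OR FIELD: N)", i.e. the shorter form from the
#      post that matches every value greater than N
above_query() {
    printf 'NOT (%s)\n' "$(range_query "$1" 0 "$2")"
}

# Usage: the alert condition for "more than 15 deferred mails".
above_query message 15
```

Paste the output of `above_query message 15` into the stream search box or the alert condition exactly as the post describes; `range_query message 15 800` reproduces the long form from the post, minus the dangling "OR".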