Sorting by number fields Not Working

PlayfulDragon · January 23, 2024, 7:48pm

When firewall logs come in, I use an API call to pull in an IP Abuse Score (0-100). I am trying to build a dashboard to list the destination IPs and their score, sorted on their IP Abuse Score. i.e., put the IP with the highest score at the top, lowest score at the bottom of the list.

I have the widget created, and I have set it to sort on the IP Score in descending order. However, it is not treating the field as a number in the way it sorts. What I mean is; it puts anything that starts with a 9 first, then 8, then 7 and so on.

I end up with a list sorted as such, as an example:
9
8
4
25
2
15
1

Is there something special I need to do to get Graylog to treat the field values as true numbers in its sort?

Thank You…

Joel_Duffield · January 23, 2024, 9:06pm

Sound like it’s storing it as text not a number. If you click the field name what field type does it say at the very top of that pop up menu?

PlayfulDragon · January 23, 2024, 10:20pm

Looks like it is seeing it as a number.

It shows:
DST_IP_SCORE=long

patrickmann · January 24, 2024, 8:48am

Possibly this field changed data types within the time range you are querying.
Please try this:

manually rotate the related index
scope the query to messages that came in after rotating

Does the sorting problem still exist?

PlayfulDragon · January 24, 2024, 3:20pm

I rotated the index this morning, shortened the time range, but the problem still persists.

patrickmann · January 24, 2024, 3:44pm

What version of Graylog and Elastic/OpenSearch are you running?

PlayfulDragon · January 24, 2024, 4:34pm

This is a new install from about a week and half ago.

Versions Installed:
Graylog Server : 5.2.3-1
opensearch : 2.11.1
MongoDB : 6.0.12

patrickmann · January 24, 2024, 5:12pm

I am beginning to suspect a bug, since this is the second report.
I have filed an issue and am following up with developers. Stay tuned.

patrickmann · January 25, 2024, 9:49am

I believe you are running into a limitation of the table widget: If you group numeric and non-numeric fields, then you cannot sort those columns numerically.
The workaround is to not group the numeric column you wish to sort on.
We’ve added a work item to improve this.

PlayfulDragon · January 25, 2024, 3:10pm

I do not believe that is it. I just modified the data table so that the only thing being reported is the field in question and the sort is still not working.
Here is what I have:

patrickmann · January 25, 2024, 3:41pm

Right - I can reproduce it myself now. Sure looks like a bug. We’ll investigate it - should have a pretty high priority. Thanks for reporting.

system · February 8, 2024, 3:41pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog 2.3.1 not able to sort query by numeric field. 500 error Graylog Central (peer support)	1	1080	November 14, 2017
Message column sort not working in Graylog 3.1.2 Graylog Central (peer support) sidecar , winlogbeat	4	1011	November 1, 2019
Sort additional metrics when sort timestamp is enabled not working Graylog Central (peer support)	4	279	May 16, 2023
Search field:<value doesn't give the expected results Graylog Central (peer support)	11	1853	January 28, 2019
Sorting on custom date field, error 500 Graylog Central (peer support)	2	1032	October 8, 2018

Sorting by number fields Not Working

Related Topics