Suggestions for Long Term trend analysis

BlueTeamNinja · July 3, 2019, 4:28pm

Hey all,

What is the suggested practice for storing / indexing long term metadata?

I have several hourly, daily, weekly and even monthly dashboards - but in some cases, like Firewall traffic - I don’t want to store a million messages per day for a year. I only really need the full message for a few days, however I’d like to keep an eye on trends and report on KPIs quarterly or annually.

I’d rather summarize week by week and have the ability to simply produce the quantities.

Is there a way to store the count of a search query somehow, then index that message for a year? Is anyone else doing this? Things like DNS, webserver logs, firewall logs produce huge quantities - and I only really need the quantity after a certain period of time.

jan · July 3, 2019, 4:34pm

He ya,

not yet - but upcoming Graylog version will have that. That you can correlate and save the correlated data as a new message. Stay tuned for the next release!

Currently you would need to create the denser messages on processing saving it in a different index and keep that longer.

BlueTeamNinja · July 3, 2019, 6:16pm

Cool. I’ll watch for the new features. Thanks as always, @jan

system · July 17, 2019, 6:16pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fronting static dashboards? Graylog Central (peer support)	9	836	April 9, 2018
Working with non-timestamped data? Development	6	1136	November 27, 2017
Long time Statistics with Average Graylog Central (peer support)	2	695	January 3, 2019
Dashboard retention > source logs retention Graylog Central (peer support)	2	381	July 13, 2018
Graylog "today"in search Graylog Central (peer support)	1	449	April 11, 2019

Suggestions for Long Term trend analysis

Related Topics