Hi,
I seem to be unable to understand some concept of pie charts in a dashboard widget.
I have a stream of messages, some of them have field A and some have field B (mutually exclusive, no message can have both fields). I now want to create a pie chart with the distribution of how many messages with field A compared to how many with field B. In essence the distribution of field A or B towards total count of messages.
I create an aggregate widget with metric 1 being “count field A” and another one (metric 2) with “count field 2”. Visualization is “pie chart”.
However, what I get is a widget with TWO pie charts, both being 100%.
What I want is ONE pie with i.e. 60% A and 40% B…
What am I doing wrong?
I am using Graylog 4.2.8 free edition, and I cannot find any trace of “quick value”…
Thanks, I openly admit when I am incapable. Saves a lot of time…
Anyway. No, this is the result I get; I do want to have ONE Pie. The total pie represents the total number of messages, one part of that pie the number of messages with field A and the rest of that pie (obviously) the number of messages with field B.
Understood, so something like this?
I would duplicate it for you but I don't think I have the same fields.
Yes, quite so. Is the trick the two times grouping?
I tried it but there will not even be a pie displayed…
Group1 is “Field A”, limit 15
Group2 is “Field B”, limit 15
Metric is “count” with no field, no name
Vis is “Pie chart”
@mosman
Been playing around in the lab I came up with this.
Yes
Check the time frame you're searching, 5 minutes, 15 minutes, etc… maybe increase it.
Oh wait, I have netflow fields. Let me check real quick
Tnx. I want the percentage of IPv4 vs. IPv6…
Ok, one problem: I don't have IPv_6 fields.
Here are my results for IPv_4.
I actually did a global search for IPV6 and it came up empty.
EDIT: Sorry, I uploaded the wrong pic, I just replaced it.
Strange, does not work at all here. Your example does work, sort of. It shows me four portions of the pie. With different IP-Address groups.
To stay with that example; I’d like a pie that gives me the amount of ipv4_dst fields and the amount of ipv4_src fields. Yes, I know that that then must be a pie with 50/50 but that should illustrate the pie I want
@mosman
Ok, this is my last one. I tried multiple ways of achieving this. Grafana is much easier.
Last attempt
That's the best I can do for ya.
Bugger. Still an empty pie. I just checked that I have plenty of messages with either ipv4 or ipv6 fields…
If I do your example it still does not work as desired. It will give me the count of address pairs, i.e. 192.168.1.1-192.168.2.1 and 192.168.2.2-192.168.3.1 and the distribution in the packets.
But for ipv6_dst and ipv4_src plain nothing.
I'll try more tomorrow. If I come up with something I'll post it for ya. Maybe someone else here has done it before.
Thank you anyway for that.
Hello,
Did some labbing, but was unable to create a widget that you want for the two fields. Long, long time ago there used to be a setting called “Quick Values”
Sort of what was talked about here…
Someone else was looking for the same thing here…
I believe they moved most of what you are asking into an enterprise version with the Illuminate plugin. BTW it's no longer called Enterprise version, it is now called Graylog Operations.
The only things I can suggest at this point are:
- Create two separate widgets, one for IPv4 and the other for IPv6.
- If you're under 2 Gb a day the license is free for the Enterprise/Graylog Operations version.
- Last, try working with Grafana; it does have some nice dashboards for free but it's a little more difficult.
Here is what I was referring to
Hello and thank you again. That confirms my “suspicion” a bit… Yes, I know of the thing “Quick Value” but they do not exist anymore, at least not that I see them. And yes, I did see the other posts and that did not help either…
Creating two widgets is not a solution since I cannot get the ratio between V4 and V6 this way. I already tried to set up an explicit field (is_ipv6) and then count against that. However, I cannot get the full pie to represent the count of ALL messages and the pie content split between V4 and V6.
Looks like I have to change my topic title
Have a separate field ip_type that contains either IP_4 or IP_6.
Even your grandma can pie chart that!
Well, unfortunately I am no Grandma nor will I ever be one…
But yes, that did the trick. Thank you a lot; sometimes you need that poke in the ribs to really get it.
Cheers
Good call @tmacgbay,
I’ve been banging my head trying to figure this out. I created a pipeline which is kinda crude for testing.
rule "IP Type"
when
    // tag the message as IPv4 when both NetFlow IPv4 address fields are present
    has_field("nf_ipv4_dst_addr") && has_field("nf_ipv4_src_addr")
then
    set_field("ip_type", "IPV4");
end
Seems to work.
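As an added example, not code from any post in this thread: the same approach carried through for both address families, so that one pie chart grouped on ip_type shows the IPv4/IPv6 split against the total message count. Each rule is created separately in Graylog and attached to the same pipeline stage; the nf_ipv4_* field names come from the post above, while the nf_ipv6_* names are assumed and must be replaced with whatever your NetFlow/IPFIX input actually emits.

```graylog
// Added example, not from the thread: every message gets exactly one
// ip_type value, so "Group by ip_type, Metric count(), Visualization Pie"
// renders a single pie whose slices add up to the total message count.

rule "ip_type IPv4"
when
    // either IPv4 address field is enough to classify the message
    has_field("nf_ipv4_src_addr") || has_field("nf_ipv4_dst_addr")
then
    set_field("ip_type", "IPV4");
end

rule "ip_type IPv6"
when
    // field names are assumed; adjust to the ones your input produces
    has_field("nf_ipv6_src_addr") || has_field("nf_ipv6_dst_addr")
then
    set_field("ip_type", "IPV6");
end

rule "ip_type unknown"
when
    // neither family matched: still tag the message so the pie keeps
    // representing ALL messages rather than silently dropping these
    !has_field("nf_ipv4_src_addr") && !has_field("nf_ipv4_dst_addr") &&
    !has_field("nf_ipv6_src_addr") && !has_field("nf_ipv6_dst_addr")
then
    set_field("ip_type", "UNKNOWN");
end
```

The three conditions are mutually exclusive, so the rules can share one stage; the widget is then Group by ip_type, Metric count (no field), Visualization Pie chart.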