Trying to create my first aggregation

Hello,

New to Graylog. Have recently installed Graylog (graylog-server-4.1.2-1, elasticsearch-7.10.2 on CentOS Linux release 7.9).

Trying to create my first aggregation for alerting purposes.

I have,

  1. Set up Stream
  2. Set up Pipeline using the stream
     1. Added a rule to split log lines into fields using key_value()
     2. Added a rule to convert selected fields into long using to_long()
  3. When I try to create an aggregation in search, I receive the following error.
     1. When I check the type of the field I see that I have a combined type for the field ‘delayed’ which is both a string and a long.

Not sure where I should go from here. Suspect that I am missing something about elasticsearch types and indexes. If someone could point me in the right direction that would be great.

Regards,
Danny
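For reference, here is an added example of what the two rules described above look like when combined into a single Graylog pipeline rule. It is not Danny's rule and not taken from Graylog's documentation; the sample log line, the field name `delayed`, and the choice of space and `=` as delimiters are assumptions.

```text
// Added example (not the poster's rule): parse "key=value" pairs from a line such as
//   job=backup status=ok delayed=42 retries=0        <- constructed sample line
// and store "delayed" as a number before the message is indexed.
rule "kv parse and cast delayed to long"
when
  has_field("message")
then
  // split the raw line into a map of key -> value (every value is a string at this point)
  let kv = key_value(
    value: to_string($message.message),
    delimiters: " ",
    kv_delimiters: "="
  );
  set_fields(kv);

  // overwrite the string copy of "delayed" with a long; reading from the map rather than
  // from $message keeps the cast independent of rule and stage ordering
  set_field("delayed", to_long(kv["delayed"]));
end
```

Two things worth checking once a rule like this is in place. First, Elasticsearch fixes a field's type per index the first time it sees the field, so any index written while `delayed` was still a string keeps it as `keyword`; the aggregation will keep reporting a mixed type until those indices are rotated out (or the search is limited to newer ones). The per-index mapping can be inspected with `GET graylog_*/_mapping/field/delayed` against the Elasticsearch API. Second, in the Message Processors Configuration the Pipeline Processor must run after the Message Filter Chain, otherwise stream routing has not happened yet and a pipeline connected to the stream never sees the messages, which is why the reply below asks about that screen.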

Hello && Welcome

Looks like the field delayed cannot be used for the aggregation with sum.

What does your Pipeline/rules look like?
EDIT: What does your “Message Processors Configuration” look like?
