Unexpected behavior for handling numeric field

zoulja · January 21, 2019, 7:56am

I’m trying Graylog 3.0 and it seems it has some unclear behavior about detecting field type and managing it.
I extract request time from Nginx logs using grok pattern %{BASE10NUM:req_time},
Field extracted properly and for further analysis I’m trying to generate charts and statistics.

Expected result:
It’s possible to query logs by request time field
It’s possible to query logs by request time field value (for example requests took more than 1 second)
It’s possible to generate statistics for numeric type(including max, min, deviation, etc)
It’s possible to generate chart and customize it by max, mean, and so on

Actual result:
It’s possible to query logs by request time field
It’s possible to query logs by request time field value (for example requests took more than 1 second)
It’s not possible to generate statistics for numeric type(including max, min, deviation, etc), all those fields displayed as NA
It’s not possible to generate chart and customize it by max, mean, and so on - chart is not updated accordingly.

The same log with the same extractor can be analyzed as expected on Graylog 2.5.1

macko003 · January 21, 2019, 8:32am

maybe forgot mention to index your fields as number in elasticsearch
use elasticsearch mapping.
http://docs.graylog.org/en/2.4/pages/configuration/index_model.html
http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html

zoulja · January 21, 2019, 8:37am

Thanks, I will check, but in both cases I use default out-of-the-box configuration and don’t customize Elasticsearch related settings.

Update: Yes, @macko003, you’re right, in good case this field is float, and in bad case it’s keyword.
Is there any way to change default Graylog configuration to avoid manual convert operations?

Update2: grok pattern can include field type, so it seems I have to use it

macko003 · January 21, 2019, 10:23am

Could you show how do you do it?
I think you missed it with the grok pattern.
As far as I know elastic handle every field as text. You have to override it with custom mapping. (I shared the link how can you do it.

zoulja · January 21, 2019, 12:00pm

Like this:
http://docs.graylog.org/en/3.0/pages/extractors.html
%{NUMBER:request_time;float}
After I changed this pattern I verified ES mappings and confirmed field has correct type

macko003 · January 21, 2019, 12:32pm

Thanks, it’s new for me!

system · February 4, 2019, 12:32pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Struggling with parsing number field Graylog Central (peer support)	7	1553	July 31, 2020
Forcing numeric fields Graylog Central (peer support)	7	7465	May 4, 2017
Graylog extractor data type problem Graylog Central (peer support)	4	882	September 9, 2020
NaN value for statistics Graylog Central (peer support)	2	743	March 10, 2020
Search Results with Numeric Extracted are Not Greater than Query Graylog Central (peer support)	6	4522	July 3, 2021

Unexpected behavior for handling numeric field

Related topics