Views' widget metric to be the addition of two field sums

Hi all,

Note: Using Graylog 3.0.2+1686930

Basically, a CEF log message includes (among others) two values, in and out, to represent the byte count in both directions. All I want is to add a new column to a table widget in Views that displays the following metrics:

sum(in)
sum(out)
sum(in)+sum(out)

The latter I have issues with.

After much reading and testing, I went the path of Pipelines and created a Pipeline rule that will read in and out and add them together, believing the set_field would allow me to create a new field (d’oh).

For illustration, here is the Pipeline rule:

    rule "get_total_bytes"
    when
       has_field("in") && has_field("out")
    then
       // sum both byte counters as doubles and store the result in a new field
       let total = to_double($message.in) + to_double($message.out);
       set_field("total_bytes", total);
    end

Tried using extractors, but the log has been appropriately extracted by the CEF decoder. Since the value I want is not within the log structure and I would prefer not to alter any other message field, I cannot see how extractors would help.

So, any ideas on how to display “sum(in)+sum(out)” in a Views Widget?

After further reading it appears I had to change the “Message Processors Configuration” to the below. Then the pipeline rule above worked.

    #   Processor                  Status
    1   AWS Instance Name Lookup   active
    2   GeoIP Resolver             active
    3   Message Filter Chain       active
    4   Pipeline Processor         active
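To see what the rule actually computes on realistic input, here is an added Python example (not from the original post and not Graylog code) that parses a few constructed CEF lines, applies the same has_field/to_double logic as get_total_bytes, and shows the missing-field case being skipped rather than producing a bogus total.

```python
import re

# Constructed CEF lines (not from the original post). The extension carries
# the "in"/"out" byte counters the get_total_bytes rule sums; line 2 lacks
# "out" on purpose and line 3 carries an escaped "=" inside a value.
SAMPLE_LOGS = [
    "CEF:0|Vendor|Firewall|1.0|100|Allowed connection|3|"
    "src=10.0.0.5 dst=10.0.0.9 in=1200 out=340",
    "CEF:0|Vendor|Firewall|1.0|100|Allowed connection|3|"
    "src=10.0.0.5 dst=10.0.0.9 in=700",
    "CEF:0|Vendor|Firewall|1.0|100|Allowed connection|3|"
    "msg=path\\=/a b in=5 out=5",
]
HEADER_KEYS = ["cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity"]

def parse_cef_extension(ext):
    """{key: value} from a CEF extension string. Values may contain spaces:
    a field starts only at an unescaped 'key=' token; \\= \\\\ \\| are decoded."""
    fields, keys = {}, list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end])
    return fields

def parse_cef(line):
    """Split the 7 pipe-delimited header fields (pipes may be escaped as \\|)
    from the extension and merge both into one flat message dict."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    message = dict(zip(HEADER_KEYS, [parts[0][4:]] + parts[1:7]))
    message.update(parse_cef_extension(parts[7]))
    return message

def add_total_bytes(message):
    """Same logic as the get_total_bytes rule: only when both counters are
    present, set total_bytes = double(in) + double(out)."""
    if "in" in message and "out" in message:
        try:
            message["total_bytes"] = float(message["in"]) + float(message["out"])
        except ValueError:
            pass  # unparseable counter: leave the message untouched
    return message

def totals_for(lines):
    """total_bytes per line, or None where the rule's has_field() guard fails."""
    return [add_total_bytes(parse_cef(l)).get("total_bytes") for l in lines]
```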

Try to convert the total to a string before you write it to the field,
or try to map the field to double in Elasticsearch.

The pipeline itself works fine. My error was that I connected the pipeline to a stream other than all messages. By doing this the pipeline could not have been applied to the other stream as the message is only routed to other streams at the message filter chain.

Anyone please correct me if I’m wrong.

So by connecting this rule to all messages stream, the new field was created and persisted across the streams.
