I know it is a little bit late, but I had a similar requirement and solved it this way:

1. Related events occur relatively shortly after each other (i.e. minutes, seconds)

I created a filter plugin for Drools and set up a Drools Fusion rule. The facts for the rule were cached in memory. I set the priority of the filter higher than the stream matcher and only applied the rules to that stream. The rule consequence created additional fields on the message which I could parse later via alerts. The problem / shortcoming here is to keep all interesting messages in memory (and on a single node).

2. Related events occur rather (time-wise) separate from each other

I created a filter plugin for Drools (works without Drools too) for that message (logout in your case) and as a rule consequence I looked up the preceding message (login in your case) via HTTP REST. Again I created additional fields on the message for later manipulation.

3. Related events occur rather (time-wise) separate from each other and involve some complex logic

I created a stream for the respective messages and sent the output to JBoss DroolsFlow which triggered a state machine workflow. All events to come would then trigger states which I could react upon in the workflow. In the end the workflow produced a new message for Graylog2.

All involve some kind of coding.

Maybe that helps.

Regards,
Ronald

On Monday, October 13, 2014 at 10:23:54 PM UTC+2, [email protected] wrote:
> My need is to correlate two events for following purposes
> 1. find the duration from event 1 to event 2 like user logged in at time 1
> and user logged out at time 2 - duration user was connected (t2-t1)
> 2. Secondly, event A has part of the information and part of the
> information is coming in event B - which the two together makes a full
> event.
>
> So in a nutshell is there some event correlation facility available in
> graylog2 - log analysis. Or how should I go about doing this with graylog2
> 0.90 version.
>
> I was looking into Drools Fusion for event processing - but not getting
> anywhere with that!
>
> Thanks
>
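
The in-memory approach from point 1 of the reply, sketched as an added example that is not part of the original thread and is neither a Graylog2 plugin nor a Drools rule. It caches logins per user, enriches the matching logout with a duration field, and bounds the cache by age and size; the field names, the 10-minute window and the sample events are assumptions, and events are assumed to arrive in timestamp order.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample events; the field names are assumptions.
SAMPLE = [
    {"timestamp": "2014-10-13T20:00:00", "user": "alice", "action": "login"},
    {"timestamp": "2014-10-13T20:01:00", "user": "bob", "action": "login"},
    {"timestamp": "2014-10-13T20:04:30", "user": "alice", "action": "logout"},
    {"timestamp": "2014-10-13T20:20:00", "user": "bob", "action": "logout"},
    {"timestamp": "2014-10-13T20:21:00", "user": "carol", "action": "logout"},
]


class SessionCorrelator:
    """Pairs a logout with the cached login of the same user."""

    def __init__(self, window=timedelta(minutes=10), max_pending=10000):
        self.window = window
        self.max_pending = max_pending
        self.pending = OrderedDict()  # user -> login time, oldest first

    def _evict(self, now):
        # Drop logins older than the window, then enforce the size cap.
        while self.pending:
            user, ts = next(iter(self.pending.items()))
            if now - ts <= self.window and len(self.pending) <= self.max_pending:
                break
            del self.pending[user]

    def process(self, event):
        """Return a copy of the event, enriched when it is a logout."""
        now = datetime.fromisoformat(event["timestamp"])
        self._evict(now)
        out = dict(event)
        if event["action"] == "login":
            self.pending.pop(event["user"], None)  # re-login replaces old entry
            self.pending[event["user"]] = now
            self._evict(now)
        elif event["action"] == "logout":
            start = self.pending.pop(event["user"], None)
            out["session_correlated"] = start is not None
            if start is not None:
                out["session_duration_s"] = int((now - start).total_seconds())
        return out


def correlate(events, **kwargs):
    correlator = SessionCorrelator(**kwargs)
    return [correlator.process(e) for e in events]
```

A logout that comes back with `session_correlated` set to false had no login in the cache, which is the case where a lookup against stored messages is needed instead.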
