Group,
I'm using Graylog to parse logs from our Juniper SRX firewalls.
Telling the SRXs to log to the Graylog input in "structured log" format
does a great job of automatically capturing the fields without a lot of
need for building extractors.
My question centers around the behavior of the "Quick Values" pie
graphs. When I analyze the flow logs from my firewall and build a graph of
opened sessions centered around "source_address" (source IP), I'll get a
pie graph and a data table (obviously). The problem is this. Oftentimes,
when creating the query, there may be 100 or more unique values for
"source_address".
When you create a "Quick Values" chart, the pie graph is built from
the numbers and percentages in the data table (maximum of 50 IPs). But the
percentages in the data table are the percentages based on the entire
query. So you can end up with your top IP showing up as 18% in the data
table, but taking up roughly 70% of your pie graph. It's seriously
distracting. Has anyone hacked about a way to normalize this? Or build a
query such that you limit unique values in a field to the top x number of
results?
I've included an image, if the forum allows it. (you'll notice I anonymized
the first two octets of the IPs, don't let that throw you)
--
*****************************
Casey Russell
http://www.caseyrussell.com
[email protected]
*****************************
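Added worked example (not part of the post above and not Graylog's own code): the script below reproduces the mismatch described in the message with a constructed set of per-source_address session counts, one busy host plus a long tail of 700-odd single-session addresses. It computes the two percentages a Quick Values view shows for the top 50 rows, the table percentage (share of the whole query) and the pie percentage (share of only the 50 rows that were plotted), and then builds a renormalized view that adds an "other" slice so the pie and the table agree. The 50-row limit and the way the pie is rescaled are assumptions taken from the description in the post, not from Graylog's source.

```python
from collections import Counter

# Constructed sample (not real firewall data): sessions tallied per
# source_address as a Quick Values query would count them.
SAMPLE_COUNTS = Counter()
SAMPLE_COUNTS["10.0.0.1"] = 180              # one busy host
for i in range(49):                          # 49 moderately active hosts
    SAMPLE_COUNTS[f"10.0.1.{i + 1}"] = 3
for i in range(673):                         # long tail: one session each
    SAMPLE_COUNTS[f"10.1.{i // 250}.{i % 250 + 1}"] = 1
# Totals: 1000 sessions over 723 unique addresses.


def quick_values(counts, limit=50):
    """Return (rows, total, shown) for the top `limit` values.

    table_pct is the value's share of every event matched by the query;
    pie_pct is its share of only the rows that made it into the chart,
    which is how the pie ends up exaggerating the top value.
    """
    total = sum(counts.values())
    top = counts.most_common(limit)
    shown = sum(c for _, c in top)
    rows = [
        {
            "value": value,
            "count": c,
            "table_pct": 100.0 * c / total,
            "pie_pct": 100.0 * c / shown,
        }
        for value, c in top
    ]
    return rows, total, shown


def with_other_slice(rows, total):
    """Renormalize the pie so every slice uses the whole-query share.

    Everything outside the top rows is collapsed into a single "other"
    slice, so the slices again add up to 100% of the query and the top
    value no longer looks larger than it is.
    """
    shown = sum(r["count"] for r in rows)
    rest = total - shown
    out = [dict(r, pie_pct=r["table_pct"]) for r in rows]
    if rest > 0:
        rest_pct = 100.0 * rest / total
        out.append({"value": "other", "count": rest,
                    "table_pct": rest_pct, "pie_pct": rest_pct})
    return out


if __name__ == "__main__":
    rows, total, shown = quick_values(SAMPLE_COUNTS)
    top = rows[0]
    print(f"{total} sessions, {len(SAMPLE_COUNTS)} unique sources, "
          f"{shown} sessions plotted in the top {len(rows)} rows")
    print(f"{top['value']}: table {top['table_pct']:.1f}%  "
          f"pie {top['pie_pct']:.1f}%")
    for r in with_other_slice(rows, total)[-2:]:
        print(f"{r['value']:>10}: {r['pie_pct']:.1f}% of renormalized pie")
```

With the sample above the busiest address is 18.0% of the query but 55.0% of the pie built from the top 50 rows; adding the "other" slice brings it back to 18.0% and makes the 67.3% tail visible, which is the context an analyst needs before treating one host as dominant.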