Hi Casey,

That doesn't look right, would you be so kind as to create an issue in our GitHub repository? Here's the link: https://github.com/Graylog2/graylog2-server

Thank you!

Edmundo

> On 08 Aug 2016, at 21:38, Casey Russell <[email protected]> wrote:
>
> Group,
>
> I'm using Graylog to parse logs from our Juniper SRX firewalls. Telling the SRXs to log to the Graylog input in "structured log" format does a great job of automatically capturing the fields without a lot of need for building extractors.
>
> My question centers around the behavior of the "Quick Values" pie graphs. When I analyze the flow logs from my firewall and build a graph of opened sessions centered around "source_address" (source IP), I'll get a pie graph and a data table (obviously). The problem is this. Oftentimes, when creating the query, there may be 100 or more unique values for "source_address".
>
> When you create a "Quick Values" chart, the pie graph is built from the numbers and percentages in the data table (maximum of 50 IPs). But the percentages in the data table are the percentages based on the entire query. So you can end up with your top IP showing up as 18% in the data table, but taking up roughly 70% of your pie graph. It's seriously distracting. Has anyone hacked about a way to normalize this? Or build a query such that you limit unique values in a field to the top x number of results?
>
> I've included an image, if the forum allows it. (You'll notice I anonymized the first two octets of the IPs, don't let that throw you.)
>
> --
> *****************************
> Casey Russell
> http://www.caseyrussell.com
> [email protected]
> *****************************
>
> --
> You received this message because you are subscribed to the Google Groups "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CAP2khRe_7%2BjGfB2AzctD%3DG-cRkfewGAkQE1EgpckV6p8-Sca%3Dg%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
> <Graph_discrepancy.PNG>
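
The discrepancy described in the thread, reproduced as an added example (not part of the original messages and not Graylog's code): the table percentage is computed over every matching message, while a pie drawn only from the listed rows rescales them to fill the circle. The function names, the constructed sample counts and the limit of 3 (standing in for the 50-row limit) are assumptions; adding an "Other" slice is one way to make the two views agree.

```python
from collections import Counter


def quick_values(counts, limit):
    """Top `limit` terms with the table percentage (share of all matching
    messages) and the share of the pie when only those rows are drawn."""
    total = sum(counts.values())
    top = Counter(counts).most_common(limit)
    shown = sum(n for _, n in top)
    return [
        {"term": term, "count": n,
         "table_pct": round(100 * n / total, 1),
         "pie_pct": round(100 * n / shown, 1)}
        for term, n in top
    ]


def with_other_slice(counts, limit):
    """Same top terms plus an 'Other' slice for everything past the limit,
    so each slice's share of the pie equals its table percentage."""
    total = sum(counts.values())
    top = Counter(counts).most_common(limit)
    rest = total - sum(n for _, n in top)
    slices = top + ([("Other", rest)] if rest else [])
    return [(term, round(100 * n / total, 1)) for term, n in slices]


# Constructed sample: 40 source_address values, 1000 session-open events.
SAMPLE = {"192.0.2.10": 180, "192.0.2.11": 50, "192.0.2.12": 30}
SAMPLE.update({f"198.51.100.{i}": 20 for i in range(1, 38)})

if __name__ == "__main__":
    for row in quick_values(SAMPLE, 3):
        print(row)
    print(with_other_slice(SAMPLE, 3))
```
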
