Hey Niklas,
you are right with your observations. The statistical analysis
requires the value to be stored as an integer (or another numeric
type) in the index to work. If the used GELF library is not able to
send numeric type you'll have to use a fallback method: Extractors.
You can use an extractor (Type: Copy Input) to copy the whole input of
the field "count" and apply a numeric converter on it. This will store
it as an integer in your case.
Note that you might have to manually cycle the deflector (System ->
Indices -> "Maintenance" dropdown menu) to enforce a new mapping or
ElasticSearch will try to be smart and convert the integer back to a
string because it has the field "count" mapped as a string.
The field "line" is indeed handled specifically but is deprecated in
the current GELF specs.
Greetings from the other side of Hafencity,
Lennart
On Tue, Jun 3, 2014 at 3:42 PM, Niklas Grebe wrote:
> Hey folks,
>
> first of all thanks - you’re doing a great job with Graylog2!
>
> We’re sending messages via gelfj to a gl2 udp input stream for gelf
> messages. A raw message looks like this:
> {"host":"my.host","_customField1":"it","full_message":" (test:it)
> 31","short_message":" (test:it)
> 31","line":"53","version":"1.0","_customField2":"test","timestamp":"1401796573.67","_type":"stats","_thread":"main","level":"6","facility":"test_facility","file":"Logger.java","_count":"31","_timestampMs":"1401796573670”}
>
> _count is a custom field which has a aggregated count in it. The web
> interface says to this field ”Statistical analysis is only available for
> numeric field types.” which seems to be right because we can see in the tcp
> dump that there are quotes around this field. In gelfj there is a method for
> extended fields which casts them toString:
> https://github.com/t0xa/gelfj/blob/8ca278c0ea0f2ac9cd6db03e55f27631f4571002/src/main/java/org/graylog2/log/GelfConsoleAppender.java#L100
> So there is no proper way to extend fields to gelf which are numeric with
> this library, or did i missed something? I know that this is more or less a
> problem with gelfj but it’s in the first place in the library list for gelf
> logger on the graylog webpage: http://graylog2.org/gelf#libraries and i also
> found something interesting: The normal field line (which is also sended via
> double quotes like a string) is interpreted as a integer and we can do
> statistics with this field. Is this a special exception in the graylog2
> webui just for the line field in gelf messages?
>
>
>
> Greetings,
> Niklas
>
> --
> You received this message because you are subscribed to the Google Groups
> "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to graylog2+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
