Is there a way to do a search in graylog2 and only return distinct results for a given field? What I'm trying to accomplish is a stream or dashboard widget that will give me the number of IIS errors from distinct ip addresses.
Viewed 5,779 times
3 Answers
1
One way is to:
- extract the IP address as a field (ip_address),
- search for IIS errors,
- in the search results message fields, on the right, use ip_address "quick values" to get the count of errors for a specific IP address.

Dinesh Bhat
0
The approach of seeing the distribution of count-of-errors per IP via "quick values" is good. As a hint on how to go about uniqueness/distinct IP addresses or any value, "card()" for cardinality can be used in Graylog. But aggregation can be done in other ways.
To get the number of errors-per-IP in a Data Table, just add the rows and do a count() over them, and restrict the search query to http_response:>=500

wbob
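The two answers above describe two different numbers: errors per IP (what "quick values" or a count() grouped by IP shows) and the number of distinct IPs that produced errors (the cardinality). The following is an added example, not part of either answer and not Graylog code, that computes both outside Graylog from constructed IIS W3C log lines, which is useful for cross-checking a widget; the `>= 500` filter mirrors the `http_response:>=500` query above, and the function names are illustrative.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 08:00:01 203.0.113.5 GET /api/orders 500
2024-01-10 08:00:02 203.0.113.5 GET /api/orders 500
2024-01-10 08:00:03 198.51.100.7 POST /login 503
2024-01-10 08:00:04 192.0.2.44 GET /index.html 200
2024-01-10 08:00:05 203.0.113.5 GET /api/orders 502
2024-01-10 08:00:06 198.51.100.9 GET /missing 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def server_errors_by_ip(text):
    """Per-IP count of 5xx responses (the 'quick values' / count() view)."""
    counts = Counter()
    for row in parse_w3c(text):
        ip = row.get("c-ip")
        status = row.get("sc-status", "")
        if ip and status.isdigit() and int(status) >= 500:
            counts[ip] += 1
    return counts

def distinct_error_ips(text):
    """Number of distinct IPs with at least one 5xx (the cardinality view)."""
    return len(server_errors_by_ip(text))

if __name__ == "__main__":
    for ip, n in server_errors_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
    print("distinct IPs with errors:", distinct_error_ips(SAMPLE_LOG))
```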
-1
If it's a field, then "IpAddress:111.111.111.1" would search for all logs with 111.111.111.1 as the IP address.

ejw
this q is about _distinct_ values – Dave Kielpinski Mar 25 '20 at 23:41