
I just started working with Graylog and I have some issues. Can I write a query that will bring me logs with a unique identifier?

For example, I have logs with op_id and loan_amt and I want to get the sum of loan_amt from all logs. Here comes the problem: some logs may share the same op_id, and my sum will not be correct because it will add the loan_amt from logs with the same op_id multiple times.

Can you help me, please?

Nicusor S
  • So your unique identifiers (op_id) aren't unique? – joschi Apr 24 '18 at 11:33
  • They are unique for request, but I can modify loan_amt and it sends the same log message, same op_id, different loan_amt. – Nicusor S Apr 24 '18 at 11:49
  • So is `loan_amt` some kind of unique identifier? If not, you should take care that a specific `op_id` is only used once. – joschi Apr 24 '18 at 13:13

1 Answer

If I understand correctly, you will need to further narrow down your search criteria to filter out duplicate log entries.

You can use the Graylog search query language to do this.

Try to find fields where duplicate logs differ from each other and then create a filter to exclude one from your results.

For example, something like this:

```
source:hostname.that.logs.loans_amt AND LoggerName:your.logger.that.logs.loan_amt
```

Chris
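When the duplicates cannot be told apart by a search filter, the sum can be computed outside the query. The following is an added example, not part of the original answer; it assumes the matching messages were exported as CSV with `timestamp`, `op_id` and `loan_amt` columns, and that the most recent message per `op_id` carries the amount that should count.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample export (not real data). op-1001 and op-1002 each appear
# twice with different loan_amt values; op-1003 has no amount at all.
SAMPLE_CSV = """timestamp,op_id,loan_amt
2018-04-24T11:30:00.000Z,op-1001,1500.00
2018-04-24T11:31:10.000Z,op-1002,700.50
2018-04-24T11:32:45.000Z,op-1001,1800.00
2018-04-24T11:33:00.000Z,op-1003,
2018-04-24T11:29:00.000Z,op-1002,650.00
"""


def sum_latest_per_op_id(csv_text):
    """Sum loan_amt once per op_id, keeping the newest message for each id.

    Returns (total, distinct_op_ids, skipped_rows). Rows with a missing or
    unparsable timestamp, op_id or loan_amt are counted as skipped rather
    than silently treated as zero.
    """
    latest = {}  # op_id -> (timestamp, amount)
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
            amount = Decimal(row["loan_amt"])
            op_id = row["op_id"]
            if not op_id:
                raise ValueError("empty op_id")
        except (ValueError, InvalidOperation, TypeError, KeyError):
            skipped += 1
            continue
        # Rows may arrive in any order, so compare timestamps explicitly.
        if op_id not in latest or ts > latest[op_id][0]:
            latest[op_id] = (ts, amount)
    total = sum((amt for _, amt in latest.values()), Decimal("0"))
    return total, len(latest), skipped


if __name__ == "__main__":
    total, ops, skipped = sum_latest_per_op_id(SAMPLE_CSV)
    print(f"total={total} distinct_op_ids={ops} skipped_rows={skipped}")
```

A plain sum over the same rows gives 4650.50, because the superseded amounts for op-1001 and op-1002 are counted as well.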