Graylog2-server: Integers not recognized after upgrade to 2.0

Created on 13 Jun 2016  路  5Comments  路  Source: Graylog2/graylog2-server

Problem description

After upgrading to Graylog 2.0 i started having issues with the time-taken field in IIS logs no longer being recognized as an integer. The logs are parsed to GELF and sent in VIA nxlog. I have added an extractor to convert the field to a number and store as an additional field. This works for most instances but I still have a few servers whos logs never get the additional post-extractor field. No changes were made to the nxlog configs and upgrading to GL 2.0.1 and 2.0.2 has not fixed the issue.

Steps to reproduce the problem

1.Convert IIS logs from CSV to GELF using nxlog and send to Graylog

  1. In the list of fields available in the serch results drop down time-taken and then choose generate graph.
    3.I am met with a message saying that only numeric values can be graphed although I have looked through the time taken values and all appear to be integers.

Environment

  • Graylog Version: 2.0.2
  • Elasticsearch Version: 2.3.2
  • MongoDB Version: 3.2.6
  • Operating System: CENTOS 7
  • Browser version: Chrome

thank you for any help you can provide,
Jonathan

elasticsearch question
Source
picture jcspino

Most helpful comment

A t least I think this information should be added to docs.

ICYM: http://docs.graylog.org/en/2.0/pages/configuration/elasticsearch.html#custom-index-mappings

picture joschi on 14 Jun 2016
😄1 👍1

All 5 comments

Just to provide more information, I am seeing the same issue (time-taken cannot be graphed) on servers that are being configured using the Graylog Collector and NXLog. On these servers the raw IIS log data is being sent to graylog and then a Copy Input Extractor is being used to convert the csv string into fields. I get the same error when clicking on Generate Chart (Could not create field graph.
Field graphs are only available for numeric fields.) Adding a numeric converter to the field did not resolve the problem.

jcspino picture jcspino on 13 Jun 2016

Attached
GL Errors.txt
are the errors I see in the server logs if they are of any help. Some are from manually trying to generate a graph and some are from a dashboard with widgets using the time-taken field as a number.

jcspino picture jcspino on 13 Jun 2016

You can explicidly define ES template for numeric field.
By default there is used some strange auto-detect logic, which sometimes behaves wrongly.

Example template:

{
   "template":"graylog2_*",
   "mappings":{
      "message":{
         "properties":{ 
            "double_field":{
               "index" : "not_analyzed",
               "type" : "double"
            },
            "long_field":{
               "index" : "not_analyzed",
               "type" : "long"
            }
         }
      }
   }
}

A t least I think this information should be added to docs.
And in the feature Graylog should have some GUI for configuring custom fields behaviour.

hc4 picture hc4 on 14 Jun 2016

A t least I think this information should be added to docs.

ICYM: http://docs.graylog.org/en/2.0/pages/configuration/elasticsearch.html#custom-index-mappings

joschi picture joschi on 14 Jun 2016
😄1 👍1

hc4 - Thank you very much, this is exactly what I needed and has resolved my problem.

joschi - "egg on face" i skimmed right over this section during setup, thank you for your help and a GREAT piece of software.

jcspino picture jcspino on 14 Jun 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

1tft picture 1tft  路  3Comments
jalogisch picture jalogisch  路  3Comments
bpbp-boop picture bpbp-boop  路  4Comments
ianling picture ianling  路  4Comments
hc4 picture hc4  路  4Comments