GROUP BY

Hello!

I miss the GROUP BY feature in Graylog. For example, I want to create an alert which alerts me if one IP fails to log in 10 times in the last 10 minutes.

Like in SQL, it will be just a query like SELECT COUNT(*) FROM stream_ssh WHERE time > NOW() - 600 GROUP BY ssh_client;

Or a pie chart for 500 Errors by Hostname, e.g.

  • Guest
    Apr 4 2017
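The per-client threshold the post describes, run as an actual GROUP BY over constructed sample events (an added example, not Graylog's own code; the table and column names stream_ssh, ssh_client and time are assumed from the query above, and the outcome column is an assumption):

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample: parsed ssh auth events (timestamp, client IP, outcome).
# Table/column names are assumed from the query in the post; "outcome" is an assumption.
NOW = datetime(2017, 4, 4, 20, 50, 0)
SAMPLE_EVENTS = [
    # 11 failures from 203.0.113.7 inside the 10-minute window: should alert
    *[(NOW - timedelta(seconds=30 * i), "203.0.113.7", "failed") for i in range(11)],
    # 3 failures from 198.51.100.2 inside the window: below threshold
    *[(NOW - timedelta(seconds=60 * i), "198.51.100.2", "failed") for i in range(3)],
    # 12 failures from 192.0.2.9, all older than 10 minutes: must not alert
    *[(NOW - timedelta(seconds=700 + 10 * i), "192.0.2.9", "failed") for i in range(12)],
    # successful logins from the noisy client are not counted at all
    *[(NOW - timedelta(seconds=5 * i), "203.0.113.7", "accepted") for i in range(20)],
]


def failed_logins_by_client(events, now=NOW, window_s=600, threshold=10):
    """Return {client_ip: failure_count} for every client with at least
    `threshold` failed logins in the last `window_s` seconds, i.e. the
    GROUP BY + threshold alert the post asks for."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stream_ssh (time TEXT, ssh_client TEXT, outcome TEXT)")
    conn.executemany(
        "INSERT INTO stream_ssh VALUES (?, ?, ?)",
        [(t.isoformat(), ip, o) for t, ip, o in events],
    )
    # ISO-8601 strings compare lexicographically in time order, so the
    # window cut-off can be a plain string comparison.
    rows = conn.execute(
        """
        SELECT ssh_client, COUNT(*) AS failures
        FROM stream_ssh
        WHERE outcome = 'failed' AND time > ?
        GROUP BY ssh_client
        HAVING COUNT(*) >= ?
        ORDER BY failures DESC
        """,
        ((now - timedelta(seconds=window_s)).isoformat(), threshold),
    ).fetchall()
    conn.close()
    return dict(rows)


if __name__ == "__main__":
    for ip, n in failed_logins_by_client(SAMPLE_EVENTS).items():
        print(f"ALERT: {ip} had {n} failed ssh logins in the last 10 minutes")
```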
  • Jeremy McGee commented
    April 4, 2017 20:50

    This is really needed in Graylog. The net flow plugin is great. But, I would like to be able to group by to show what IPs are using the most bandwidth.

  • Cho Injoong commented
    April 4, 2017 20:50

    This feature is very highly needed to enhance the usability of Graylog!!

  • Johan THOMAS commented
    April 4, 2017 20:50

    Yes, it's really a highly needed feature!

  • Tom M commented
    April 4, 2017 20:50

    +1

  • Binoj David commented
    April 4, 2017 20:50

    +1

  • Mike Modzgvrishvili commented
    April 4, 2017 20:50

    +1

  • Patrick commented
    April 4, 2017 20:50

    +1

  • Miloš Havlíček commented
    April 4, 2017 20:50

    +1

  • André Ignacio commented
    June 28, 2017 12:16

    +1

  • wenhao wu commented
    July 29, 2017 06:55

    This is really needed in Graylog. I think we can use ANTLR to implement the SPL, so we can use *| stats count(*) as "total" by action,controller to analyze the log ^_^

  • Wellington Pinheiro commented
    July 31, 2017 23:29

    +1

  • Guy Knights commented
    October 31, 2017 17:12

    +1

  • Admin
    Lennart Koopmann commented
    October 31, 2017 18:03

    Hi everyone! This is coming out in v2.4 and the first beta is ready: https://www.graylog.org/blog/103-announcing-graylog-v2-4-0-beta-1