Dashboard : display the sum of several counts

Florent_Fauvin · March 14, 2018, 10:40am

Hello,

I would like to display in my dashboard the sum of several counts.

For example, today, my search returns the authentication errors for SSH :

result: "authentication failure" => count:3
result: "Authentication FailureS" => count:5
result: "authentication failed" => count:1

I would like to display in my dashboard a line chart representing "Authentication errors" which is the sum of counts above.
For today, "Authentication errors":9 (9=3+5+1)

How can I do that ? Is it possible ?

Feel free to ask me more information if you wish,

Thank you for your help,

Florent

lfroment-datasweet · March 14, 2018, 12:58pm

Hi Florent,

that should be possible in several ways, depending on how your data is stored in ES. Are your 3 results stored in the same field?

result: "authentication failure" => count:3
result: "Authentication FailureS" => count:5
result: "authentication failed" => count:1

As I suspect, you are french speaking, maybe we can arrange a private chat so that I can clearly understand what can be done.

Florent_Fauvin · March 14, 2018, 3:46pm

"As I suspect, you are french speaking"

Oh shame ! Yes I am !!!

"Are your 3 results stored in the same field?"

No. There is one result tag for one syslog log.

"maybe we can arrange a private chat so that I can clearly understand what can be done."

Yes Ok. How can we do that?

Florent !

Florent_Fauvin · March 14, 2018, 4:28pm

I bring details below:

I have different servers which have different error messages for SSH syslog logs.
When I parse there logs and fill a "result" field, I get different messages for the "result" field :

result: "Failed password"
result: "authentication error"
result: "authentication failure"
result: "authentication failures"
etc.

My goal is to display a line chart "SSH errors".
=> So, I would like to sum the counts of these different error results in a common count.

Is it possible ??

Florent !

Florent_Fauvin · March 20, 2018, 5:27pm

SOLUTION :

Mon erreur était de sélectionner dans X-Axis : Aggregation/Terms:result

La solution est donc de faire une recherche sur les terms de result que l'on veut aggréger, puis de visualiser sur X-Axis : Aggregation/date Histogram:@timestamp

Merci à lfroment-datasweet - Lionel Froment !!

system · April 17, 2018, 5:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.