Regarding count lookup of newly defined fields with log stash

I am collecting SNMP through logstash and creating a new field forti_fw_sessioncount through mutate-rename function.

Looking at the log, 791 cases of forti_fw_sessioncount came in, but only 29 cases were shown when I checked with 'visualize' in the same time period. How do I make 791 cases appear normally?

11682×887 106 KB

21073×325 6.52 KB

Are you sure the timeframe for the visualisation is correct?

yes that is correct Strangely, when I look at 'visualize', only values ​​between 28 and 30 keep appearing. Why is this like this?

As the search time increases, the number of cases seems to increase accordingly. It seems that the number of 'forti_fw_sessioncount' is not displayed, but the number of snmps.

I think you are looking at two different things.

The left side of your screenshot shows a document where the field fort_fw_sessioncount has the value of 791.

In the right side you have a visualization that is a Unique count of the values that the field fort_fw_sessioncount have, this means that in your index, the field fort_fw_sessioncount has 29 different values in the documents where the host is 10.0.0.1, one of them is the example you shared where it has the value of 791.

For example, if you have only five documents for the host 10.0.0.1 with the following values for fort_fw_sessioncount:

{ "_id": "1", "fort_fw_sessioncount": "791", "host": "10.0.0.1" }
{ "_id": "2", "fort_fw_sessioncount": "791", "host": "10.0.0.1" }
{ "_id": "3", "fort_fw_sessioncount": "792", "host": "10.0.0.1" }
{ "_id": "4", "fort_fw_sessioncount": "792", "host": "10.0.0.1" }
{ "_id": "5", "fort_fw_sessioncount": "792", "host": "10.0.0.1" }

Your visualization with Unique count for the field fort_fw_sessioncount will show only 2, because you would have only 2 different, 791 and 792.

What you expect to see in the visualization?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.