When you go to look at stuff in My Content or Shared Content in the Content Packs view of Log Insight, you can't delete any content you don't want from there. You have to first open up the dashboard, query, extracted field, etc. in either the Dashboards or Interactive Analytics view. This feels like an unnecessary step. You should probably be allowed to delete things directly from the Content Packs view.
Currently there are only a few time ranges possible: 5 minutes, 1h, 1d, 2d and custom. With custom it is only possible to define a fixed range. It would be nice to have a greater range of options. I love how Graylog is managing that. You can, for instance, define "Since Midnight" and then get all messages... well, you guessed it... since midnight. Or "Last Week", "Today", "Last Month"... you get it. For starting it would be ...
Please see the attached screendump. The trend chart is showing a downward trend. When I hover the mouse over the icon it shows that there is no difference between the past and present trend / the trend is so small that there is little to no difference in the trend.
This is misleading in the sense that the trend is almost non-existent.
Query lists can get quite large, with dozens or hundreds of items inside. Allow the user to sort the query list by result. E.g. if a query returns "Has Results", show it on top. This makes it easier to focus on the relevant results. In addition, the title bar of a query list shall display the number of queries. Once the user has executed them (green play button), also display the number of queries with "Has Results". ...
When using the API to perform a query, we are unable to use extracted fields as constraints when defining the query.
NOTE: Although the query returns extracted fields, it does not accept extracted fields.
How can I log the logins from the administrator and other users on the LogInsight user interface and dashboards?
I want to be able to make more advanced (PIQL?) queries to LI. For example:
1. Apply functions (i.e. regex, arithmetic, logic, type conversion) on one or more existing fields, i.e.
   a. sum: fieldA + fieldB
   b. fieldA OR fieldB
   c. REGEX(fieldA, pattern)
   d. CAST('10.2' AS DECIMAL)
   e. CAST(SUBSTRING(fieldA, 0,10) AS DATETIME)
2. Create custom fields:
   a. DATE() AS today
   b. expressionA - expressionB
...
It would be great if we could use the same filters as in "Interactive Analytics" for "New Data Set". At the moment there are just a few fields available. For example, we would like to create a data set for some users so that they can only see events where the "text" field matches a regex query or certain words, or e.g. the "event_type" field is a certain type. Custom extracted fields are also not available for data set filters. ...
We would like to add some conditions on the query. Today we have our monitoring, which is working with codes from "200" to "399". So our probes are switching codes all the time, sometimes with very little time between changes. The aim of this feature request is to provide a way to display events according to some conditions like: - if my field A contains "200" - if in the following 30 minutes field A switches ...
We would like to be able to enrich log records with info from external sources (add custom tags for incoming/existing logs based on a query to an external service), like vROPS does.
a. Query a GeoIP web service for an IP's location
b. Query a CMDB via HTTP/LDAP for additional information (e.g. customer name, related services, server role, environment, ...)
Today, when performing a query that takes a long time, we display a progress bar and a pause button where the log messages are displayed. If a query takes longer than several seconds to complete, the vRLI UI should offer tips while the query is completing. For example: "Your date filters include X days and Y events, you may want to consider reducing the length of time..." "Your filters do not include a hostname, you ...