Discrepancy in display counts on Sources view #6502
Labels
Comments
|
Hi! So, starting in 3.1 Graylog is tracking the ingest time as well, for use with alerting. |
|
in relation, I have built a "better sources dashboard" that I've been using since 3.x. It would be a nice/simple fix to allow the Source page to be editable like a regular dashboard. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have noticed when ingesting backlog(older timestamped data) that the "Messages per minute" line graph and "sources" data do not line up.
The Messages per minute appear to be correct for the ingest rate, but the sources breakdown below it only show messages for each type from within the time window via timestamp. This means in the last hour if you've ingested logs from 2 days ago, the data is not represented as "sources within the last hour".
I would prefer the log sources overview to use relative time to current, not relative time to the log sources for determining sources, if that makes sense.
Expected Behavior
Ingesting logs with a timestamp of 2 days ago within the recent hour should be represented in the sources count for the relative "1 hour" window.
Current Behavior
The sources display only shows sources which have a message timestamp within the last hour. This means anything older than the relative time window is not displayed- even though it was actually ingested during the past hour.
Possible Solution
Use indexed time or another method to query sources in the last hour rather than message timestamp field.
Steps to Reproduce (for bugs)
Your Environment
The text was updated successfully, but these errors were encountered: