I’m sorry if I’m not in the right sub-group here.
Here’s the graph with the issue:
I have a second line across the bottom I can’t figure out how to get rid of…
Here’s a summary: I’m using Loki to pull the Docker logs from my mailcow containers, and this particular chart is intended to show how often we’re getting hit with virus-laden emails. The logs show “VIRUS_FOUND(2000.00)” whenever rspamd adds that factor to the mail’s score. Here’s an example line. I think I’ve obscured everything identifying:
2024-12-03 08:53:26 #38(normal) <d5fc31>; task; rspamd_task_write_log: id: <XMCSC-UHODIXAUSOZJ-XMCBLSC@somedomain.com>, qid: <740729CA7E>, ip: 99.99.99.99, (default: T (reject): [2049.35/15.00] [VIRUS_FOUND(2000.00){},HFILTER_HOSTNAME_UNKNOWN(8.50){},R_DKIM_REJECT(8.00){somedomain.com:s=scph0517;},DBL_SPAM(7.00){wifizone.org:url;},IP_REPUTATION_SPAM(5.63){asn: 136052(0.40), country: ID(0.01), ip: 99.99.99.99(1.00);},BAYES_SPAM(4.46){99.91%;},LOCAL_FUZZY_DENIED(3.91){11:ad35d53c33:0.96:txt;},RBL_SENDERSCORE(2.00){99.99.99.99:from;},RBL_VIRUSFREE_BOTNET(2.00){99.99.99.99:from;},FROM_EXCESS_BASE64(1.50){},INVALID_DATE(1.50){},R_BAD_CTE_7BIT(1.05){quoted-printable;utf8;},HFILTER_HELO_IP_A(1.00){somedomain.com;},URI_COUNT_ODD(1.00){3;},R_PARTS_DIFFER(0.72){86.3%;},MV_CASE(0.50){},HFILTER_HELO_NORES_A_OR_MX(0.30){somedomain.com;},DMARC_POLICY_SOFTFAIL(0.10){somedomain.com : No valid SPF;none;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ONCE_RECEIVED(0.10){},RCVD_NO_TLS_LAST(0.10){},MANY_INVISIBLE_PARTS(0.05){1;},ARC_NA(0.00){},ARC_SIGNED(0.00){example.com:s=dkim:i=1;},ASN(0.00){asn:136052, ipnet:99.99.99.99/24, country:ID;},BCC(0.00){},DKIM_TRACE(0.00){somedomain.com:-;},FORWARDED(0.00){virussender@gmail.com;},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},MISSING_XM_UA(0.00){},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){example.com;},RCVD_COUNT_ONE(0.00){1;},R_SPF_NA(0.00){no SPF record;},SUBJECT_ENDS_EXCLAIM(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 10077, time: 810.472ms, dns req: 48, digest: <8e84836ffbf05bdb090ec605aaab5191>, rcpts: <mrtest@example.com>, mime_rcpts: <mrtest@example.com>
Here is the query data:
{
"request": {
"url": "api/ds/query?ds_type=loki&requestId=SQR192_1",
"method": "POST",
"data": {
"queries": [
{
"datasource": {
"type": "loki",
"uid": "ce3orivya1hc0c"
},
"editorMode": "builder",
"expr": "count_over_time({container=\"mailcowdockerized-rspamd-mailcow-1\", network=\"mailcowdockerized_mailcow-network\"} |= `VIRUS_FOUND(2000.00)` | __error__=`` [$__auto])",
"key": "Q-ad8e83b9-7958-43f8-865e-de1a1c2bac1b-0",
"queryType": "range",
"refId": "A",
"step": "12h",
"legendFormat": "",
"datasourceId": 2,
"intervalMs": 900000,
"maxDataPoints": 618
}
],
"from": "1732622400000",
"to": "1732665600000"
},
"hideFromInspector": false
},
"response": {
"results": {
"A": {
"status": 200,
"frames": [
{
"schema": {
"refId": "A",
"meta": {
"type": "timeseries-multi",
"typeVersion": [
0,
1
],
"stats": [
{
"displayName": "Summary: bytes processed per second",
"unit": "Bps",
"value": 174234648
},
{
"displayName": "Summary: lines processed per second",
"value": 637783
},
{
"displayName": "Summary: total bytes processed",
"unit": "decbytes",
"value": 767658
},
{
"displayName": "Summary: total lines processed",
"value": 2810
},
{
"displayName": "Summary: exec time",
"unit": "s",
"value": 0.004405886
},
{
"displayName": "Ingester: total reached",
"value": 0
},
{
"displayName": "Ingester: total chunks matched",
"value": 0
},
{
"displayName": "Ingester: total batches",
"value": 0
},
{
"displayName": "Ingester: total lines sent",
"value": 0
},
{
"displayName": "Ingester: head chunk bytes",
"unit": "decbytes",
"value": 0
},
{
"displayName": "Ingester: head chunk lines",
"value": 0
},
{
"displayName": "Ingester: decompressed bytes",
"unit": "decbytes",
"value": 0
},
{
"displayName": "Ingester: decompressed lines",
"value": 0
},
{
"displayName": "Ingester: compressed bytes",
"unit": "decbytes",
"value": 0
},
{
"displayName": "Ingester: total duplicates",
"value": 0
}
],
"executedQueryString": "Expr: count_over_time({container=\"mailcowdockerized-rspamd-mailcow-1\", network=\"mailcowdockerized_mailcow-network\"} |= `VIRUS_FOUND(2000.00)` | __error__=`` [12h])\nStep: 12h0m0s"
},
"fields": [
{
"name": "Time",
"type": "time",
"typeInfo": {
"frame": "time.Time"
},
"config": {
"interval": 43200000
}
},
{
"name": "Value",
"type": "number",
"typeInfo": {
"frame": "float64"
},
"labels": {
"container": "mailcowdockerized-rspamd-mailcow-1",
"logstream": "stderr",
"network": "mailcowdockerized_mailcow-network",
"service_name": "mailcowdockerized-rspamd-mailcow-1"
},
"config": {
"displayNameFromDS": "{container=\"mailcowdockerized-rspamd-mailcow-1\", logstream=\"stderr\", network=\"mailcowdockerized_mailcow-network\", service_name=\"mailcowdockerized-rspamd-mailcow-1\"}"
}
}
]
},
"data": {
"values": [
[
1732665600000
],
[
2
]
]
}
}
],
"refId": "A"
}
}
}
}
…and the Panel JSON:
{
"id": 6,
"type": "timeseries",
"title": "Viruses Received",
"gridPos": {
"x": 8,
"y": 8,
"h": 8,
"w": 8
},
"fieldConfig": {
"defaults": {
"custom": {
"drawStyle": "line",
"lineInterpolation": "smooth",
"barAlignment": 0,
"barWidthFactor": 0.6,
"lineWidth": 1,
"fillOpacity": 0,
"gradientMode": "scheme",
"spanNulls": false,
"insertNulls": false,
"showPoints": "auto",
"pointSize": 5,
"stacking": {
"mode": "none",
"group": "A"
},
"axisPlacement": "auto",
"axisLabel": "",
"axisColorMode": "text",
"axisBorderShow": false,
"scaleDistribution": {
"type": "linear"
},
"axisCenteredZero": false,
"hideFrom": {
"tooltip": false,
"viz": false,
"legend": false
},
"thresholdsStyle": {
"mode": "dashed"
}
},
"color": {
"mode": "continuous-GrYlRd",
"seriesBy": "last"
},
"mappings": [],
"thresholds": {
"mode": "percentage",
"steps": [
{
"color": "green",
"value": null
},
{
"value": 30,
"color": "#EAB839"
},
{
"value": 80,
"color": "red"
}
]
},
"decimals": 0,
"fieldMinMax": false,
"min": 0,
"unit": "Viruses",
"noValue": "0"
},
"overrides": []
},
"transparent": true,
"pluginVersion": "11.3.0",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "ce3orivya1hc0c"
},
"editorMode": "builder",
"expr": "count_over_time({container=\"mailcowdockerized-rspamd-mailcow-1\", network=\"mailcowdockerized_mailcow-network\"} |= `VIRUS_FOUND(2000.00)` | __error__=`` [$__auto])",
"key": "Q-ad8e83b9-7958-43f8-865e-de1a1c2bac1b-0",
"queryType": "range",
"refId": "A",
"step": "12h"
}
],
"datasource": {
"type": "loki",
"uid": "ce3orivya1hc0c"
},
"options": {
"tooltip": {
"mode": "single",
"sort": "none"
},
"legend": {
"showLegend": false,
"displayMode": "list",
"placement": "bottom",
"calcs": []
},
"timezone": [
"browser"
]
}
}
I hope I’ve provided enough for someone to point out my error… I’ve been jabbing it with a stick for over an hour.