Log Query: Parse and Count by Parsed Field

createchange · March 13, 2022, 5:09am

Hello,

Pretty basic question here - just poking at Grafana for the first time after having heard much about it.

I configured a collector on VM, and have some logs. I am looking at fail2ban logs, and wondering how I can count by ip address. I wrote a basic parser, but can’t seem to figure out how I can pass the parsed ip address to the count_over_time function:

count_over_time({filename="/var/log/fail2ban.log"} | pattern "<date> <time> <thing> [<notsurenumber>]: <log_level> <service> Found <ip_address> <_>") by ip_address

This fails on account of a syntax error:

Query error
parse error at line 1, col 149: syntax error: unexpected )

I suppose I could just use the ad-hoc statistics, but that’s not going to work if I wanted to dashboard off of the query.

This is a sample log entry: 2022-03-11 16:29:44,702 fail2ban.filter [750]: INFO [sshd] Found 92.255.85.237 - 2022-03-11 16:29:44

Any advice is appreciated.

dannykopping · March 14, 2022, 6:20am

Hey @createchange - thanks for the question.

I believe you have a syntax error here; count_over_time() by (<labels>) is the correct syntax for this metric query (note the brackets around the labels).

createchange · March 14, 2022, 11:10am

I appreciate the response. Unfortunately, I am left with the same error message when trying your suggestion:

dannykopping · March 14, 2022, 11:48am

It seems you’re also missing a log range:

It should be count_over_time({...}[5m]) for example, if you wanted to count over a 5m range

system · March 14, 2023, 11:49am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.