Histogram issues with number fields

[RichH]

I am parsing syslog data from an ASA to monitor VPN.
I've updated the plugin from https://exchange.nagios.org/directory/A ... ng/details to match my filtering.
I've got most of it working but I can't get histograms of transmit / receive to work.
At first I was getting a casting exception that was giving me a full error of the two types, unfortunately I didn't save that.
I tried mutating and that didn't work, tried mutating to a new field and got the same.

So then I tried adding an elasticsearch script to the dashboard xml, which got rid of the casting error but left me with:
FacetPhaseExecutionException[Facet[0]: [interval] is required to be set for histogram facet
The query that generated that error is attached.

query-hist-bxmt.txt

After that I tried modifying my grok pattern to be set for type int. Now I'm seeing ClassCastException with no additional detail.
Also attached is the current dashboard json.

VPN_Sessions_v4.txt

This is for a POV so any help is greatly appreciated.

[RichH]

So I was able to fix this via mutate/convert, not sure why it didn't work the first time.

New question though.
Is there a way to use field values to create a query dynamically in the dashboard json?
IE. The current graph shows bytes xmt per interval using @timestamp and value field bxmt, but the queries match VPN disconnect types. These types are all known and useful for the other portions of the dashboard.
What I'd like to do is use the same bytes xmt graph but on a queries that would match each user, thereby creating a stacked graph of each users xmt over time.
The problem is I don't know to generate the query to search for each username found over the time span without adding them manually.

[cdienger]

Hi RichH,

Are you able to share screenshot and some sample data that we can import and test with? I don't know if this is doable off hand but I can certain look into it if we can get some sample data.

[RichH]

Here's a capture of the dashboard

dashboard-2017-08-17_20-17-27.jpg

Another thing I'd like to do is send the dashboard as an email, like in XI.
But it's not possible from log server as far as I know. Would it be possible in fusion? Not familiar with that product.

I've been told I could use a custom wrapper in XI to replicate the dashboard but it could be time consuming to get right, haven't looked into it yet.

Let me know if I can upload anything else that would be helpful.

Thanks!

[cdienger]

Sorry - should have been more clear when asking about sample data. Can you PM me the actual logs? I want to make sure I'm testing this as closely as possible

[cdienger]

For people who may have the same question, you can use topN in the query: