I am using Graylog for syslog monitoring.
I have a situation where I need to configure an alert for, say, Event-A, where I should alert (through email) only on the FIRST syslog message from source-A and ignore the rest of the messages from source-A for Event-A until I see a discontinuity (no messages for 1 minute). For this Event-A, I will get only 2 messages per 1 min. It is also acceptable to have 2 emails for the initial 2 messages.
I have tried alert aggregation by source with the threshold <=2, searching the last 2 mins and executing the search every 1 min. But it gives a false alarm if there is only 1 event or at the end of the log trail.
Please help me to find a solution for this. Thanks
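The behaviour asked for above (alert on the first message per source, stay quiet while messages keep arriving, re-arm once there has been no message for a full minute) is a small stateful dedup rule rather than a count threshold over a sliding window. The following is an added example, not the poster's Graylog configuration and not Graylog code: it models that rule in plain Python over constructed sample events so the two edge cases mentioned in the question (a lone event, and the end of the log trail) can be checked by hand. The class and function names, the 1-minute quiet period, and the sample timestamps are all assumptions made for the illustration.

```python
"""Alert on the first message per (source, event); suppress until 1 minute of silence.

Added example for illustration only. It is not the poster's configuration and
not part of Graylog; it models the desired alert semantics generically so the
edge cases (single event, end of log trail) can be checked offline.
"""
from datetime import datetime, timedelta

QUIET_PERIOD = timedelta(minutes=1)  # silence required before the next alert (assumption)

# Constructed sample events in arrival order: (timestamp, source, event).
# source-A sends a burst every 30 s, then goes quiet for 90 s, then sends again.
# source-B sends a single lone message and nothing else (the "only 1 event" case).
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 0), "source-A", "Event-A"),
    (datetime(2024, 1, 1, 10, 0, 10), "source-B", "Event-A"),   # lone event
    (datetime(2024, 1, 1, 10, 0, 30), "source-A", "Event-A"),
    (datetime(2024, 1, 1, 10, 1, 0), "source-A", "Event-A"),
    (datetime(2024, 1, 1, 10, 1, 30), "source-A", "Event-A"),   # last message of burst 1
    (datetime(2024, 1, 1, 10, 3, 0), "source-A", "Event-A"),    # 90 s gap -> new burst
]


class FirstEventAlerter:
    """Per (source, event) key, remember when the last message was seen.

    A message produces an alert when nothing has been seen for its key yet, or
    when the previous message is at least `quiet_period` old.  Every message,
    alerting or not, refreshes the last-seen time, so suppression continues as
    long as messages keep arriving and is only lifted by a real discontinuity.
    Because the decision is made per message on arrival, a single lone message
    alerts exactly once and the end of the log trail needs no special handling:
    no further messages simply means no further alerts.
    """

    def __init__(self, quiet_period=QUIET_PERIOD):
        self.quiet_period = quiet_period
        self.last_seen = {}  # (source, event) -> datetime of the last message

    def should_alert(self, ts, source, event):
        key = (source, event)
        prev = self.last_seen.get(key)
        self.last_seen[key] = ts
        return prev is None or ts - prev >= self.quiet_period


def run(events, quiet_period=QUIET_PERIOD):
    """Replay events in timestamp order and return those that would send an email."""
    alerter = FirstEventAlerter(quiet_period)
    return [e for e in sorted(events, key=lambda e: e[0]) if alerter.should_alert(*e)]


if __name__ == "__main__":
    for ts, source, event in run(SAMPLE_EVENTS):
        print(f"ALERT {ts:%H:%M:%S} {source} {event}")
```

Replaying the constructed events yields three alerts: the first source-A message at 10:00:00, the lone source-B message at 10:00:10, and the source-A message at 10:03:00 that follows the 90-second gap; the 30-second-spaced messages in between are suppressed. The same replay with a 30-second quiet period would alert on every source-A message, which is a quick way to confirm that the gap comparison, not a message count, is what drives the decision.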