Aggregating errors and alerting

We recently set up a test graylog server and we’re trying it out and seeing what we can do with it.

One function, that today is handled by SEC (Simple Event Correlator), is looking for certain errors in logs and emailing them in batches to relevant developers. Our SEC rules batch up all matching log lines for 120 minutes before sending them out (a horrible design that usually results in the alert arriving after we’ve discovered the error by some other means and fixed it).

I’ve started creating an Event and enabled notification, but I’m not getting it to do what SEC does today.

The event looks for messages matching a criterion, looking at the last 1 minute and running every 1 minute. Then I want the notification to trigger every 1 minute and send all matched loglines to the relevant devs.

I think my problem is not having a correct key configured for the event. I’ve tried creating a key, app_errors_event with value like “2021-05-27 12:22” but I can’t get the template right to do it. I’ve tried variations of ${format_date(to_date(source.timestamp), “yyyy-MM-dd hh::mm”)} and ${source.timestamp;date(“yyyy-MM-dd hh::mm”)} without success.

Am I on the right track with creating a key to get the functionality I’m seeking? Any tips on defining the key?

I figured it out. Aggregates is the answer I was looking for

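To make the batching behaviour concrete, here is a small Python example added to this thread (it is not code from the poster or from Graylog) that does in plain Python what an aggregation event with a per-window key does on the server: scan log lines, keep the ones matching a criterion, group them by a truncated-timestamp key such as "2021-05-27 12:22", and render one notification per window carrying every matched line. The log lines, the syslog-like layout, the ERROR-level match criterion and the `app_errors_event` label are all constructed assumptions for the example; the window length defaults to 1 minute as in the post and can be widened to show how fewer, larger batches come out.

```python
"""Added example (not from the original post): how a per-minute event key
turns individual matching log lines into one batched notification per window.
The log lines, pattern and window format below are constructed assumptions."""
from collections import OrderedDict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a syslog-like layout (assumption).
SAMPLE_LOG = """\
2021-05-27T12:22:03Z app01 web[1234]: ERROR OrderService: NullPointerException at Checkout.java:88
2021-05-27T12:22:17Z app01 web[1234]: INFO  OrderService: order 4711 placed
2021-05-27T12:22:41Z app02 web[2231]: ERROR PaymentGateway: timeout after 30000 ms
2021-05-27T12:23:05Z app01 web[1234]: WARN  Cache: miss ratio above 0.8
2021-05-27T12:23:59Z app02 web[2231]: ERROR PaymentGateway: timeout after 30000 ms
2021-05-27T12:25:10Z app03 web[9981]: ERROR OrderService: invalid state for order 4712
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
# The match criterion is an assumption; the post only says "messages matching a criterion".
MATCH_LEVELS = {"ERROR"}


def parse_log_line(line):
    """Parse one line into a dict of fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def window_key(ts, minutes=1):
    """Truncate a timestamp to the start of its window and format it as the key.

    24-hour %H is used on purpose: a 12-hour hour field would give 00:22 and
    12:22 the same key and merge two windows twelve hours apart."""
    floored = ts.replace(second=0, microsecond=0)
    floored -= timedelta(minutes=floored.minute % minutes)
    return floored.strftime("%Y-%m-%d %H:%M")


def batch_matches(log_text, minutes=1):
    """Return an ordered mapping window_key -> list of matching raw lines."""
    batches = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_log_line(raw)
        if rec is None or rec["level"] not in MATCH_LEVELS:
            continue  # unparsable or not an error: not part of any batch
        batches.setdefault(window_key(rec["timestamp"], minutes), []).append(raw)
    return batches


def render_notification(key, lines):
    """One notification body per window, listing every matched line (the backlog)."""
    body = [f"app_errors_event {key}: {len(lines)} matching line(s)"]
    body.extend(f"  {line}" for line in lines)
    return "\n".join(body)


if __name__ == "__main__":
    for key, lines in batch_matches(SAMPLE_LOG).items():
        print(render_notification(key, lines))
        print()
```

Run as a script, the constructed log produces three batches (two ERROR lines at 12:22, one at 12:23, one at 12:25) instead of four separate alerts; with `minutes=5` it produces two. On the Graylog side the same effect comes from the aggregation settings the poster settled on (search within 1 minute, execute every 1 minute, a notification that carries the message backlog) rather than from a hand-built key, which is why the key templates in the question were not needed. One caveat on those templates, since the point applies to any Java-style date pattern: `hh` is the 12-hour clock hour and `HH` the 24-hour one, and `hh::mm` contains a doubled colon, so even a working key template would have merged windows twelve hours apart and emitted a literal `::`.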
