Given my reading of the graylog alerting documentation, it seems like graylog can only reason about the “state” of an alert condition as a whole, is that right?
i.e. for this field content condition
{
  "field": "Severity",
  "value": "Critical"
}
it would trigger one time and remain triggered as long as there is any unresolved alert about a critical message from any host. Is this correct?
Is there a way to write the alert such that the source or other fields are considered, without having to come up with every possible combination of sources and conditions?
i.e. given these events:
{
  "source": "box1",
  "severity": "critical",
  "reason": "BGP neighbor x.x.x.x down"
}
{
  "source": "box2",
  "severity": "critical",
  "reason": "BGP neighbor x.x.x.x down"
}
{
  "source": "box1",
  "severity": "critical",
  "reason": "BGP neighbor y.y.y.y down"
}
{
  "source": "box2",
  "severity": "critical",
  "reason": "BGP neighbor x.x.x.x down"
}
{
  "source": "box2",
  "severity": "critical",
  "reason": "High input temp: 140 F"
}
We need 4 alerts. The fact that we received and started processing an alert for Box1’s BGP neighbor x.x.x.x doesn’t mean we can ignore Box1’s BGP neighbor y.y.y.y or Box2’s temperature alarms. But I also can’t go around creating n*m alert conditions for every combination of alarm condition and alarm source.
What are my options here?
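As an added illustration of the two alerting semantics the question contrasts (not Graylog code and not from the original post), the following Python models a whole-condition state, which fires once for the five constructed events above, against a per-key state keyed on (source, reason), which yields the four distinct alerts the poster expects; the event list and both functions are constructed for this example.

```python
from collections import OrderedDict

# Constructed sample events mirroring the post; event 2 and event 4 are identical.
EVENTS = [
    {"source": "box1", "severity": "critical", "reason": "BGP neighbor x.x.x.x down"},
    {"source": "box2", "severity": "critical", "reason": "BGP neighbor x.x.x.x down"},
    {"source": "box1", "severity": "critical", "reason": "BGP neighbor y.y.y.y down"},
    {"source": "box2", "severity": "critical", "reason": "BGP neighbor x.x.x.x down"},
    {"source": "box2", "severity": "critical", "reason": "High input temp: 140 F"},
]


def condition_state_alerts(events, field="severity", value="critical"):
    """Whole-condition semantics (hypothetical model): the condition as a whole is
    either triggered or not, so later matching events while it is triggered add
    nothing. Returns the list of alerts raised."""
    triggered = False
    raised = []
    for ev in events:
        if ev.get(field) == value and not triggered:
            triggered = True
            raised.append({field: value})
    return raised


def per_key_alerts(events, key_fields=("source", "reason"),
                   field="severity", value="critical"):
    """Per-key semantics (hypothetical model): one open alert per distinct
    combination of key_fields among matching events, deduplicated so a repeated
    event does not raise a second alert for the same key."""
    open_alerts = OrderedDict()
    for ev in events:
        if ev.get(field) != value:
            continue
        key = tuple(ev.get(f) for f in key_fields)
        if key not in open_alerts:
            open_alerts[key] = ev
    return list(open_alerts.values())


if __name__ == "__main__":
    print("whole-condition alerts:", len(condition_state_alerts(EVENTS)))  # 1
    for a in per_key_alerts(EVENTS):  # 4 lines, one per (source, reason)
        print("per-key alert:", a["source"], "-", a["reason"])
```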