Alert based on the rate of a certain status

Graylog 4.2.3 on Linux 5.4.0-1065-azure

I receive messages and extract the status information from them (OK/NOTOK).

I would like to create an alert if the N-OK rate exceeds a certain value. But I can’t find a way to do it.

Is it even possible?

Appreciate your help.

Hello && Welcome @b_amm

Have you tried the Event Definition? If so, what type of configuration did you make?
You could use the Aggregation section, “Group By” N-OK, and configure count greater than (count() > 0).

Hi and Thank you.

Yes, I've reached this point. But my problem is that I want not the absolute value of N-OK messages but the rate of such messages in the last 24 hours.

Or… the quantity considering the last n messages.

Appreciate your help.

Hello,

I'm assuming you want this done as an email notification?
If so, only two solutions come to mind. Either create another Event Definition/Aggregation configured to search within the last 24 hours, execute the search every 24 hours, and then add a count by Group by Fields. If you don't want backlog messages, uncheck that in the notification section; the notification template will have to be adjusted.


Or perhaps the Enterprise License.

EDIT:

The count configuration should be set so it triggers when the count exceeds a certain value. So basically, if I create a count greater than 10 with the settings I suggested above, when the number of messages in that stream exceeds 10 it will send an alert. There are other options for fields that match a string, etc. You may need to fine-tune it a little.
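The thread asks for a NOTOK rate rather than the absolute count that the suggested Event Definition evaluates. As an added example, not code from the thread or from Graylog, here is a small Python script that computes both definitions the original poster mentioned (the share of NOTOK among messages in a trailing 24-hour window, and the share among the last n messages) next to the plain NOTOK count a count() aggregation would produce, and decides whether either rate exceeds a threshold. The log lines and the `status=OK`/`status=NOTOK` field are constructed for illustration; in practice the messages would come from a Graylog search over the stream.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample messages (not data from the thread) in a "timestamp source message"
# layout similar to what a Graylog search returns; the status is extracted from the text.
SAMPLE_LOG = """\
2022-01-01T06:00:00.000Z app01 job finished status=OK
2022-01-01T08:00:00.000Z app01 job finished status=NOTOK
2022-01-01T14:00:00.000Z app01 job finished status=OK
2022-01-01T16:00:00.000Z app01 job finished status=NOTOK
2022-01-01T20:00:00.000Z app01 job finished status=OK
2022-01-02T00:00:00.000Z app01 job finished status=OK
2022-01-02T04:00:00.000Z app01 job finished status=NOTOK
2022-01-02T08:00:00.000Z app01 job finished status=OK
2022-01-02T10:00:00.000Z app01 job finished status=NOTOK
2022-01-02T11:00:00.000Z app01 job finished status=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<msg>.*)$")
STATUS_RE = re.compile(r"\bstatus=(?P<status>OK|NOTOK)\b")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    status: str  # "OK" or "NOTOK"


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2022-01-02T12:00:00.000Z."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[Event]:
    """Extract (timestamp, status) from each line; lines without a status are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = STATUS_RE.search(m.group("msg"))
        if not s:
            continue
        events.append(Event(parse_ts(m.group("ts")), s.group("status")))
    return sorted(events, key=lambda e: e.timestamp)


def notok_rate(events: List[Event]) -> float:
    """Share of NOTOK events; 0.0 for an empty list so the check never divides by zero."""
    if not events:
        return 0.0
    return sum(1 for e in events if e.status == "NOTOK") / len(events)


def evaluate(text: str, now_iso: str, window_hours: int = 24,
             last_n: int = 10, threshold: float = 0.25) -> Dict[str, object]:
    """Compute the NOTOK rate two ways and decide whether either exceeds the threshold.

    window_*: events in (now - window_hours, now], the trailing-window definition.
    last_n_*: the most recent last_n events regardless of their age.
    window_notok is the absolute count a count() aggregation would evaluate.
    """
    events = parse_events(text)
    now = parse_ts(now_iso)
    window = timedelta(hours=window_hours)
    in_window = [e for e in events if now - window < e.timestamp <= now]
    recent = events[-last_n:] if last_n > 0 else []
    window_rate = notok_rate(in_window)
    last_n_rate = notok_rate(recent)
    return {
        "window_total": len(in_window),
        "window_notok": sum(1 for e in in_window if e.status == "NOTOK"),
        "window_rate": window_rate,
        "last_n_rate": last_n_rate,
        "alert_window": window_rate > threshold,
        "alert_last_n": last_n_rate > threshold,
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG, "2022-01-02T12:00:00.000Z",
                      window_hours=24, last_n=5, threshold=0.25)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed data, the trailing 24-hour window holds 8 messages of which 3 are NOTOK (rate 0.375), while the last 5 messages give a rate of 0.4; a count threshold of 10 as in the reply above would not fire at all, which is the difference between an absolute count and a rate.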
