Hi,
We have Graylog entries with the fields Timestamp, IP, Server, Message (the names are just an example, to describe the issue).
What we want is to get an Alert (email) when the field Server is missing.
So, first we created a Stream to get only specific type of entries.
Then we created an Event, using a Search Query on that Stream to find the entries missing that field, checking the last 1 min every 1 min. There are results in the “Filter Preview” frame.
Next we set it to “Aggregation of results reaches a threshold”, added Group By the IP field, and entered Count() >= 1, meaning to “fire” when at least 1 entry exists.
On the Fields tab we added IP, named the field ServerIP, set “Use Field as Event Key” = 1, “Set Value From” = Template, and in the Template field entered ${source.IP}.
We tested with “Require all template values to be set” both selected and not selected. We also tested with and without this field.
In Notification we also made 2 tests, with and without one.
After all was done we completed setting it up and saved the Event.
On all tests we see in the Event info that “Status” = runnable and only “Next execution”, which does not change and is the time we saved the Event.
No alert seems to be firing on any of the tests.
We have no idea why and would appreciate assistance.
Note that we have other similar Events (different searches and fields, but same setup) that work fine, and we see the “Last execution” and “Next timerange” info on those Events.
Let me know if you need additional info.
Thanks
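To make the intended alert logic concrete, here is an added illustration (not Graylog's code and not the poster's configuration) that emulates what the event definition above is meant to do: select entries where the Server field is missing (the equivalent of the query NOT _exists_:Server), group them by IP, fire when count() >= 1, and fill the ServerIP event field from the template ${source.IP}. The sample entries, the simplified template renderer and the modelling of the “Require all template values to be set” option as “drop the field value when a referenced source field is unset” are assumptions made for this example. Running it against real data is a useful sanity check of what the event should produce before debugging why the scheduler never executes it.

```python
import re
from collections import defaultdict

# Constructed sample messages standing in for Graylog entries (not real log data).
SAMPLE_ENTRIES = [
    {"Timestamp": "2024-01-01T10:00:01Z", "IP": "10.0.0.5", "Server": "web01", "Message": "ok"},
    {"Timestamp": "2024-01-01T10:00:02Z", "IP": "10.0.0.7", "Message": "Server field absent"},
    {"Timestamp": "2024-01-01T10:00:03Z", "IP": "10.0.0.7", "Message": "Server field absent again"},
    {"Timestamp": "2024-01-01T10:00:04Z", "IP": "10.0.0.9", "Server": None, "Message": "Server is null"},
    {"Timestamp": "2024-01-01T10:00:05Z", "Message": "no IP and no Server"},
]

# Matches ${source.<field>} placeholders as used in the event's Template field.
TEMPLATE_RE = re.compile(r"\$\{source\.(\w+)\}")


def matches_missing_field(entry, field):
    """Equivalent of the query NOT _exists_:<field>: the field is absent or has no value."""
    return entry.get(field) is None


def render_template(template, source, require_all=True):
    """Substitute ${source.<field>} placeholders from a source message dict.

    Returns None when require_all is set and a referenced field is unset
    (assumed model of the 'Require all template values to be set' option).
    """
    missing = []

    def substitute(match):
        value = source.get(match.group(1))
        if value is None:
            missing.append(match.group(1))
            return ""
        return str(value)

    rendered = TEMPLATE_RE.sub(substitute, template)
    if missing and require_all:
        return None
    return rendered


def evaluate_event(entries, missing_field="Server", group_by="IP", threshold=1,
                   event_field="ServerIP", template="${source.IP}", require_all=True):
    """Emulate the aggregation condition: count entries lacking `missing_field`
    per `group_by` value and emit one event per group whose count reaches the threshold.

    Each emitted event carries the group key, the hit count and the rendered custom field.
    """
    groups = defaultdict(list)
    for entry in entries:
        if matches_missing_field(entry, missing_field):
            groups[entry.get(group_by)].append(entry)

    events = []
    for key, hits in sorted(groups.items(), key=lambda kv: str(kv[0])):
        if len(hits) >= threshold:
            # The template is rendered from the first matching message of the group.
            fields = {event_field: render_template(template, hits[0], require_all)}
            events.append({"key": key, "count": len(hits), "fields": fields})
    return events


if __name__ == "__main__":
    for event in evaluate_event(SAMPLE_ENTRIES):
        print(event)
```

With the constructed sample, the entries from 10.0.0.7 (two hits) and 10.0.0.9 (a null Server value) each produce an event, and the entry with neither IP nor Server produces an event whose ServerIP is unset when all template values are required; raising the threshold to 2 leaves only the 10.0.0.7 group.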