I want to generate an alert if graylog receives no logs from certain sources for a given period of time.
I swear I had this working in Graylog 3.1.3 by defining an event:
- with the appropriate filter
- no Group By
- Search within the last 5 min
- Execute search every 5 min
- the following aggregations for 2 different use cases (at the time it was first set up, I didn’t have a container_name for the 2nd case):
- count(container_name) = 0
- count(message) = 0
After upgrading to 3.2.2, the event is always raised, even if there are logs coming in.
I also tried using count() = 0, but that didn’t help.
What am I doing wrong here? Am I misinterpreting what count() does?
The only other thing I changed recently was to add replicas to my ElasticSearch config. I also recently noticed a lot of Graylog “Fielddata is disabled on text fields by default” logs, but I’m not sure when that started happening. By changing the above count(message) to count(container_name), those logs stopped.
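An added illustration of the "no logs from a source" check itself, independent of Graylog and not code from the original post or from the Graylog project. The design point it makes: an aggregation over the messages that actually arrived can only count sources that sent something, so a source that went silent contributes no row at all, and the list of sources that are supposed to be reporting has to come from outside the search. The script below assumes a constructed plain-text log format (ISO-8601 timestamp, then `container_name=<name>`, then the message), a hypothetical expected-source set, and a sliding window that mirrors the "search within the last 5 min, execute every 5 min" setup; all names and sample lines are made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for this example (not from the original post).
# Format assumed here: "<ISO-8601 timestamp> container_name=<name> <message>".
SAMPLE_LOGS = """\
2020-03-01T12:00:05+00:00 container_name=web GET /login 200
2020-03-01T12:01:10+00:00 container_name=api POST /token 201
2020-03-01T11:40:00+00:00 container_name=worker job finished
not a log line at all
2020-03-01T12:03:30+00:00 container_name=web GET /health 200
2020-03-01T12:04:00+00:00 container_name=api GET /users 200
""".splitlines()

# Hypothetical list of sources that must keep reporting. This list is the
# piece a pure search-side aggregation cannot supply on its own.
EXPECTED_SOURCES = {"web", "api", "worker"}


def parse_line(line):
    """Return (timestamp, container_name) for a well-formed line, else None."""
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[1].startswith("container_name="):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if ts.tzinfo is None:           # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts, parts[1].split("=", 1)[1]


def silent_sources(log_lines, expected_sources, now, window):
    """Return {source: last_seen} for every expected source with zero
    messages in the interval (now - window, now]. last_seen is the most
    recent timestamp seen for that source anywhere in the input, or None
    if it never appeared at all."""
    start = now - window
    counts = {s: 0 for s in expected_sources}
    last_seen = {s: None for s in expected_sources}
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines instead of aborting
        ts, src = parsed
        if src not in counts:
            continue                # unexpected source; out of scope here
        if last_seen[src] is None or ts > last_seen[src]:
            last_seen[src] = ts
        if start < ts <= now:       # count only messages inside the window
            counts[src] += 1
    return {s: last_seen[s] for s in sorted(expected_sources) if counts[s] == 0}


def run_check(log_lines, expected_sources, now_iso, window_minutes):
    """String-friendly wrapper: returns {source: last_seen_iso_or_None}."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    result = silent_sources(log_lines, expected_sources, now,
                            timedelta(minutes=window_minutes))
    return {s: (ts.isoformat() if ts else None) for s, ts in result.items()}


if __name__ == "__main__":
    # Evaluate the 5-minute window ending at 12:05 UTC over the sample lines.
    for src, seen in run_check(SAMPLE_LOGS, EXPECTED_SOURCES,
                               "2020-03-01T12:05:00+00:00", 5).items():
        print(f"ALERT: no logs from {src} in the last 5 min (last seen: {seen})")
```

Run against the sample lines with a 5-minute window ending at 12:05, only `worker` is reported (its last message is from 11:40); with a 30-minute window nothing is reported, and with an empty input every expected source is reported with no last-seen time. The "expected" set is the part to keep in configuration, not in the query.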