First of all, this new forum looks great! Good job!
I have long waited to see the renewed Alerts system in Graylog 2.2.0. I have done an upgrade to my test environment and I have been playing with the new alerts.
So my concern is that alert notifications still seem to be bound to streams? I wish they would be bound to alert conditions, so that would allow custom and specific email messages based on the alert condition.
For example (not a real-life scenario): There is a stream called Syslog. I'll create an alert condition "Alert when the message count is more than 100000 in the last 5 minutes" and bind this to the stream Syslog. Now, I'd like to send an email to "foo@baz.com" when this alert condition triggers. I'll create another alert condition "Alert when the message count is less than 50 in the last 5 minutes" and bind this to the stream Syslog too. And now, I'd like to send email to "bar@baz.com" when this alert condition triggers.
I think I cannot do this within a single stream? I'd need to create two streams with the same syslog messages. And then one alert condition would be bound to the first stream, and another alert condition would be bound to the second stream. This way I could have individual alert notifications, but I'd like to have them without multiple streams.
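The two-stream workaround described in the post above, scripted against the Graylog REST API. This is an added example, not code from the post or from the Graylog project: the endpoint paths, the `message_count` condition parameters, the email callback type and the stream rule format are assumptions drawn from the Graylog 2.x API and should be checked against your server's API browser before use. The plan is built as plain data so it can be inspected (or unit-tested) without a server, then applied with any `post(path, body)` function.

```python
"""Two streams with identical rules, each carrying exactly one alert condition and
one email receiver, so that each condition gets its own notification."""
import base64
import json
import urllib.request

# Assumed Graylog 2.x REST endpoints (verify against your server's API browser):
#   POST /streams                        -> {"stream_id": "..."}
#   POST /streams/{id}/rules
#   POST /streams/{id}/alerts/conditions
#   POST /streams/{id}/alarmcallbacks
#   POST /streams/{id}/resume
EMAIL_CALLBACK = "org.graylog2.alarmcallbacks.EmailAlarmCallback"  # assumed type name


def message_count_condition(title, threshold, threshold_type, minutes=5):
    """Body for a 'message count' condition: more/less than `threshold` in `minutes`."""
    return {
        "type": "message_count",
        "title": title,
        "parameters": {
            "time": minutes,
            "threshold": threshold,
            "threshold_type": threshold_type,  # "more" or "less"
            "grace": 0,
            "backlog": 5,
        },
    }


def email_callback(title, receivers):
    """Body for an email alarm callback sending to `receivers` (assumed field names)."""
    return {
        "type": EMAIL_CALLBACK,
        "title": title,
        "configuration": {
            "email_receivers": receivers,
            "user_receivers": [],
            "subject": "Graylog alert: ${stream.title}",
            "body": "Alert condition triggered on ${stream.title}",
            "sender": "graylog@example.com",  # placeholder sender
        },
    }


def plan_stream(title, index_set_id, rules, condition, callback):
    """Ordered (path, body) requests for one stream; '{sid}' is filled in at apply time."""
    steps = [("/streams", {"title": title, "description": title,
                           "index_set_id": index_set_id})]
    steps += [("/streams/{sid}/rules", rule) for rule in rules]
    steps.append(("/streams/{sid}/alerts/conditions", condition))
    steps.append(("/streams/{sid}/alarmcallbacks", callback))
    steps.append(("/streams/{sid}/resume", None))
    return steps


def plan_workaround(index_set_id, shared_rules):
    """Two streams that match the same messages, each with one condition and one receiver."""
    return [
        plan_stream("Syslog (high volume)", index_set_id, shared_rules,
                    message_count_condition("more than 100000 in 5 min", 100000, "more"),
                    email_callback("mail foo", ["foo@baz.com"])),
        plan_stream("Syslog (low volume)", index_set_id, shared_rules,
                    message_count_condition("fewer than 50 in 5 min", 50, "less"),
                    email_callback("mail bar", ["bar@baz.com"])),
    ]


def apply_plan(groups, post):
    """Run each stream's requests in order; `post(path, body)` returns decoded JSON or None.
    Returns the ids of the streams created."""
    stream_ids = []
    for group in groups:
        sid = None
        for path, body in group:
            resp = post(path.format(sid=sid), body)
            if path == "/streams":
                sid = resp["stream_id"]  # later steps in this group need the new id
        stream_ids.append(sid)
    return stream_ids


def make_poster(base_url, user, password):
    """Real HTTP poster using basic auth (Graylog also accepts an API token as the user)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def post(path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            base_url + path, data=data, method="POST",
            headers={"Authorization": "Basic " + token,
                     "Content-Type": "application/json",
                     "X-Requested-By": "alert-split-script"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    return post


if __name__ == "__main__":
    # Assumed rule: exact match (type 1) on the "facility" field; index set id is a placeholder.
    rules = [{"field": "facility", "type": 1, "value": "syslog", "inverted": False}]
    poster = make_poster("http://localhost:9000/api", "admin", "admin")
    print(apply_plan(plan_workaround("000000000000000000000001", rules), poster))
```

Because both streams carry the same rules, every matching message is routed twice; the message count conditions therefore see identical volumes, which is what makes the split usable as a stand-in for per-condition notifications.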
It seems reasonable to configure streams per kind of information. For example:
API Monitoring logs for Production environment
API Monitoring logs for non-Prod environment
API Runtime logs for Production environment
API Runtime logs for non-Prod environment
Based on 1 stream (i.e. kind of information), we may need to trigger multiple alerts based on conditions, like:
Alert Team#1 if status=failed and asset=client_api_v1 within stream and such messages>5 for stream "API Monitoring logs for Production environment"
Alert Team#2 if status=failed and asset=supplier_api_v1 within stream and such messages>2 for stream "API Monitoring logs for Production environment"
and so on …
Am I using streams the right way? (i.e. for a kind of data)
Is the scenario now possible from a recent version of Graylog?
PS: I don't think that the 2 links on GitHub address this specific issue.