Bit of a newb to GL here. I have checked, and this question has been asked before, but I have been unable to find a workable answer.
After a way to alert if there is no source data from one of many sources within the last 5 mins or so. Version 3.3.2.
Seems like this should work -
Event Definition
Filter & Aggregation
Filter “hostname:*”
Streams “All messages”
Search within 5 mins every 5 mins
Group by fields - “hostname”
Condition - “count() = 0”
I am adding the hostname field successfully via pipeline
Nonetheless, no matter what I tweak, this does not work. Is there a way, or am I flogging a dead horse here? It strikes me that this would be a much-requested feature.
Hi, thanks for getting back to me. Not really sure I follow; I included the event details, and screenshots are added below. Do let me know if I am missing something!
To clarify, it's not the notification that is a problem, I have that running just fine on other alerts; it's the fact that it's not alerting at all.
With the Enterprise correlation engine this can be done natively in Graylog, but without it this would need to be a manual check, or you need a tool that makes use of the Graylog API to compare the results.
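Grouping by hostname only produces groups for hosts that actually sent messages in the window, so a per-host `count() = 0` never appears, and the comparison has to be done outside the event definition against a list of hosts that are expected to report. The following is an added example of such a check (not code from the thread or from Graylog itself); it assumes the 3.x `/api/search/universal/relative/terms` endpoint, a Graylog API token, and a constructed list of expected hosts.

```python
import json
import os
import urllib.request
from base64 import b64encode

# Assumptions: Graylog base URL and an API token (token is sent as the
# basic-auth username with the literal password "token").
GRAYLOG_URL = os.environ.get("GRAYLOG_URL", "http://graylog.example:9000")  # placeholder
API_TOKEN = os.environ.get("GRAYLOG_TOKEN", "")                              # placeholder
# Constructed list of sources that must have logged within the window.
EXPECTED_HOSTS = {"web01", "web02", "db01"}


def fetch_hosts_seen(range_seconds=300):
    """Ask Graylog which hostname values appeared in the last range_seconds.

    Assumption: the 3.x terms endpoint returns {"terms": {"<host>": <count>, ...}}.
    """
    url = (f"{GRAYLOG_URL}/api/search/universal/relative/terms"
           f"?field=hostname&query=hostname%3A*&range={range_seconds}&size=1000")
    auth = b64encode(f"{API_TOKEN}:token".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "X-Requested-By": "silent-source-check",
        "Authorization": "Basic " + auth,
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def silent_hosts(terms_response, expected_hosts):
    """Return expected hosts that sent no messages (absent or zero-count)."""
    seen = {h for h, n in terms_response.get("terms", {}).items() if n > 0}
    return sorted(expected_hosts - seen)


if __name__ == "__main__":
    # Run from cron every 5 minutes; a non-empty result is the "no data" alert
    # the event definition cannot raise on its own.
    missing = silent_hosts(fetch_hosts_seen(), EXPECTED_HOSTS)
    if missing:
        print("no messages in the last 5 minutes from: " + ", ".join(missing))
        raise SystemExit(1)
    print("all expected hosts reported")
```

The exit status lets a cron wrapper or a monitoring agent raise the notification, which the poster already has working for other alerts.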