Alerting question


(Orgitnized) #1

I have set up an alert to notify me if this rule gets triggered with this search string:
“GlobalRouter WEB INFO user” AND source:CP1
If I use the search section, this works and filters perfectly.
If I create an alert with this exact syntax, I get alerts from other sources as well and the messages aren’t even the same. The messages contain some of the words, but not all of the words.
What am I doing wrong? Can someone point me in the right direction? Pretty new to this software and just getting my feet wet.
Thanks so much!


(Jochen) #2

It’s not possible to use free-form Elasticsearch/Lucene queries in the alert condition.


(Orgitnized) #3

Thanks - I’m looking here: http://docs.graylog.org/en/2.2/pages/streams/alerts.html#
I’m curious what the best way to set up alerts is then. I’m creating a condition and have 2 condition details right now. Is there a list of what is actually acceptable for building condition details?
I’m not sure how I get alerted to only what I’m trying to get. :frowning:


(Jochen) #4

Anything that can fit in the query format field:"some query".


(Orgitnized) #5

Thanks again; I guess I just get confused on your reply here versus your reply in this thread: Field Content Alert
I’ll try and search more for the fields and how I can test this out.
Does this look wrong? I figured if I’m examining the message area for that specific quote of text I would get ONLY those alerts, but that’s definitely not the case.
Example

