Alerts notifications with different event keys aren't sent in the grace period

Graylog Central (peer support)
1

Hi ,
I am trying to generate some HTTP based alert notifications for an event definition which has a unique event key. I have set the value for grace period to 20 minutes. When the condition is met only 1 notification is being received but in the Alerts overview page I see 2 alerts with different event key fields.
Also, I have set the period for “Search within the last” and “Execute search every” to 10 minutes.
Can anyone guide me on this issue?

2

Hello,

Could we get a visual of this Event Notification and Perhaps what version you using also?
A clear brief description of what you want would help…

thx

3

Hi @gsmith,
I’m using Graylog version 4.3.1. I have defined an event definition where I am aggregating on some log messages and grouping them on the basis of a unique field. I have set “Search within the last” and “Execute search every” to 10 min.

image
image3580×1682 500 KB

image
image3564×1178 212 KB

I have also added the field as event key in fields section.
I have set the grace period to 20 min for a HTTP notification. Although 2 alerts are generated for each unique key, I am only being notified for 1 key field(and too the one that triggered first). So, this is the issue for which I need some guidance.
image
image3578×764 214 KB

Also, do we need to keep the value for grace period below the “Search within the last” and “Execute search every” period, as in this case I’m able to get all notifications?

4

Hello,

What does your notification settings look like.
Example:

image
image796×491 18.8 KB

Also, this setting at the bottom will trigger when greater “>” 0.

image
image1876×537 37.3 KB

5

I have set count() > 0.

image
image3578×990 211 KB

And I’m setting grace period to 20 min.
image
image1952×960 59 KB

6

Hello

Couple things seam odd,

1.you have the following configure count() >= 0 as shown in the screenshot not this count() > 0

image

With this type of alert for counting for a message entered a stream, I would think it should have been something like this.

image

2.The Event Condition is configured 10 minutes search, every 10 minutes. The notification has a 20 minute grace period. Have you tried to adjust that in any way?

Example: Match the notification grace period with Search query, Just an Idea

Also try something like this or a combination.

image
image1815×341 18.1 KB

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.