Editing alert conditions in Graylog 2.2.*

mmogilko · April 5, 2017, 1:17pm

Hi all!
After update to Graylog 2.2.* I can’t understand how to edit Field Content Alert. I want to create an alert when field is NOT equal smth. For example:
NOT vpn_addr_country_code:"UA"
At the moment I could make a condition vpn_addr_country_code:“UA” only.

And another related question: how to make a condition where a field is equal to one of the values? For example:
NOT vpn_addr_country_code:(UA ua N/A)
I noticed that edited condition rule looks like: Alert is triggered when messages matching <vpn_addr_whois_organization:"Some ISP">. But there is a difference in search queries field:(vaule1 value2) and field:"(vaule1 value2)"

Thanks in advance!

Topic		Replies	Views
Field content alert condition more than one value? Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	6	2647	September 4, 2018
Alert Condition Question Graylog Central (peer support)	1	297	November 28, 2018
How Graylog set alert field value to true or false Graylog Central (peer support)	2	960	September 30, 2019
Field Content Alert Condition ignores logs which have log timestamp instead of indexed timestamp Graylog Central (peer support)	1	366	November 23, 2018
Alerts conditions for multiple field values Graylog Central (peer support)	1	1880	July 19, 2018

Editing alert conditions in Graylog 2.2.*

Related Topics