I’m trying to set up event definitions so that an alert is generated if no messages are received from a source within a timeframe. I thought I could do this using an aggregation and setting the trigger to less than a number, but it isn’t working. Also, ideally I would like this to use a static list of sources so that the query can execute dynamically against that list and generate an alert for each that qualifies. Has anyone else done this? Any idea if it’s possible? I’m not having a lot of luck.
The goal is to know if for some reason we are losing logging. Next step is a definition that alerts if suddenly a source starts sending a number of messages outside of a defined ‘normal’ range within a given timeframe, but that’s for another topic.
@jan, I do have an issue with the content pack. I have followed the instructions to add an alert to the ‘SOURCE: 30 minute silent sender’. I did not change anything else with the event definition. I am receiving an error when attempting to save the changes. I have been unable to identify the issue. Do you have any idea what might be wrong?
I was able to correct the above error simply by changing the event #2 rule from “Not occur in the next 15 minutes” to “Occur at least 1 time”, saving the event definition, changing event #2 rule back to “Not occur in the next 15 minutes” and saving the event definition again.
sorry for that - will check what the reason for this is.
Just as warning - you can get false positive with this as the event searches in the correlation might be faster than the aggregations, depending on the amount of messages and the speed of the system. So you might need to adjust the timings here, but this is a starter.
