I have created an event definition, hoping to create a different one for each stream since it's stream alerts I want. So far I can't get it to trigger an alert even though the filter preview shows messages in there. The notification works; I can receive test emails. I wonder what I'm missing here?
Condition type: Filter & Aggregation
Search Query:
Streams:
Search within the last: 1 hour
Execute search every: 5 mins
checkmark for: Enabled
Aggregation of results reaches a threshold
Group by Fields:
Condition summary
Condition is valid
Preview: count(message) > 0
The stream is started, and I even set "Search within the last:" to 96 hours, and the preview shows even more results.
Runs every 5 minutes, searching within the last 4 days. Triggers 1 Notification.
Status: runnable
Last execution: 2021-02-04 19:44:33.529
Next execution: 2021-02-04 19:49:17.819
Next timerange: 2021-01-31 19:49:17.820 to 2021-02-04 19:49:17.819
Event Summary
Details
Title: failed logons
Description: No description given
Priority: Normal
Filter & Aggregation
Type: Aggregation
Search Query: *
Streams: [failed logons]
Search within: 96 hours
Execute search every: 5 minutes
Enable scheduling: yes
Group by Field(s): No Group by configured
Create Events if: count(message) > 0
Fields: No Fields configured for Events based on this Definition.
Notifications
Settings: Grace Period is set to 5 minutes; Notifications will include 100 messages
Send to email: Email Notification