Event definition not triggering Notification

I want to be notified when there are any FATAL messages. But Graylog is not sending the notification.

What I did:

  • defined email notification with my Reply-To email address. It’s working.
  • defined event with right stream and search query. Filter preview shows messages.
  • other configuration:
    • Search within the last: 1 hour (for test, to be sure it will find any messages)
    • Execute search every: 1 minutes
    • Create Events for Definition if: Rule: count() > 0
  • Notification: wired with the previously defined notification
    • Grace Period: Unchecked
    • Message Backlog: Checked, 1

In the Event Definitions list it shows in

  • ‘Last Matched’: 2 days ago. Why is that not working?
  • Status: enabled
  • Scheduling: Runs every 1 minutes, searching within the last 1 hour
  • Scheduling Info: Status runnable,
    • Next execution: current time + 1 min,
    • Queued notifications: 0 <== what’s the meaning of that?
  • More > Replay search: opens query with count() = 23 => so it should trigger the alert?

I use Graylog 6.1.2 Open

Did I miss something?

Event processor looks at indexed messages, so if indexing is backlogged there can be a delay. But since replay shows messages, it should be firing.
Have you tried testing with a different notification type, e.g. HTTP? That would show up immediately when it fires.

I solved the problem.
I created a new Event Definition exactly the same as the previous one with the same notification.
I don’t see any differences in the definition, but it works.
Thanks for the support.

That’s strange. Glad you solved your issue. If it happens again, it would be interesting to drill down more to try and understand the root cause.
