hello
I want to setup event definitions that If a source sends more than 5 messages, it will send an alert, if it is less than 5 times, it will not send, and I have many different sources, and I want to count each source separately, not all together.
i use graylog 4.0 guest OS: ubuntu 20
here my setup and it not work
I might try giving a unique field name to each source and use that, rather than the global “Source”
If you need them all to have the identity “source” you could add a static field at the input for each source, assuming they are different inputs.
I would run the same search as your event definition, for the same time range, and see what you actually are getting back. And then do a show top values on the field you are trying to group by to see the count. Your event definition looks right to me, so something is happening with the messages.
thanks Joel, but if i remove the groupby field contains “source” and the message count in the conditions, it’s work but not exactly what I wanted
Right, the reason i say to run the search is to verify that all the fields you are trying to use are actually present in all the measages and appear in the amount you expect.
I have had times where i picked a field to group by and then found out it only appeared in some of the messages for some reason.
Although it would be stange, i am wondering if the source field doesnt appear in all the messages or something like that, which would cause this kind of issue. I had something similar happen to me the other day when trying to build a dashboard.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
