Hi,
I’m new to GrayLog and I’m trying to setup an Alert (and Notification) to be triggered if a defined search does not return any messages for the defined period.
So, in essence we have a system sending heartbeat messages to GrayLog and we want to send a notification if no such messages are received.
I’ve created an Alert with the appropriate Filter and with an aggregation using a specific field with an if condition as count() = 0.
This does not appear to work. Does at least 1 message need to fit the filter criteria before the alert will be evaluated?
We are using Graylog 4.0.6+40b7be5.
Any help / explanation would be appreciated.
Thanks
Hello @ianyoung, welcome!
As I understand it you are looking for alerts for sources no longer appearing in search results. Is that correct? If so, there is a content pack Graylog Knowledge Base - Content Pack - Event Source Not Sending Logs
I did attempt to set up this content pack a few months ago and wasn’t able to get it working. So, if you are also unable, what we did was create an external task which periodically queries Graylog via the API to qualify messages within a timeframe and enumerate the unique sources represented. If a source is not present in the list but should be, we send a message back into Graylog which Graylog itself is configured to alert on when it is received.
A little convoluted but it works.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.