Hello , everybody~
i need to send a email alert when the field feedCode = 1 or feedCode = 3
i know i can create more than one field content alert condition to resolve this issue.But Is there any good resolution to resolve this?Maybe use Regex or Logic character in graylog ?like OR?
I’m interested in this as well. In fact, I’m surprised we simply can’t use a Search query to trigger alerts. My use case is a I have a stream of logs I need to keep but I only want to alerts on certain conditions which requires AND or OR boolean logic of multiple fields.
Have you tried the Aggregates plugin from the marketplace?
you could use a regex in the alert configuration for example.
I found a solution to my problem, since I don’t thing regex would have worked either. I’m using the Pipelines to look for specific conditions in my messages and then I set a new field such as alert:true. Then it’s a simple alert rule to alert when there is a field that with alert =true. So far it’s working as expected.
Here is my pipeline rule which can help others get on a similar path:
rule “Interactive Login Failure”
when
has_field(“winlogbeat_keywords”) && contains(to_string($message.winlogbeat_keywords), “Audit Failure”) && has_field(“winlogbeat_event_data_LogonType”) && (to_long($message.winlogbeat_event_data_LogonType) == 2)
then
set_field(“alert”, “true”);
end
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.