Filter and aggregation not alerting using custom fields

I created custom fields using the extractor to pull out specific information from my raw logs. I’m trying to set up an event definition to trigger alerts when a threshold is reached relating to these custom fields.

When I use a standard field located in the raw logs, alerts work. Unfortunately without the custom fields, these alerts are too generic and do not give me the granularity I need.

Is there an issue with using custom fields in alerts or have I configured the event definitions wrong?

I came across this piece of documentation which is what I’m trying to do: https://docs.graylog.org/en/3.2/pages/alerting/alerting-by-example.html

When thresholds are met, Graylog doesn’t alert against any of the fields which I have created using extractors.

I can see the fields in the log messages as they appear in the stream but I’m not able to use them for alerts. Without this, I can’t make sense of different log formats.

Any help would be much appreciated.

Sherlock,

How should anybody help you when you write “that is what I followed in configuration” and “it does not work”…

Sorry, I have no :crystal_ball: that tells me what you have done differently… What have you done, what is not working, and what error did you get?

I created extractors to parse specific information from the raw logs, specifically the IP address of the switch reporting a loss of signal alarm from a device and the frame/slot/port of the device that reported the log.

The extractors are working as the new fields such as IP address and Port ID appear in the log messages in the stream I created to pick up all logs with loss of signal alerts.

I then created an alert to send a Slack and email notification when an event definition is triggered. Specifically an aggregation event when more than two devices from the same IP address (ie same switch) and same frame/slot/port report a loss of signal alert.

The alert is configured but I receive no alarms when the event is triggered. When I filter and aggregate using a pre-existing field in the logs, alarms are triggered. But I’m not able to use fields created with extractors to create more meaningful alarms.

I’ve checked the logs and there aren’t any apparent error messages. I haven’t seen anything in the documentation to suggest what I’m trying to do is not possible. Any help would be much appreciated.
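To make the setup described above concrete, here is an added simulation (not code from the thread or from Graylog itself) of the two pieces involved: regex extractors that derive `switch_ip` and `port_id` from raw syslog lines, and an aggregation that groups by those two fields and fires when the count exceeds a threshold. The log lines, the extractor patterns and the field names are all constructed for this example. The useful diagnostic it adds is the `skipped` count: any message where an extractor did not match carries no field and therefore never lands in a group, which mirrors how bucket aggregations treat documents that lack the grouping field. If that number is large in a real window, the extractor, not the event definition, is the first thing to check.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOGS = [
    "<190>Jan 10 10:00:01 10.0.0.5 ONT alarm: LOS on frame 0 slot 1 port 3 ont 7",
    "<190>Jan 10 10:00:02 10.0.0.5 ONT alarm: LOS on frame 0 slot 1 port 3 ont 9",
    "<190>Jan 10 10:00:03 10.0.0.5 ONT alarm: LOS on frame 0 slot 1 port 3 ont 12",
    "<190>Jan 10 10:00:04 10.0.0.6 ONT alarm: LOS on frame 0 slot 2 port 1 ont 2",
    "<190>Jan 10 10:00:05 10.0.0.5 ONT alarm: LOS on frame 0 slot 1 port 5 ont 4",
    # Malformed line: the port extractor will not match, so no port_id field.
    "<190>Jan 10 10:00:06 10.0.0.7 ONT alarm: LOS detected (no port info)",
]

# Hypothetical regex extractors standing in for the Graylog extractors
# the poster describes; the patterns and field names are assumptions.
EXTRACTORS = {
    "switch_ip": re.compile(r"^<\d+>\S+ \d+ \S+ (\d+\.\d+\.\d+\.\d+) "),
    "port_id": re.compile(r"frame (\d+) slot (\d+) port (\d+)"),
}


def extract_fields(raw):
    """Apply the extractors to one raw message and return the fields that matched."""
    fields = {"message": raw}
    m = EXTRACTORS["switch_ip"].search(raw)
    if m:
        fields["switch_ip"] = m.group(1)
    m = EXTRACTORS["port_id"].search(raw)
    if m:
        fields["port_id"] = "/".join(m.groups())  # frame/slot/port, e.g. "0/1/3"
    return fields


def aggregate(messages, group_by, threshold):
    """Group messages by the given fields and return (triggered_groups, skipped).

    triggered_groups maps each group key to its count where count > threshold,
    i.e. the equivalent of an aggregation condition 'count() > threshold'.
    skipped counts messages missing any grouping field; they cannot be grouped
    and so never contribute to a trigger.
    """
    counts = defaultdict(int)
    skipped = 0
    for msg in messages:
        try:
            key = tuple(msg[f] for f in group_by)
        except KeyError:
            skipped += 1
            continue
        counts[key] += 1
    triggered = {k: n for k, n in counts.items() if n > threshold}
    return triggered, skipped


def run(raw_lines, threshold=2):
    """Extract fields from raw lines, then aggregate by switch_ip and port_id."""
    msgs = [extract_fields(line) for line in raw_lines]
    return aggregate(msgs, ("switch_ip", "port_id"), threshold)


if __name__ == "__main__":
    triggered, skipped = run(SAMPLE_LOGS)
    for (ip, port), n in triggered.items():
        print(f"ALERT: {n} LOS messages from switch {ip} port {port}")
    print(f"{skipped} message(s) lacked a grouping field and were not counted")
```

With the constructed input, only the group (10.0.0.5, 0/1/3) reaches three messages and trips the "more than two" condition; the single-message groups stay quiet, and the malformed line is reported as skipped rather than silently disappearing.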

> The alert is configured but I receive no alarms when the event is triggered. When I filter and aggregate using a pre-existing field in the logs, alarms are triggered. But I’m not able to use fields created with extractors to create more meaningful alarms.

Did you check that you have configured the backlog for messages AND have you configured any kind of notification?
