Finding all Entries that do not have a "clear" status to match "minor" status


1. Describe your incident:

We have logs that come in, with unique fields, that have either a “MINOR” (meaning the alarm triggered) or a “CLEAR” (meaning that alarm for that device cleared) in a “severity” field. I am trying to think of a way to set up an alert that will show me via search (say the last 20 minutes) devices that fired a “MINOR” alarm but do not have a corresponding “CLEAR” alarm. There is a “device_ID” field that has the unique device ID of the device firing the alarm.

2. Describe your environment:

Graylog 5.0.8+4c22532 on sparc-log01 (Eclipse Adoptium 17.0.6 on Linux 5.4.0-150-generic)

3. What steps have you already taken to try and solve the problem?

Tried several search and aggregation methods… nothing that gets me there…

Hi @nateynate
For this you will need the feature “Correlation” from the Operations package. Up to 2GB/day you will be able to use a free licence; above that you will need to pay.

To implement this request you will need to

  1. create an event for each “minor” log
  2. create an event for each “cleared” log
  3. create a correlation for a minor not followed by a cleared event
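
The three steps above describe a stateful correlation: a MINOR opens an alarm for a device, a CLEAR for the same device closes it, and anything still open at the end of the window is reported. The following Python script, added here as an illustration and not part of the original thread or of Graylog's own correlation engine, replays that logic over a handful of constructed log lines. The `device_ID` and `severity` field names come from the question; the `timestamp key=value ...` line layout, the `dev-NN` identifiers and the timestamps are assumptions made for the example.

```python
"""Report devices whose latest MINOR alarm has no later CLEAR (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample log lines, not taken from the original post. The
# "timestamp key=value ..." layout is an assumption for this example.
SAMPLE_LOGS = """\
2023-08-01T10:00:05Z device_ID=dev-01 severity=MINOR
2023-08-01T10:01:10Z device_ID=dev-02 severity=MINOR
2023-08-01T10:03:00Z device_ID=dev-01 severity=CLEAR
2023-08-01T10:05:30Z device_ID=dev-03 severity=MINOR
2023-08-01T10:06:00Z device_ID=dev-03 severity=CLEAR
2023-08-01T10:07:00Z device_ID=dev-03 severity=MINOR
2023-08-01T10:09:45Z device_ID=dev-04 severity=CLEAR
2023-08-01T09:30:00Z device_ID=dev-05 severity=MINOR
"""

# Fixed "current time" for the demo so the result is reproducible.
DEMO_NOW = datetime(2023, 8, 1, 10, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one log line into (timestamp, device_ID, severity).

    Raises ValueError on a line missing one of the three fields, so a
    malformed line is noticed instead of silently dropped.
    """
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    try:
        return ts, fields["device_ID"], fields["severity"].upper()
    except KeyError as exc:
        raise ValueError(f"missing field {exc} in line: {line!r}") from exc


def unresolved_minor(log_text, now, window_minutes=20):
    """Return {device_ID: minor_timestamp} for devices that fired MINOR in the
    last window_minutes and have not sent a CLEAR since that MINOR.

    Events are sorted by time first, so lines that arrive out of order are
    handled. Every event is replayed, including those older than the window,
    so a CLEAR inside the window that closes an alarm fired before the window
    does not produce a false positive, and a MINOR that fired before the
    window is not reported even though it is still open.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    open_alarms = {}
    for ts, device, severity in events:
        if ts > now:
            continue  # ignore events stamped in the future (clock skew)
        if severity == "MINOR":
            open_alarms[device] = ts  # a re-fired alarm resets the timestamp
        elif severity == "CLEAR":
            open_alarms.pop(device, None)  # CLEAR with no prior MINOR is a no-op
    start = now - timedelta(minutes=window_minutes)
    return {d: ts for d, ts in open_alarms.items() if ts >= start}


def demo():
    """Run the correlation over the constructed sample at DEMO_NOW."""
    return unresolved_minor(SAMPLE_LOGS, DEMO_NOW)


if __name__ == "__main__":
    for device, ts in sorted(demo().items()):
        print(f"{device}: MINOR at {ts.isoformat()} with no CLEAR")
```

On the sample, dev-01 is cleared, dev-03 fired again after its CLEAR and is reported, dev-04 only ever sent a CLEAR and is ignored, and dev-05's alarm is open but fired before the 20-minute window, so only dev-02 and dev-03 are listed. Widening `window_minutes` to 60 brings dev-05 into the result.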

I do not see the option to select correlation. Do I need to create each separate event first? We are using the free version (we are a non-profit) and our traffic is < 400MB / day.

I did miss the actual setting… It seems I am running Graylog open and need to get a license for Operations. Where / how do I go about getting the free operations license?

Small Business will do the job for you :wink:
