Grace Period & Custom Fields Key with Events

Hello,

I’m new to Graylog and maybe not understanding event custom fields correctly.

I have a simple event that triggers an alert when any host generates over 2000 messages per hour.

(note I actually run the search every hour, not minute like the screenshot shows)

The aggregation is done on the host source name with a count, and all works ok.

Now I want to add a grace period to stop any one host spamming email after triggering. But I still want to receive alerts from any other hosts that trigger the event.

If I set simple a grace period for the event as is, after one host triggers the event, all other hosts are muted too, so not what I need.

I think I can do it with Custom Fields and Event keys, but I’m not grasping how I’d do it.

Any advice greatly appreciated.

(Graylog 4.2.13-1 on Centos 7.9)

The way I read it in Alerting by Example, when you create a custom field, set it as an an “Event Key” so that notifications will be grouped by the Event Key (In your case the hostname is needed) Thereby alerts will be distinct with hostnames.

NOTE: this is how I read it

2 Likes

Unfortunately, the grace period applies to the event itself, not each individual “group by” attribute. That would make a good feature request though, as the idea seems quite useful. (Sign in to GitHub · GitHub)

Custom fields allow you to pull data from the messages that caused the event to fire and bring them into the “fields” field of an event. These may be defined for filter, aggregation or correlated events.

Event keys are similar, they are custom field definitions that are used to provide key values to tie correlated event conditions to each other. That key value has to be present in all events in order for them to be considered by the correlated event engine for a given rule.

The correlated alerts are a commercial feature, so unless you have an Enterprise/Ops or Security license, you can’t make use of them today.

2 Likes

Thanks for the response Chris! I’ve submitted a feature request.

Nick

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.