Hi, I’m starting to notice something strange with the backlog option in Email Notification.
Basically, I have set the following:
Event Definition: a search query on a stream, run every 5 minutes over the last 5 minutes, without using aggregation of results or custom fields.
Notification Settings: Message Backlog ticked and set to 50.
Notification: Email Notification using the default Body Template:
--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}
Issue:
When the query triggers, it finds 5 logs within the 5-minute range and sends 5 notification emails, each with 1 log message in the backlog section.
Questions:
Isn't it supposed to send 1 notification email with 5 log messages in the backlog section?
Does the Backlog option append any other logs after the trigger, or only the matched logs?
Thanks,
Ryan