Hi –
We’ve been using Graylog for years now and just upgraded to 3.1.
We have a Stream which looks for a specific value in log file that is greater than another value (the age of the last success) – when this Stream has more than 1 event, we want it to fire a notification. The alert is scheduled to run every 1 minute for the last 1 minute of data; no grace period or any other configuration.
This has worked great in the past – as soon as the number went over, we’d receive one alert. It could stay in this state for days, but just that one alert was ever fired.
With the 3.1 alert configuration, I cannot find a way to make it only trigger once – it appears to trigger once per minute, resulting in the Alert’s console being not as useful as it used to be (as there are now hundreds of alerts instead of the one) and resulting in a flood of alerting notifications.
The alert notifications were worst for us, in part, because we used OpsGenie’s plugin and it didn’t have any dedupe capability there – I’ve since switched it to an e-mail notification, but that is still resulting in 1 e-mail being sent per minute that an alert is active.
How can I get the alert to only trigger when there is a new event instead of continuously? Thanks.
Eric
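The behaviour Eric describes wanting (one notification when the condition becomes true, nothing further while it stays true, re-arm once it clears) is edge-triggered alerting, as opposed to the level-triggered re-evaluation that fires on every one-minute run. The following is an added Python illustration of that distinction, not Graylog code and not a Graylog configuration; the threshold of "more than 1 event", the per-minute counts and the window labels are constructed assumptions for the simulation.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EdgeTriggeredNotifier:
    """Send a notification only on the transition from 'condition false' to
    'condition true'; stay silent while it remains true; re-arm when it clears.

    threshold: the condition counts as active when the evaluation window holds
    strictly more than this many matching events (assumption: 1, as in the post).
    """
    threshold: int = 1
    active: bool = False                       # state remembered between runs
    notifications: List[str] = field(default_factory=list)

    def evaluate(self, window_label: str, event_count: int) -> bool:
        """Perform one scheduled check. Returns True only when a notification is sent."""
        condition = event_count > self.threshold
        if condition and not self.active:
            # Rising edge: the condition just became true, so notify exactly once.
            self.notifications.append(f"{window_label}: {event_count} events over threshold")
            self.active = True
            return True
        if not condition and self.active:
            # Falling edge: the condition cleared, so the next rise may notify again.
            self.active = False
        return False


def run_edge_triggered(counts: List[int]) -> Tuple[List[bool], List[str]]:
    """Simulate a one-minute schedule over constructed per-minute event counts."""
    notifier = EdgeTriggeredNotifier(threshold=1)
    fired = [notifier.evaluate(f"minute {i}", c) for i, c in enumerate(counts)]
    return fired, notifier.notifications


def run_level_triggered(counts: List[int], threshold: int = 1) -> int:
    """Level-triggered comparison: a notification on every run where the
    condition holds, which is the per-minute flood described in the post."""
    return sum(1 for c in counts if c > threshold)


if __name__ == "__main__":
    # Constructed sample: condition rises at minute 1, clears at minute 4, rises again at minute 6.
    sample = [0, 2, 3, 5, 0, 0, 4]
    fired, sent = run_edge_triggered(sample)
    print("edge-triggered fired per minute:", fired)      # two True values
    print("edge-triggered notifications:", sent)
    print("level-triggered notifications:", run_level_triggered(sample))  # 4
```

The state that makes this work is the remembered `active` flag: the check has to know whether the previous run already found the condition true. A scheduler that re-evaluates each window independently has no such memory, which is why it notifies on every minute the condition holds.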