Graylog 6.0 Triggering alerts when conditions not met


1. Describe your incident:
I have recently installed Graylog 6.0 (6.0.6+4aa664f, codename Noir) and I am working to migrate over from an old Graylog 3.x instance. I currently have the old Graylog instance sending logs to the new one via a GELF output. I exported a content pack and have it successfully importing on the new server. Everything works as expected except there are alerts being triggered for most of my event definitions even though the conditions are not being met to trigger an alert. When looking at the Event Definition Filter & Aggregation tab, it reports no messages with the current search criteria, but if I go back to alerts I can see that it is triggered with thousands of results. Most of these are streams that are generally empty and should trigger an alert if there are any results.

2. Describe your environment:

  • OS Information:
    rocky 9
  • Package Version:
    6.0.6+4aa664f, codename Noir
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Creating an alert for a stream has the same false positive alerts.

4. How can the community help?
Any ideas why this is happening?



To provide an update, I did find the problem is only present when using “Aggregation of results reaches a threshold”. If I use “Filter has results” for the event having results (aka no results expected) then everything works normally, but if I have the aggregation selected and Count()>x (even if x is 0) then I get false positives. Has any functionality changed with the “Aggregation of results reaches a threshold” function? This problem is present in event definitions I created in the current version or carried over with a content pack. Anyone know if there is a better way to use the threshold feature?

Further update:

I was able to resolve this problem by setting a value for “Group by Field(s)”. For the ones where I didn’t need a group I just picked something like loglevel that is the same on every log so that it would still trigger any time the threshold was met. I’m still not sure why the change in behavior but it appears to be an issue for newly created event definitions as well as the ones I imported.

I think you may be running into an OS 2.16 issue.
Check out this for a discussion and workaround:

Thanks, not sure how I missed all of this in my searches.