Graylog alert condition

ncmfn · January 23, 2022, 6:05am

Hello,
Is there any way to compare the avg of a field with the sum of that field instead of a threshold in Graylog alerts?
In other word:

if avg(value) > sum (value) then alert

gsmith · January 24, 2022, 11:40pm

Hello

Are you referring to something like this for a Event Definition?

ncmfn · January 26, 2022, 11:30am

Hi @gsmith ,
Instead of these static numbers(0 and 14 in your screenshot), I wanna be able to call another function.
for example:

sum(AccessMask) > avg(AccessMask)

gsmith · January 26, 2022, 10:39pm

Not sure about that, you want the sum greater then the avg. Could you give an example of that?

EDIT: Something of this sort? The red box shows what its function is.

If this is not what you want maybe Event Correlation instead of Filter & Aggregation maybe something to look into.

ncmfn · January 29, 2022, 7:09am

Thanks @gsmith,
The point is you are still comparing the sum and avg functions to a static number. in my case there is no specific threshold to set.

Topic		Replies	Views
Alert Condition Question Graylog Central (peer support)	1	347	November 28, 2018
Alerts Based On Avg() Graylog Central (peer support) alert	3	761	April 22, 2022
Graylog Alert Fields are not getting filled when using a Threshold Graylog Central (peer support)	12	415	September 6, 2025
Aggregation Alert with condition Graylog Central (peer support)	2	959	January 10, 2018
Aggregation Count Alert Condition Plug-Ins plug-in	1	1842	August 25, 2022