Graylog alert condition

ncmfn · January 23, 2022, 6:05am

Hello,
Is there any way to compare the avg of a field with the sum of that field instead of a threshold in Graylog alerts?
In other word:

if avg(value) > sum (value) then alert

gsmith · January 24, 2022, 11:40pm

Hello

Are you referring to something like this for a Event Definition?

ncmfn · January 26, 2022, 11:30am

Hi @gsmith ,
Instead of these static numbers(0 and 14 in your screenshot), I wanna be able to call another function.
for example:

sum(AccessMask) > avg(AccessMask)

gsmith · January 26, 2022, 10:39pm

Not sure about that, you want the sum greater then the avg. Could you give an example of that?

EDIT: Something of this sort? The red box shows what its function is.

If this is not what you want maybe Event Correlation instead of Filter & Aggregation maybe something to look into.

ncmfn · January 29, 2022, 7:09am

Thanks @gsmith,
The point is you are still comparing the sum and avg functions to a static number. in my case there is no specific threshold to set.

system · February 12, 2022, 7:10am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alert Condition Question Graylog Central (peer support)	1	299	November 28, 2018
Alerts Based On Avg() Graylog Central (peer support) alert	3	617	April 22, 2022
Aggregation Count Alert Condition Plug-Ins plug-in	1	1429	August 25, 2022
How Graylog set alert field value to true or false Graylog Central (peer support)	2	962	September 30, 2019
GrayLog Alert by Custom Field Graylog Central (peer support)	4	1864	February 5, 2021