I created an alert with the following conditions:
5 or more matches of “something that user does” during the 24 hours
There are a few things that aren’t working for me:
- After the first alert, I’m being continuously notified for the same alert, regardless of alerts that happened after the first alert (some other user triggered an alert)
- I was able to see different notifications (alerts) after checking “repeat notifications”, but I was spammed each minute with an e-mail notification. As I understand it, Graylog will send out e-mails each minute until the alert is in the resolved state (which is 24h after the first alert, at least in my case)
Basically, my goal is to isolate unique events (under a certain condition) during the day.
Is there any smarter way of doing this? Am I missing something? Can I force resolving an alert?
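The behaviour the post is asking for (notify once per user when that user reaches 5 matches in a sliding 24-hour window, keep other users' alerts independent, and allow an alert to be closed by hand so it can fire again) is easier to reason about as a small model. The block below is an added example, not code from the post or from Graylog; it assumes the grouping key is a `user=` field and works on a constructed sample log, with no calls to any Graylog API.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Graylog output): one line per message that
# matched the alert's search. alice reaches 5 matches at 10:04, a 6th at 10:05
# should NOT notify again; bob reaches 5 at 11:04 and must not be masked by
# alice's open alert; alice's event on the next day falls outside the window.
SAMPLE_LOG = """\
2024-05-01T10:00:00 user=alice action=download
2024-05-01T10:01:00 user=alice action=download
2024-05-01T10:02:00 user=alice action=download
2024-05-01T10:03:00 user=alice action=download
2024-05-01T10:04:00 user=alice action=download
2024-05-01T10:05:00 user=alice action=download
2024-05-01T11:00:00 user=bob action=download
2024-05-01T11:01:00 user=bob action=download
2024-05-01T11:02:00 user=bob action=download
2024-05-01T11:03:00 user=bob action=download
2024-05-01T11:04:00 user=bob action=download
2024-05-02T10:10:00 user=alice action=download
"""


def parse_line(line):
    """Return (timestamp, grouping key) for one constructed 'ts key=value ...' line."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["user"]  # hypothetical 'user' field


class PerKeyAlerter:
    """Fire at most one notification per key per window; stay quiet while open."""

    def __init__(self, threshold=5, window=timedelta(hours=24)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps inside the window
        self.alerted_until = {}            # key -> time the open alert auto-resolves

    def ingest(self, ts, key):
        """Record one matching event; return True if a notification should be sent."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events older than the window
            q.popleft()
        if key in self.alerted_until and ts < self.alerted_until[key]:
            return False                       # alert for this key is still open
        if len(q) >= self.threshold:
            self.alerted_until[key] = ts + self.window
            return True
        return False

    def resolve(self, key):
        """Manually close an open alert for key so a fresh one can fire."""
        self.alerted_until.pop(key, None)
        self.events[key].clear()


def run(log_text, alerter=None):
    """Feed log lines through the alerter; return [(key, iso timestamp)] notifications."""
    alerter = alerter or PerKeyAlerter()
    sent = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key = parse_line(line)
        if alerter.ingest(ts, key):
            sent.append((key, ts.isoformat()))
    return sent


def run_with_manual_resolve():
    """Show that resolving by hand lets the same key alert again within 24h."""
    alerter = PerKeyAlerter()
    first = run(SAMPLE_LOG, alerter)
    alerter.resolve("alice")
    # five more constructed alice events minutes after the last one
    extra = "\n".join(
        f"2024-05-02T10:{m:02d}:00 user=alice action=download" for m in range(11, 16)
    )
    second = run(extra, alerter)
    return first, second


if __name__ == "__main__":
    print(run(SAMPLE_LOG))
    print(run_with_manual_resolve())
```

The point of the model is the two separate pieces of state: the sliding window of events decides *whether* a key is over threshold, while `alerted_until` decides *whether to notify again*, and both are kept per key so one user's open alert never hides another user's. The `resolve` method is the "force resolve" the post asks about: it clears both pieces of state for one key only.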