client (timestamp) --------> server (eventReceived) ---------> Graylog.
Timestamp and eventReceived times can differ by up to 1h or even longer if a client has connectivity issues. Graylog alerting by default compares the timestamp with the time range in the alert setting. Currently I set it to 30 minutes to capture most events; however, I have another issue: if another event fires from any client, or even the same client, a new alert will not be fired. That new event will fall under the same alert with no new notification.
Is there a way to alert on every unique message in the stream disregarding timestamps?
You could use the processing pipelines to identify a message you want to alert on and route it into a stream. The alerting rule on that stream fires if messages are in the stream.
Routing to a stream is not an issue; it is done properly. However, “message count” alerting in Graylog seems to be periodic only, so if I set it to 0, it will send an alert with all current messages in the stream (new + old); if I set it to something more than 0, it will not send alerts, as it sees that my messages come in late, outside of that evaluation period. I could overwrite the timestamp with the received-by-Graylog time, but it seems rather dirty.
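An added example of the two ideas raised in this thread (the pipeline-routing suggestion in the reply above and the timestamp-overwrite idea in the last post), written here as a Graylog processing pipeline rule; it is not code from either poster. The stream name "late-client-alerts", the field "event_type" and the value "auth_failure" are assumptions for illustration; the rule must be attached to a pipeline that is connected to the stream the client messages arrive in, or it never runs.

```text
// Added example, not from the original thread. Assumed names: stream
// "late-client-alerts", field "event_type", value "auth_failure".
rule "route to alert stream and stamp with ingest time"
when
    has_field("event_type") && to_string($message.event_type) == "auth_failure"
then
    // Keep the client's own clock value so the skew stays visible in the message.
    set_field("client_timestamp", $message.timestamp);
    // Replace the message timestamp with the time Graylog processed it, so a
    // periodic "message count" condition sees the message inside its window
    // even when the client delivered it an hour late.
    set_field("timestamp", now());
    // Route the message into the stream the alert condition is attached to.
    route_to_stream(name: "late-client-alerts");
end
```

The `client_timestamp` copy is what keeps this from being purely a hack: searches and histograms now order by ingest time, but the original client time is still on the message, so a large gap between the two fields is itself a signal (clock drift, buffering, or a host that was offline) rather than information that is silently lost.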