Sorry for the delay, I was on vacation. As I understand it, this would be on Streams, and each stream could have a different output and type.
In my opinion, and judging by how one configures alerts, that part of the system looks in the database / indices directly, since one configures the period and the search query.
The system then schedules the alert queries. That is how it seems to be implemented in version 4.x, though older versions seemed to work a bit differently.
Yup, alerts are effectively cronjobs that periodically search elastic. I wish there was a way to hook some of my alerts directly in the processing flow or better maybe allow pipeline rules to create real-time alerts?
Dunno, I haven't got that far with it yet. But I am enjoying the hell out of Graylog so far. So much we can do, but so much to learn!
I still think lookup tables are (mostly) used in pipelines. Those can be used in decorators afterwards, but the main use at least to me is in pipelines.