How Graylog set alert field value to true or false

Ganeshbabu · September 13, 2019, 10:02am

Hi All,

We are using Graylog 3.1.1 with Elasticsearch 6.8.1 & Mongo 3.6.14. I am trying to setup alerts based on the event condition.

I am receiving IIS logs to graylog and I am setting iis_Access_Responsecode:>=500 in event filter condition with aggregation group by field as iis_Access_SiteName and if my events count is > than 5 alerts will be triggered.

Yes I am able to see alerts triggered based on the event definition and messages are recorded to the “All Events” stream. But in the all events stream I am getting two types of messages and the field “alert” has two values,

alert=false
alert=true

Below is the sample message with alert= false

    "_source" : {
      "id" : "01DMFWQERB48FSDMVZTNSYD",
      "event_definition_type" : "aggregation-v1",
      "event_definition_id" : "5d76470a026d94693",
      "origin_context" : null,
      "timestamp" : "2019-09-11 10:08:14.276",
      "timestamp_processing" : "2019-09-11 10:08:28.427",
      "timerange_start" : "2019-09-11 10:03:22.453",
      "timerange_end" : "2019-09-11 10:08:22.452",
      "streams" : [
        "000000000000000000000002"
      ],
      "source_streams" : [
        "5d76240b945248b2f"
      ],
      "message" : "500_ErrorCodes: abc.graylog.com- count()=12.0",
      "source" : "graylog3-helm-0.graylog3-helm-svc.cluster.local",
      "key_tuple" : [ ],
      "key" : "",
      "priority" : 2,
      "alert" : false,
      "fields" : { }
    }

Below is the sample message with alert=true

    "_source" : {
      "id" : "01DMFN7WGAEB3TXTPRK",
      "event_definition_type" : "aggregation-v1",
      "event_definition_id" : "5d76470a026d94693",
      "origin_context" : null,
      "timestamp" : "2019-09-11 07:55:33.233",
      "timestamp_processing" : "2019-09-11 07:57:38.243",
      "timerange_start" : "2019-09-11 07:52:22.452",
      "timerange_end" : "2019-09-11 07:57:22.451",
      "streams" : [
        "000000000000000000000002"
      ],
      "source_streams" : [
        "5d76240b945248b2f"
      ],
      "message" : "500_ErrorCodes: def.graylog.com - count()=14.0",
      "source" : "graylog3-helm-0.graylog3-helm.svc.cluster.local",
      "key_tuple" : [ ],
      "key" : "",
      "priority" : 2,
      "alert" : true,
      "fields" : { }
    }

I am not able to understand how the graylog sets the value of alert field to true or false

I didn’t find much information on the alerts documentation

Kindly share your thoughts and help us to understand the alerts concept.

Regards,
Ganeshbabu R

Ganeshbabu · September 16, 2019, 6:39am

If we add the notification in the event definition then alert field value set as “True” in the message.

Topic		Replies	Views
GrayLog Alert by Custom Field Graylog Central (peer support)	4	2307	February 5, 2021
Graylog Alert Fields are not getting filled when using a Threshold Graylog Central (peer support)	12	419	September 6, 2025
Graylog 4.0 bug with fields and aggregation Graylog Central (peer support)	7	1498	May 27, 2021
I can't see any properly graylog alert messages Graylog Add-ons sidecar , winlogbeat	7	1427	April 9, 2020
Graylog 6.0 Triggering alerts when conditions not met Graylog Central (peer support) alert	5	189	October 11, 2024

How Graylog set alert field value to true or false

Related topics