Multiple Notifications Sent for the Same User

1. Describe your incident:
What I want to achieve is that GL sends email notifications for email users who have gone over their storage quotas. This is now happening, and the notification email contains the address, but the problem is that GL sends a notification every time it checks the event condition, meaning that for each unique user I’m receiving multiple emails, and each email is set up in a way that automatically opens a help ticket, causing a problem.

2. Describe your environment:

  • OS Information:
    Ubuntu Server 20.04 LTS

  • Package Version:
    Graylog 4.3.3+86369d3 on firelognet (Private Build 17.0.3 on Linux 5.4.0-122-generic)

  • Service logs, configurations, and environment variables:
    The GL server is receiving logs from a mail server, some of which tell me if a mail user filled their storage quota. It looks like this:
    solfix-email cyrus/lmtp1[123]: verify_user(example@site.com) failed: Over quota
    I have an extractor (overkotamail) that gets the mail address, and I have set up an event which checks the log every 10 minutes, looking back 10 minutes and grouping by field (overkotamail), then a condition of count more than 1 for the same field. Event Fields is also set up to give me the email address so I can include it in the notification mail. Finally, there is also a grace period of 10 minutes.

3. What steps have you already taken to try and solve the problem?
I tried changing the grouping settings in the event definition with no luck.

4. How can the community help?
Could you please help me set up the event to send only one email per user?

Hi Alper,

At “Filter and Aggregation” you can refine the search parameter in time:

In “Notifications” you could use the Grace period:


Another thing you can use is the “Aggregation of results reaches a threshold”, where
one can build a rule that the messages are limited in a certain way. I have no
experience with it, but it was handled in the course.

Hope this helps.


Hi, thank you. I forgot to mention that for some reason, the mail server sends lots of logs when a single user goes out of storage, like 100 logs for around an hour or 2. Maybe I should check the mail server log settings, but I was hoping not to, and just let Graylog use the email address as a key value and send the notification once for each user rather than keep sending repetitive mails for the same user each time the event is checked.
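
The per-user behaviour asked for above, sketched as an added Python example (not part of the thread and not Graylog code): the address is pulled from the over-quota line quoted in the first post and used as a suppression key, and every new matching log restarts that key's quiet period, so a burst lasting an hour or two produces one notification. The class and function names, the 72-second log spacing and the sample timestamps are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the Cyrus LMTP over-quota line quoted in the thread.
OVER_QUOTA = re.compile(r"verify_user\((?P<addr>[^)\s]+)\) failed: Over quota")

def extract_address(line):
    """Return the mailbox address from an over-quota line, or None."""
    m = OVER_QUOTA.search(line)
    return m.group("addr").lower() if m else None

class PerKeySuppressor:
    """Allow one notification per key until `quiet` passes with no new hits."""
    def __init__(self, quiet):
        self.quiet = quiet
        self.last_seen = {}  # address -> time of the most recent matching log

    def should_notify(self, key, ts):
        prev = self.last_seen.get(key)
        self.last_seen[key] = ts  # every hit restarts the quiet period
        return prev is None or ts - prev > self.quiet

def notifications(events, quiet):
    """events: iterable of (timestamp, raw line). Returns [(ts, addr)] to send."""
    sup = PerKeySuppressor(quiet)
    out = []
    for ts, line in sorted(events):
        addr = extract_address(line)
        if addr and sup.should_notify(addr, ts):
            out.append((ts, addr))
    return out

def sample_events():
    """Constructed sample: one user logs every 72 s for ~2 h, another once."""
    start = datetime(2022, 8, 1, 9, 0, 0)
    line = "solfix-email cyrus/lmtp1[123]: verify_user({}) failed: Over quota"
    burst = [(start + timedelta(seconds=72 * i), line.format("example@site.com"))
             for i in range(100)]
    other = [(start + timedelta(minutes=30), line.format("second@site.com")),
             (start + timedelta(minutes=31),
              "solfix-email cyrus/lmtp1[123]: Delivered")]
    return burst + other

if __name__ == "__main__":
    for ts, addr in notifications(sample_events(), timedelta(minutes=10)):
        print(ts.isoformat(), "notify", addr)
```

A user who goes quiet for longer than the quiet period and then exceeds quota again is notified again, which keeps a later recurrence from being silently dropped.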