1. Describe your incident:
What I want to achieve is that GL sends email notifications for email users who got over their storage quotas. This is now happening, and the notification email contains the address, but the problem is that GL sends a notification every time it checks the event condition, meaning that for each unique user I'm receiving multiple emails, and each email is set up in a way that automatically opens up a help ticket, causing a problem.
2. Describe your environment:
Ubuntu Server 20.04 LTS
Graylog 4.3.3+86369d3 on firelognet (Private Build 17.0.3 on Linux 5.4.0-122-generic)
Service logs, configurations, and environment variables:
The GL server is receiving logs from a mail server, some of which tell me if a mail user filled their storage quotas. It looks like this:
solfix-email cyrus/lmtp1: verify_user(email@example.com) failed: Over quota
I have an extractor (overkotamail) that gets the mail address, and I have set up an event which checks the log every 10 minutes, looking back 10 minutes and grouping by field (overkotamail), with a condition of count more than 1 for the same field. Event Fields is also set up to give me the email address so I can include it in the notification mail. Finally, there is also a grace period of 10 minutes.
3. What steps have you already taken to try and solve the problem?
I tried changing the grouping settings in the event definition with no luck.
4. How can the community help?
Could you please help me set up the event to send only one email per user?
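
Added example, not part of the original post and not Graylog configuration: a Python sketch of the behaviour the post asks for, extracting the address from the Cyrus line quoted above and emitting one notification per address within a suppression window, as could be done in whatever receives the alerts. The regex, the function and class names, the 24-hour window, the lowercasing of addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed pattern for the Cyrus LMTP over-quota line quoted in the post.
OVER_QUOTA = re.compile(r"verify_user\(([^)\s]+)\) failed: Over quota")

def extract_address(message):
    """Return the mailbox address from an over-quota line, or None."""
    match = OVER_QUOTA.search(message)
    # Lowercasing treats Alice@ and alice@ as one mailbox (assumption).
    return match.group(1).lower() if match else None

class QuotaNotifier:
    """Emit at most one notification per address per suppression window."""

    def __init__(self, window=timedelta(hours=24)):
        self.window = window
        self.last_sent = {}  # address -> time of last notification

    def process(self, timestamp, message):
        """Return the address to notify about, or None if suppressed."""
        address = extract_address(message)
        if address is None:
            return None  # not an over-quota line
        last = self.last_sent.get(address)
        if last is not None and timestamp - last < self.window:
            return None  # already notified for this address in the window
        self.last_sent[address] = timestamp
        return address

# Constructed sample lines (timestamps and addresses are made up).
PREFIX = "solfix-email cyrus/lmtp1: "
SAMPLE = [
    ("2022-08-01 09:00:05", PREFIX + "verify_user(alice@example.com) failed: Over quota"),
    ("2022-08-01 09:04:10", PREFIX + "verify_user(alice@example.com) failed: Over quota"),
    ("2022-08-01 09:12:00", PREFIX + "verify_user(bob@example.com) failed: Over quota"),
    ("2022-08-01 09:20:30", PREFIX + "verify_user(Alice@example.com) failed: Over quota"),
    ("2022-08-01 09:21:00", PREFIX + "accepted connection"),
    ("2022-08-02 09:30:00", PREFIX + "verify_user(alice@example.com) failed: Over quota"),
]

def run(sample=SAMPLE, window=timedelta(hours=24)):
    """Replay the sample and return the (timestamp, address) pairs notified."""
    notifier = QuotaNotifier(window)
    sent = []
    for ts, message in sample:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        address = notifier.process(when, message)
        if address:
            sent.append((ts, address))
    return sent

if __name__ == "__main__":
    for ts, address in run():
        print(ts, "notify", address)
```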