I’m evaluating alerting and set up a test Event and Notification. My event is supposed to run every minute and look at the last minute. I set up a Notification for this event to email me when it’s triggered. My event happens frequently (which is good for testing purposes), but I found I was getting multiple emails per minute. My expectation is that if the query is run once a minute, I should get at most one email per minute. Am I mistaken?
What Graylog version did you run?
We’re running 3.1.3.
I’m wondering if I have the wrong expectation. It seems like maybe GL is sending an email per log event that matches the filter rather than sending a single email with all the matching events from that period. If that’s what’s supposed to happen, how can I aggregate the results to send all the results (or the first 20) in a single email?
It actually depends on your configuration, @kcbaltz. So, how did you make the settings for that?
I’m not sure what you’re asking/telling me.
If an Event configuration is set up to run every 5 minutes and search the last five minutes, it appears that every matching log line for the filter results in an Event, and each Event results in a Notification, such that 50 Events in 5 minutes cause 50 emails. Is there a way to group those together into a single “event/notification” without aggregating the results?
Now it makes more sense: you would use aggregations for that. So you aggregate over the last 5 minutes, searching the last 5 minutes.
But if I aggregate (e.g., count the number of errors), won’t I lose the detail of which events happened? In other words, if there were 7 Login Failures, I want to see the 7 usernames in the notification, not just the number “7” as the count.
Also, assuming I’m willing to live without having the individual log messages in the notification, I’d still like some way to only receive 1 notification per 5-minute period regardless of how many messages matched. I tried adding an Aggregation that says count() > 0, but that still appeared to generate multiple Events.
I’m seeing the same behavior, and I don’t understand the discussion here. In the tab to configure the notification, it says for the “Grace Period”: “Set a Grace Period to control how long Graylog should wait before sending Notifications again.” So when I set this to 1, I would totally expect this notification to be sent a maximum of once a minute. So what else does this mean, if not that?
You do not lose the details, as you can select on what field you want to aggregate and what details you want to retain in that aggregated message. That means you can decide what information should be available.
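To make the distinction in this thread concrete (one event per matching message versus one aggregated event per window that still carries the usernames, and what a grace period adds on top), here is a small constructed model of the three behaviours. It is an illustration written for this page, not Graylog's code or configuration; the field names `action` and `user` and the sample messages are invented, and the window, retained field and grace period are parameters so you can see how each one changes the number of notifications produced.

```python
# Constructed model of the behaviours discussed in this thread: a filter-only
# event definition (one event, hence one e-mail, per matching message) versus an
# aggregation over a fixed window (one event per window that keeps a count plus
# the field values you choose to retain), followed by a grace-period rate limiter.
# Illustration written for this page, not Graylog's implementation.
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample messages: (UTC timestamp, extracted fields). Field names are hypothetical.
SAMPLE_EVENTS = [
    ("2019-11-20T10:00:05Z", {"action": "login_failure", "user": "alice"}),
    ("2019-11-20T10:01:10Z", {"action": "login_failure", "user": "bob"}),
    ("2019-11-20T10:02:30Z", {"action": "login_success", "user": "carol"}),
    ("2019-11-20T10:03:45Z", {"action": "login_failure", "user": "dave"}),
    ("2019-11-20T10:06:00Z", {"action": "login_failure", "user": "erin"}),
    ("2019-11-20T10:07:20Z", {"action": "login_failure", "user": "frank"}),
    ("2019-11-20T10:12:00Z", {"action": "login_failure", "user": "grace"}),
]


def parse_ts(value):
    """Parse the constructed timestamp format into a naive UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def matches(fields):
    """The event filter: only failed logins are of interest (hypothetical field value)."""
    return fields.get("action") == "login_failure"


def per_message_events(events):
    """Filter-only behaviour: every matching message becomes its own event,
    so N matches in a window produce N notifications."""
    return [(ts, fields) for ts, fields in events if matches(fields)]


def windowed_digests(events, window_minutes=5, retain_field="user", max_details=20):
    """Aggregation behaviour: one digest per fixed window, holding the match count
    and up to max_details values of the field chosen to be retained."""
    buckets = defaultdict(list)
    for ts_str, fields in events:
        if not matches(fields):
            continue
        # Floor the timestamp to the start of its window (minutes since the epoch).
        minute = int((parse_ts(ts_str) - EPOCH).total_seconds() // 60)
        window_start = EPOCH + timedelta(minutes=minute - minute % window_minutes)
        buckets[window_start].append(fields.get(retain_field))
    return [
        {"window_start": start, "count": len(values), "details": values[:max_details]}
        for start, values in sorted(buckets.items())
    ]


def apply_grace(digests, grace_minutes):
    """Grace-period rate limiter: after a notification is sent, suppress further ones
    until grace_minutes have elapsed since the last one that was actually sent."""
    sent, last_sent = [], None
    for digest in digests:
        gap_ok = last_sent is None or digest["window_start"] - last_sent >= timedelta(minutes=grace_minutes)
        if gap_ok:
            sent.append(digest)
            last_sent = digest["window_start"]
    return sent


def render_email(digest):
    """Build the body of one digest e-mail: the count first, then the retained details."""
    lines = [f"{digest['count']} login failure(s) since {digest['window_start']:%H:%M}Z"]
    lines += [f" - {user}" for user in digest["details"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"filter only: {len(per_message_events(SAMPLE_EVENTS))} separate notifications")
    digests = windowed_digests(SAMPLE_EVENTS)
    for d in apply_grace(digests, grace_minutes=5):
        print(render_email(d), end="\n\n")
```

With the sample input, the filter-only path yields six separate notifications, while the 5-minute digest yields three (with 3, 2 and 1 failures) and each digest still lists the usernames; raising `max_details` or `grace_minutes` shows how the detail list is capped and how a grace period longer than the window suppresses whole windows rather than individual messages.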