Problem with backlog message

Hello,

Perhaps this might answer your question, especially under Notification settings:

https://docs.graylog.org/en/4.0/pages/alerting/alerting-by-example.html#alerting-by-example

EDIT: I have found success in using the Fields section in Event Definition.

As the instruction from Graylog Document suggested, I unchecked the Message Backlog.

[image: Fields section of the Event Definition]

The notifications are sent per UserID (i.e., Grouped per UserID)
I haven’t configured Alerts like this before, so I found it interesting what more I can do. Sorry I don’t have a direct answer for your solution, but if you have a look at the link(s) I provided you may be able to fix your backlog issue.

So, to recap:

  1. I have a stream to filter down what I need with Rules.
  2. In my Event Condition Search Query, I used “EventType: Error/Warning”.
  3. For Aggregation I Group by Fields using UserID & EventType.
  4. In Create Events for Definition I used count() with >= 0.
  5. Created the Fields section which is shown above.
  6. For the Notification Template I used the same one from the previous post above.
  7. I unchecked Message Backlog as stated in the Graylog Documents.

I would highly suggest looking at the links I gave you and doing some testing. There is more than one or two configurations needed to make your idea work for you, like Notification templates, notification settings, Fields, etc… I think you get the idea.

Results: I received a notification from each UserID. It’s not in one email notification; they came grouped up in separate emails.


This is the best I can do for you; if this doesn’t work maybe someone else here can help you further.
Hope this helps.

I’m already doing what you found.
As I’ve always said the notifications I receive are correct except from the content of the backlog.
I do ignore/remove the backlog, but I would like to extract some more information from it to be attached to the notification. But the more I read, the more I think that the backlog contains all messages collected before the aggregation filter match.

@fabulus

I believe you are correct, judging from this statement in the documentation:

Since we use an aggregation event here, the message backlog might not be really helpful so I leave it off. The backlog will show all messages within the time range of Search within the last and use the Query we entered. If you have a good enough query this can still be helpful. The number input will limit the amount of messages in the backlog.

Sorry, I’m out of suggestions; maybe someone else here can help you further.

Hope that helps.

Thanks again @gsmith, I think we can close this thread then.
We’ll try to get the result with a different approach.

I don’t know why, but this was working up to the previous version of Graylog.

Cheers,
Fabio.
