Query stream alerts via API

I’ve defined several streams and events to receive notifications via email when alert conditions are met - works well as expected. Now I tried to query these triggered alerts via API from my monitoring system with a script, but there are no alerts shown.
Events are created and are visible within event stream.

My environment:
Linux
Graylog 4.3.1 with enterprise plugin (free enterprise operations license)

Steps already taken to solve the problem:
Tried several API URLs via the REST API browser, like
/streams/{stream-id}/alerts
/streams/{stream-id}/alerts/check
/streams/{stream-id}/alarmcallbacks
/streams/alerts

When querying stream info, no associated alerts are shown.
Also on paginated queries there is no history of alerts visible.
Documentation does not contain details on the behaviour of alerts.

How can the community help?
Is this feature to grab alerts via API still available?
How should I set up alerts/events for a stream so that the alert is shown in the API?
Are there alternative ways to send alerts to a monitoring system?

Hello,

I was testing this out in the lab and found some unusual results.
My response body is off by 8 hours; that is because of UTC. I even increased the date/time, still null results.

I also checked the API browser for GET /streams/{streamId}/alerts

I do see this showing Manage stream legacy alerts for a given stream

But using Alerts: Manage stream legacy alerts for all streams

I did get an output with results

{
  "total": 300,
  "alerts": [
    {
      "id": "5d54a0df83d72e5070463743",
      "description": "Stream had 4 messages in the last 1 minutes with trigger condition more than 3 messages. (Current grace time: 5 minutes)",
      "condition_id": "383a8c30-6d60-44c6-a93b-f4a557f923c4",
      "stream_id": "5a5027b7ffe8b10359166d83",
      "condition_parameters": {
        "backlog": 10,
        "repeat_notifications": true,
        "query": "*",
        "grace": 5,
        "threshold_type": "MORE",
        "threshold": 3,
        "time": 1
      },
      "triggered_at": "2019-08-15T00:01:35.656Z",
      "resolved_at": "2019-08-15T00:02:34.990Z",
      "is_interval": true
    },

Notice the date, Ummm
I configured the UNIX timestamp to display since yesterday and ended up null. Something with the legacy alerts API. Not sure what’s going on.

EDIT: Still same results. I have tested this on the Open/Enterprise version.
Maybe posting here might shed some light on this issue.
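Added example, not code from either poster: a small script that pulls the legacy all-streams alert list (the endpoint that returned results in the reply above), filters it to one stream, and handles the timestamp issue mentioned in the reply by parsing the trailing-Z timestamps as UTC. The endpoint path, the `since`/`limit` parameters and the token-as-basic-auth login are assumptions about the Graylog API; the sample response is constructed from the JSON quoted above.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like the GET /streams/alerts response quoted in
# the reply (one alert kept, condition_parameters and other entries elided).
SAMPLE_RESPONSE = """{
  "total": 300,
  "alerts": [
    {"id": "5d54a0df83d72e5070463743",
     "stream_id": "5a5027b7ffe8b10359166d83",
     "triggered_at": "2019-08-15T00:01:35.656Z",
     "resolved_at": "2019-08-15T00:02:34.990Z",
     "is_interval": true}
  ]
}"""


def parse_graylog_ts(value):
    """Timestamps in the response carry a trailing 'Z': they are UTC. Parsing
    them as naive local time is what produces an offset of several hours."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def since_param(hours_back, now_ts=None):
    """Value for the assumed 'since' query parameter: UNIX seconds, which are
    timezone-free, so no local-offset correction is needed here."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    return now_ts - hours_back * 3600


def select_alerts(payload, stream_id, since_ts):
    """Keep alerts of one stream triggered at or after since_ts (UNIX seconds)."""
    selected = []
    for alert in json.loads(payload)["alerts"]:
        if alert["stream_id"] != stream_id:
            continue
        if parse_graylog_ts(alert["triggered_at"]).timestamp() < since_ts:
            continue
        selected.append({"id": alert["id"], "triggered_at": alert["triggered_at"],
                         "resolved": alert.get("resolved_at") is not None})
    return selected


def fetch_alerts(base_url, api_token, hours_back=24):
    """Live call (assumed endpoint and parameters); needs the 'requests' package
    and a Graylog API token, sent as the basic-auth user with password 'token'."""
    import requests
    resp = requests.get(f"{base_url}/api/streams/alerts",
                        params={"since": since_param(hours_back), "limit": 300},
                        auth=(api_token, "token"), timeout=30)
    resp.raise_for_status()
    return resp.text
```

For a live check, pass the text returned by `fetch_alerts(...)` to `select_alerts(...)` with your stream id and the same `since_param` value; an empty result with a non-zero `total` points at the filter window rather than at missing alerts.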

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.