I’m configuring email notifications in Graylog to receive level 0 and 1 alerts for my Cisco switches.
This is working fine, but it happens quite often that the same message is triggered several times a day, which generates many useless emails.
I would like, if possible, to only receive one email for a specific message per day.
Messages with a red rectangle are sent many times a day, but it’s exactly the same information. I would like to only have 1 message and skip the next ones until the next day or next week, for instance.
When creating the Event Definition there are settings under Notification that can make it happen.
They’re called Grace Period and Message Backlog. This ties into your “Search within the last” and “Execute search every”, which are under Filter & Aggregation.
Then on the Notifications tab, I have applied a 24h Grace Period:
So if I understand it correctly, each individual alert message will be sent only once per 24h?
Regarding the Message Backlog, should I leave it unticked? I’m not sure I understand the behaviour of Message Backlog, actually. If I tick it and put “1” for instance, does that mean I will only receive 1 alert message from Graylog in 24h? Or does that mean 1 message maximum per different alert in 24h?
Like it states, “Number of messages to be included in the notifications”. If you do not want a message to be included in the alert, then you’re all good. If you want a message or messages, then tick the box and you can add how many messages you would like per email.
Hi Gsmith.
I have put 1 in messages as it was before, but keeping 24 hours as the grace period doesn’t work, I think, because I only receive one notification in 24 hours, which is not what I want. I would like each notification to be received once per 24h. So, as an example, if I receive 2 different messages, I will receive them both, but the next time I receive the same message, I will only receive it 24h after.
My English is not perfect, so I’m not sure if I’m clear enough. If I’m not clear, please let me know and I’ll try to show with pictures.
Maybe the solution is to play with “keys” here.
thank you.
//minouch
Ok, I understand now. You may need to configure “Create Events for Definition if..”. This is under “Filter & Aggregation”.
If you have multiple messages coming in within 24 hours but only want one in 24 hours, then perhaps
use “Group by Field/s”, then below that setting configure Create Events for Definition.
Something like this:
Another question, actually: in my case, shouldn’t I use “Message - String” instead of “source - string”? Because the way I understand it, it’s based on the source name or IP, so I could miss some messages if another event is triggered with the same IP?
Message-String is the message field; most don’t, if you just count how many messages you have. I could probably come up with another suggestion if you could post what you’re trying to achieve.
But on the Graylog side, I received 9 messages in total (matching the same requirements) but only 4 different messages (see the colours red, green, yellow and blue below).
Ideally, what I’m trying to achieve is to only receive one message per colour and per day. So most likely in this situation I would have received only 4 emails. But in my case, with the settings you suggested, I only received one email, which is the top one in the list with the blue rectangle.
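As an added example, not from the thread or from Graylog itself, here is a small Python model of the two settings being discussed: every distinct value of the Group-by field becomes its own event key, and a key that has already notified inside the grace period is suppressed. The sample messages are constructed (9 messages, 4 distinct texts, one switch, matching the situation above), and the logic is an approximation of Graylog’s behaviour, not its code.

```python
from datetime import datetime, timedelta

# Constructed sample (not real switch output): 9 messages from one switch in a
# single day, with only 4 distinct message texts, like the 4 colours in the thread.
TEXTS = {
    "A": "%ENV-1-FAN_FAILED: fan 1 has failed",
    "B": "%ENV-1-TEMP_CRITICAL: inlet temperature critical",
    "C": "%PWR-1-SUPPLY_FAILED: power supply 2 failed",
    "D": "%STACK-1-MEMBER_LOST: stack member 3 lost",
}
SAMPLE = [
    {"timestamp": f"2024-03-01T{hhmm}:00", "source": "sw-core-01", "message": TEXTS[k]}
    for hhmm, k in [("08:00", "A"), ("08:05", "B"), ("09:10", "A"), ("10:00", "C"),
                    ("11:30", "A"), ("12:00", "D"), ("13:45", "B"), ("15:00", "A"),
                    ("16:20", "C")]
]

def notifications(messages, group_by, grace=timedelta(hours=24)):
    """Return the messages that would each produce a notification email.

    Approximation of the Graylog settings discussed in the thread (not Graylog's
    own code): every distinct combination of the group-by field values is its
    own event key, and once a key has notified, further matches for that key are
    suppressed until the grace period since that notification has elapsed.
    """
    last_sent = {}  # event key -> time of the last notification for that key
    sent = []
    for msg in sorted(messages, key=lambda m: m["timestamp"]):
        ts = datetime.fromisoformat(msg["timestamp"])
        key = tuple(msg[field] for field in group_by)
        previous = last_sent.get(key)
        if previous is not None and ts - previous < grace:
            continue  # still inside the grace period for this key: no email
        last_sent[key] = ts
        sent.append(msg)
    return sent

def email_count(messages, group_by, **kwargs):
    """Number of emails the model would send for the given grouping."""
    return len(notifications(messages, group_by, **kwargs))

if __name__ == "__main__":
    # Grouping by source collapses all 9 messages into one key: a single email.
    print("group by source :", email_count(SAMPLE, ["source"]))   # 1
    # Grouping by message gives one key per distinct text: four emails.
    print("group by message:", email_count(SAMPLE, ["message"]))  # 4
```

Grouping by "source" is what produced the single blue email; grouping by the message field gives one email per colour, and a repeat of the same text is only emailed again once the 24h grace period has run out.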