Search / Event while not selecting duplicates

1. Describe your incident:*
We have events configured to send alerts based on a search. The search is as follows:
((alarm_name:ont-missing OR alarm_name:ont-dying-gasp) AND NOT calix_severity:CLEAR)

The event is set up as an aggregation on the field source:
Search within: 5 minutes
Execute search every: 5 minutes
Enable scheduling
Group by Field(s): source
Create Events if: count() >= 5

This basically says “if more than 5 devices on a single source trip in 5 minutes, create an event”. The devices are defined by a field ont-id.

Often, a single device will trip multiple times in 5 minutes, thus triggering this alert. However, I would like to not trigger the event if the count >= 5 is for the same device (ont-id).

How would I configure the search or the event in a way to do this?

2. Describe your environment:
Graylog 5.0.8+4c22532 on sparc-log01 (Eclipse Adoptium 17.0.6 on Linux 5.4.0-150-generic)

3. What steps have you already taken to try and solve the problem?
Tried various ways of crafting the search and looked at different ways to configure the event.

4. How can the community help?
Any advice appreciated.

My first guess would be to add that field as a second “group by fields”, something like

Another thing you might try is to add a cardinality if statement, which would only count unique items.

I’m using the username field in this example as a placeholder, but you can change it to suit your needs.

Hope that helps.

Excellent advice. Thanks I think the cardinality route might be the best. I will implement this and report back.

Would that be like the following?

That's it! I’m curious to know how it works out.

Gotcha, thanks. My confusion was whether to leave the count() I already had, and add the card() to it, or to replace the count with card(). It does seem to make sense to need both to get the functionality I want.

Tried these options and they do not yield the correct result.

If I add the card() rule, I get zero notifications.

If I remove the count() rule and add the card() rule I get zero notifications.

Not sure what to do here, as I just want to filter out and not get alerts for the situations when there are 5 log entries within 5 minutes for the SAME ont-id field. I do want to get notifications for 5 or more log entries matching with DIFFERENT ont-id fields.

Thanks for any help!

Drew’s idea should work in theory. I would try and get the alert to fire so that we can see what values are being counted for count or card. To do this you could change the aggregation filter to like >0 or something that should almost always fire. Then once it’s fired you replay search (I think this was added in 5, but you may need to go to 5.1) and replay search will show you how all the values were aggregated etc so you can see exactly what data is there, what counts it is getting etc.
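As an added illustration of the count() versus card() question in this thread (not code from any of the posters and not Graylog's own code), the following Python models the event's aggregation over constructed log entries: it applies the thread's search, groups matching entries by source inside a 5-minute window, computes the count() and card(ont_id) values per group (the same values a replay search would reveal), and evaluates both conditions. The field name ont_id and the source values olt-a and olt-b are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SEARCH_ALARMS = {"ont-missing", "ont-dying-gasp"}

def msg(ts, source, ont_id, alarm="ont-missing", severity="MAJOR"):
    """Build one constructed log entry (sample data, not real Graylog messages)."""
    return {"timestamp": ts, "source": source, "ont_id": ont_id,
            "alarm_name": alarm, "calix_severity": severity}

# Constructed sample: olt-a is one device (1001) flapping, olt-b is five different devices.
MESSAGES = (
    [msg(f"2023-06-01T10:00:{s:02d}", "olt-a", "1001") for s in (5, 25, 45, 55)]
    + [msg(f"2023-06-01T10:01:{s:02d}", "olt-a", "1001", alarm="ont-dying-gasp") for s in (10, 30)]
    + [msg("2023-06-01T10:02:00", "olt-a", "1002", severity="CLEAR")]  # dropped by NOT calix_severity:CLEAR
    + [msg("2023-06-01T10:07:00", "olt-a", "1003")]                    # outside the 5-minute window
    + [msg(f"2023-06-01T10:03:0{i}", "olt-b", str(2000 + i)) for i in range(5)]
)

def matches_search(m):
    """Mirror of the thread's query:
    ((alarm_name:ont-missing OR alarm_name:ont-dying-gasp) AND NOT calix_severity:CLEAR)"""
    return m["alarm_name"] in SEARCH_ALARMS and m["calix_severity"] != "CLEAR"

def aggregate(messages, window_start_iso, window=timedelta(minutes=5)):
    """Group matching messages by `source` inside [window_start, window_start + window)
    and return, per group, the two values an event definition can test:
    count() (all matching entries) and card(ont_id) (distinct devices)."""
    start = datetime.fromisoformat(window_start_iso)
    end = start + window
    groups = defaultdict(list)
    for m in messages:
        ts = datetime.fromisoformat(m["timestamp"])
        if start <= ts < end and matches_search(m):
            groups[m["source"]].append(m["ont_id"])
    return {src: {"count": len(ids), "card_ont_id": len(set(ids))}
            for src, ids in groups.items()}

def firing_sources(stats, condition):
    """Sources whose aggregated values satisfy `condition` (the 'Create Events if' test)."""
    return sorted(src for src, v in stats.items() if condition(v))

# The two conditions discussed in the thread.
COUNT_GE_5 = lambda v: v["count"] >= 5             # also fires on one flapping device
CARD_ONT_ID_GE_5 = lambda v: v["card_ont_id"] >= 5  # needs 5 distinct devices

if __name__ == "__main__":
    stats = aggregate(MESSAGES, "2023-06-01T10:00:00")
    print(stats)  # per-source values, as a replay search would show them
    print("count() >= 5 fires for:", firing_sources(stats, COUNT_GE_5))
    print("card(ont_id) >= 5 fires for:", firing_sources(stats, CARD_ONT_ID_GE_5))
```

Running it shows olt-a reaching count() = 6 with card(ont_id) = 1 (one flapping device), so only the card(ont_id) condition distinguishes it from olt-b, where five distinct devices tripped.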
