Setting up an alert condition - how to specify "today"?

Hello all. New to Graylog. I have set up my first email alert and it’s working - too well.

As a trial, I set up an alert for when any user gets added to a specific domain user group. I added a user, and it triggered as it should. However, it keeps sending me alert emails every ~24 hours, because the condition is still true.

So, I figure maybe my condition needs to specify “if this thing happened today” as well, but I can’t find any way of specifying that condition. Anyone able to help me out?

Thanks,
A

  • how did you ingest the logs?
  • in what time did you search for the alert?

Today is not possible - you need to adjust your search time or the kind of alert.

The logs are being fed into Graylog from a Windows DC via NXlog.
If it’s not possible to specify ‘today’ in the search criteria, how may I achieve my goal? The current alert works as I want it to, only that it continues to alert me every 24 hours about that single event.

The question is: why is the same event shown again every 24 hours?

It looks to me like it’s because the condition is still valid - under the Alerts section it still shows as unresolved.

So, I think I may have resolved this by setting the Message Backlog to 1 instead of 0. Tentatively, it seems to have resolved the issue of recurring alerts.