Hi, I am having a hard time triggering an email from Graylog. Please help.
My log file periodically generates something like “statistics: message age: 60”
And I want to be alerted when the message age is higher than a threshold number.
Here’s my setup:
System Inputs: FileBeat log Input with a regular expression extractor defined to extract the “age” field, such as “age: 100”, as a numeric field.
Input Stream: A RegEx stream that matches when the "age: " keyword shows up in the input
I can verify that I do see the “age” field getting populated with the correct value (from the message stream dashboard)
Alert Condition: A Field Aggregate Alert Condition described as “Alert is triggered when the field age has a higher max value than 5 in the last minute. Grace period: 1 minute. Including last 5 messages in alert notification. Configured to not repeat notification”
Condition Detail: Age Condition
Time Range: 1
Threshold Type: higher
Aggregation Type: max value
Grace Period: 1
Message Backlog: 5
Repeat notifications: false
Alert Notification: An email setup that is verified to work (by other alert conditions).
It looks like my Alert Condition is never met and never triggered. Do I have to do anything special if it’s a custom field?