Unique notification

Is it possible to set up aggregation for an alert (notification) for unique values?

I tried:
If
count() - variable > 1

variable is the value returned from the messages.

I'm using Graylog v3.1.3.

Hi gertz,

The screenshot was made with 3.2, but this should do the trick with 3.1.

It alerts when, in the last 4 minutes, a message exists only once.

If you meant something else, let me know and we'll figure something out.


I have hundreds of messages per day like
CN=25-484-154
CN=25-484-154
CN=25-447-154
CN=25-484-154
CN=25-447-154
CN=25-447-154

This is CN=25-447-154 already extracted from the pattern (in my previous message it was VARIABLE).

And I need to send via mail just something like:
CN=25-447-154
CN=25-484-154

Can you describe for me, in your own words, the condition under which the email needs to be sent?

I am not able to see the pattern for when you want to send the email. But I am pretty sure we will find a solution.

Best regards,
Konrad

I have a lot of devices with expired certificates, and from the logs (which one host sends) I extract the ID of the device, like CN=25-484-154, but that device sends this error many times per hour. I only need to send the information in one mail with all the device IDs, unique, without duplicates.

My pattern for the value: CN=[\s*a-zA-Z0-9._-]+

Search query: “VERIFY ERROR: depth=0, error=certificate has expired: CN=”

Sending on a daily basis.

@gertz I had a longer conversation with one of the developers just now. This is going to be a rough ride, so fasten your seat belt.

I might have a solution where you would get one email for every unique incident, for which you could configure a grace period of a couple of hours/days. That way the noise in the messages would be reduced.

  1. I assume from your previous messages that you already extracted the ID into its own message field called CN. If not, then you should do so now.
  2. Create/edit the event definition and remove the aggregation part; we only need the filter. There you adjust the query so that only the log entries you want the alert to be raised from are visible.
    For example _exists_:CN:

    Go with Next to the Fields tab.
  3. In the next step, Fields, we need to add a new Event Field which will group your events based on the key. That means you will get an email for every occurrence of a log entry, distinct by the value of this field.

    Replace http_method with your field name CN.
  4. In the next step you have to configure your notification. Here it is important to set a sensible grace period.

    I configured a grace period of 5 hours, which means I will get a mail for every unique value in CN every 5 hours.

That should do the trick. I hope this helps. Let me know if something is not clear.

Best regards,
Konrad

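As an added worked example (not code from the original thread and not part of Graylog), the Python script below runs the extractor pattern and search query quoted earlier in the thread over a handful of constructed OpenVPN-style log lines. It produces the deduplicated daily list of device IDs that gertz asked for, and it simulates what Konrad's event definition does: one event key per CN value, with a notification fired at most once per grace period for each key. The timestamps and log lines are constructed for the example; `CN_PATTERN_STRICT` is a suggested tighter pattern of my own, not one from the thread, added because the `\s` inside the quoted character class lets the match run across a space into whatever token follows the CN.

```python
import re
from datetime import datetime, timedelta

# Extractor pattern and search query exactly as quoted in the thread.
CN_PATTERN = re.compile(r"CN=[\s*a-zA-Z0-9._-]+")
QUERY = "VERIFY ERROR: depth=0, error=certificate has expired: CN="

# Caveat: inside [...] the \s admits whitespace, so the thread's pattern keeps
# matching across a space into the next token. This tighter pattern is an
# added suggestion (assumption), not something posted in the thread.
CN_PATTERN_STRICT = re.compile(r"CN=[a-zA-Z0-9._-]+")

# Constructed sample log as (timestamp, message) pairs; not from the post.
SAMPLE_LOG = [
    ("2020-01-10 08:00:01", QUERY + "25-484-154"),
    ("2020-01-10 08:00:07", QUERY + "25-484-154"),
    ("2020-01-10 08:03:12", QUERY + "25-447-154"),
    ("2020-01-10 09:15:00", "TLS: Initial packet from [AF_INET]10.0.0.5:1194"),
    ("2020-01-10 11:40:20", QUERY + "25-484-154"),
    ("2020-01-10 14:05:33", QUERY + "25-447-154"),
    ("2020-01-10 14:05:34", QUERY + "25-484-154"),
]


def extract_cn(message, pattern=CN_PATTERN):
    """Apply the search query as the filter, then the extractor pattern.

    Returns the CN value including the 'CN=' prefix (as it appears in the
    thread) or None when the line is not an expired-certificate error.
    """
    if QUERY not in message:
        return None
    match = pattern.search(message)
    return match.group(0).strip() if match else None


def unique_cns(log, pattern=CN_PATTERN):
    """Daily digest: every distinct CN seen in the log, without duplicates."""
    return sorted({cn for cn in (extract_cn(m, pattern) for _, m in log) if cn})


def grace_period_notifications(log, grace_hours=5, pattern=CN_PATTERN):
    """Simulate an event definition keyed on CN with a per-key grace period.

    A notification fires the first time a CN is seen and again only once the
    grace period has elapsed since the last notification for that same CN.
    Returns the (timestamp, CN) pairs that would have been mailed.
    """
    grace = timedelta(hours=grace_hours)
    last_sent = {}
    fired = []
    for ts, message in log:
        cn = extract_cn(message, pattern)
        if cn is None:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        previous = last_sent.get(cn)
        if previous is None or t - previous >= grace:
            last_sent[cn] = t
            fired.append((ts, cn))
    return fired


def pattern_caveat():
    """Show the effect of \\s in the thread's character class on a constructed
    line that has another token after the CN. Returns (loose, strict)."""
    line = QUERY + "25-484-154 serial=0x1f"
    return extract_cn(line), extract_cn(line, CN_PATTERN_STRICT)


if __name__ == "__main__":
    print("daily digest:", unique_cns(SAMPLE_LOG))
    for ts, cn in grace_period_notifications(SAMPLE_LOG):
        print("notify", ts, cn)
    print("loose vs strict pattern:", pattern_caveat())
```

With the constructed log, the digest contains the two distinct IDs, and the 5-hour grace period turns seven error lines into four notifications (each CN once in the morning and once again in the afternoon, after the grace period has elapsed); raising the grace period to 24 hours leaves exactly one notification per CN for the day.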

Thank you for the fast reply. I will try your solution; it's better than 500+ mails per day :smiley:
