Unique notification

@gertz I have now had a longer conversation with one of the developers. This is gonna be a rough ride, so fasten your seat belt.

I might have a solution where you would get one email for every unique incident, for which you could configure a grace period of a couple of hours/days. That way the noise in the messages would be reduced.

  1. I assume from your previous messages that you already extracted the ID into its own message field called CN. If not, then you should do so now.
  2. Create/Edit the event definition and remove the aggregation part; we only need the filter. There you adjust the query so only the log entries you want the alert to be raised from are visible.
    For example: _exists_:CN

    Click Next to go to the Fields tab.
  3. In the next step, Fields, we need to add a new Event Field which will group your events based on the key. That means you will get an email for every occurrence of a log entry, distinct by the value of this field.

    Replace http_method with your field name CN.
  4. In the next step you have to configure your notification. Here it is important to set a sensible grace period.

    I configured a grace period of 5 hours which means I will get a mail for every unique value in CN every 5 hours.

That should do the trick. I hope this helps. Let me know if something is not clear.

Best regards,
Konrad

3 Likes
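As an added illustration (not part of Konrad's post and not Graylog's own code), here is a small Python simulation of what the configuration described above does: keep only events that carry the key field (the _exists_:CN filter), group them by the value of that field, and send at most one notification per distinct value within the grace period. The sample events, the 5-hour grace value and the assumption that the grace timer restarts at the last notification actually sent are constructed for this example.

```python
"""Simulate Graylog-style 'group by field + grace period' notifications.

Added example, not Graylog's code. Assumptions:
  - events are dicts with an epoch 'timestamp' (seconds) and optionally the key field
  - the grace period is measured from the last notification sent for that key value
"""

GRACE_PERIOD_SECONDS = 5 * 60 * 60  # 5 hours, the value used in the post


def notifications_for(events, key_field="CN", grace_seconds=GRACE_PERIOD_SECONDS):
    """Return the (timestamp, key_value) pairs for which a notification would be sent.

    Events without key_field are dropped (the _exists_ filter). For each distinct
    value of key_field a notification is emitted unless one was already sent for
    that value less than grace_seconds ago.
    """
    last_sent = {}  # key value -> timestamp of the last notification for it
    sent = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if key_field not in ev:
            continue  # filtered out: no CN field on this message
        key = ev[key_field]
        ts = ev["timestamp"]
        prev = last_sent.get(key)
        if prev is None or ts - prev >= grace_seconds:
            last_sent[key] = ts
            sent.append((ts, key))
        # otherwise: suppressed, still inside the grace period for this key
    return sent


def suppressed_count(events, key_field="CN", grace_seconds=GRACE_PERIOD_SECONDS):
    """Number of matching events (having key_field) that did NOT produce a notification."""
    matching = sum(1 for ev in events if key_field in ev)
    return matching - len(notifications_for(events, key_field, grace_seconds))


# Constructed sample stream (timestamps in seconds relative to t=0).
SAMPLE_EVENTS = [
    {"timestamp": 0, "CN": "cert-A"},            # first sighting of cert-A -> notify
    {"timestamp": 600, "CN": "cert-A"},          # 10 min later -> suppressed
    {"timestamp": 1200, "CN": "cert-B"},         # first sighting of cert-B -> notify
    {"timestamp": 3600, "message": "no CN"},     # no CN field -> filtered out
    {"timestamp": 5 * 3600, "CN": "cert-A"},     # exactly 5 h after last cert-A -> notify
    {"timestamp": 5 * 3600 + 60, "CN": "cert-B"},  # 4 h 41 min after cert-B -> suppressed
]

if __name__ == "__main__":
    for ts, cn in notifications_for(SAMPLE_EVENTS):
        print(f"t={ts:>6}s  notify CN={cn}")
    print("suppressed:", suppressed_count(SAMPLE_EVENTS))
```

Shortening the grace period (or lengthening it) is the knob the post refers to; with a shorter grace the same stream would produce more mails per CN, with a longer one fewer, but never more than one per distinct CN value inside one grace window.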