Hi Avdhoot,

the alerting implementation in Graylog is using Elasticsearch queries internally. Depending on how long it takes to index messages and depending on the timestamp of the messages, it might happen that the alert condition isn't met within a sliding window of 60 seconds. Additionally, the alert conditions are only checked every 60 seconds by default (see https://github.com/Graylog2/graylog2-server/blob/1.1.5/misc/graylog2.conf#L294-296) so that there are quite some edge cases which might lead to missing some alerts.
You could either reduce the alert check interval in the configuration file of Graylog (this will cause a performance impact, though) or increase the check window to 5 minutes instead of 1 minute (alert if more than 1 message in the last 5 minutes appeared in the stream).

Cheers,
Jochen

On Wednesday, 5 August 2015 08:15:21 UTC+2, Avdhoot Dendge wrote:
> It should send mail when stream received any message then wait for 1 min to send another one. Note: from past 7 days stream not generating any alert when stream have more than 0 message in minute.
>
> Alert condition:
> *Alert is triggered when there are more than 0 messages in the last minute. Grace period: 1 minute. Including last 2 messages in alert notification.*
>
> On Tuesday, August 4, 2015 at 5:47:11 PM UTC+5:30, Jochen Schalanda wrote:
>> Hi Avdhoot,
>>
>> how does your alert condition look like and what should it do actually?
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 4 August 2015 13:04:11 UTC+2, Avdhoot Dendge wrote:
>>> Need help to debug why Graylog is not generating alert even alert condition satisfied. Please check below screenshot for alert conditions & stream histogram of 30 min.
>>>
>>> Message count condition
>>> Alert is triggered when there are more than 0 messages in the last minute. Grace period: 1 minute. Including last 2 messages in alert notification.
>>>
>>> <https://lh3.googleusercontent.com/-Y6zHelHlsVU/VcCJVFAwffI/AAAAAAAAECU/5xUdwpG2B0Q/s1600/graylog_histo.png>
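
The edge case described in the reply at the top of this thread, as an added example that is not part of the original messages and not Graylog's own code: a simplified model of a periodic message-count check against a search index, showing which messages are never counted when the window equals the check interval. The function names, the 5-second indexing delay and the sample timestamps are assumptions made for illustration.

```python
# Simplified model (an assumption, not Graylog's code) of a periodic
# "message count" alert check that queries a search index.

def visible_count(messages, check_time, window):
    """Count messages a check at check_time can see: the timestamp lies in
    the sliding window AND the message is already searchable in the index."""
    return sum(
        1 for ts, indexed_at in messages
        if check_time - window < ts <= check_time and indexed_at <= check_time
    )

def run_checks(messages, window, interval, horizon, threshold=0):
    """Return the check times at which the condition 'more than threshold
    messages in the last window seconds' is met."""
    return [t for t in range(interval, horizon + 1, interval)
            if visible_count(messages, t, window) > threshold]

def missed(messages, window, interval, horizon):
    """Return the messages that no check ever counted."""
    checks = range(interval, horizon + 1, interval)
    return [m for m in messages
            if not any(visible_count([m], t, window) for t in checks)]

# Constructed sample: (message timestamp, time it became searchable), seconds.
# Every message takes 5 s to index; two of them arrive just before a check.
INDEX_DELAY = 5
SAMPLE = [(ts, ts + INDEX_DELAY) for ts in (10, 58, 130, 177, 250)]

if __name__ == "__main__":
    # 1-minute window with 1-minute checks, then the two suggested changes:
    # a 5-minute window, or a shorter check interval.
    for window, interval in ((60, 60), (300, 60), (60, 10)):
        fired = run_checks(SAMPLE, window, interval, horizon=600)
        lost = missed(SAMPLE, window, interval, horizon=600)
        print(f"window={window:>3}s interval={interval:>2}s "
              f"alerts at {fired} missed {[ts for ts, _ in lost]}")
```

In this model a message is lost whenever it arrives less than the indexing delay before a check: it is not yet searchable at that check and already outside the window at the next one.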
