Hello Jochen,

As you suggested, increasing the check window time (3min) solved the problem. Thanks for the detailed info regarding the alert implementation and workaround.

On Wednesday, August 5, 2015 at 1:48:31 PM UTC+5:30, Jochen Schalanda wrote:
> Hi Avdhoot,
>
> the alerting implementation in Graylog is using Elasticsearch queries internally. Depending on how long it takes to index messages and depending on the timestamp of the messages, it might happen that the alert condition isn't met within a sliding window of 60 seconds. Additionally the alert conditions are only checked every 60 seconds by default (see https://github.com/Graylog2/graylog2-server/blob/1.1.5/misc/graylog2.conf#L294-296) so that there are quite some edge cases which might lead to missing some alerts.
>
> You could either reduce the alert check interval in the configuration file of Graylog (this will cause a performance impact, though) or increase the check window to 5 minutes instead of 1 minute (alert if more than 1 message in the last 5 minutes appeared in the stream).
>
> Cheers,
> Jochen
>
> On Wednesday, 5 August 2015 08:15:21 UTC+2, Avdhoot Dendge wrote:
>> It should send mail when the stream receives any message, then wait for 1 min to send another one. Note: for the past 7 days the stream has not generated any alert when the stream has more than 0 messages in a minute.
>>
>> Alert condition:
>> *Alert is triggered when there are more than 0 messages in the last minute. Grace period: 1 minute. Including last 2 messages in alert notification.*
>>
>> On Tuesday, August 4, 2015 at 5:47:11 PM UTC+5:30, Jochen Schalanda wrote:
>>> Hi Avdhoot,
>>>
>>> what does your alert condition look like and what should it actually do?
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Tuesday, 4 August 2015 13:04:11 UTC+2, Avdhoot Dendge wrote:
>>>> Need help to debug why Graylog is not generating an alert even though the alert condition is satisfied. Please check the screenshot below for the alert conditions & the stream histogram of 30 min.
>>>>
>>>> Message count condition
>>>> Alert is triggered when there are more than 0 messages in the last minute. Grace period: 1 minute. Including last 2 messages in alert notification.
>>>>
>>>> <https://lh3.googleusercontent.com/-Y6zHelHlsVU/VcCJVFAwffI/AAAAAAAAECU/5xUdwpG2B0Q/s1600/graylog_histo.png>
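
The edge case described in the thread (a 60-second search window checked every 60 seconds, with messages that become searchable late) can be reproduced with a small model. This is an added example, not Graylog's code: the `Msg` class, the function names and the sample messages are constructed for illustration, and the grace period is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    name: str
    ts: int          # timestamp carried by the message (seconds)
    indexed_at: int  # moment it becomes searchable (seconds)

# Constructed sample: A is indexed quickly, B takes 10 s to index,
# C arrives 90 s late (slow shipper or skewed source clock).
SAMPLE = [Msg("A", 50, 52), Msg("B", 115, 125), Msg("C", 200, 290)]

def visible(msgs, now, window):
    """Messages a search at `now` returns for the range (now-window, now]."""
    return [m for m in msgs
            if m.indexed_at <= now and now - window < m.ts <= now]

def fired_checks(msgs, window, interval=60, threshold=0, until=600):
    """Check times at which 'more than `threshold` messages in the last
    `window` seconds' is true, with one check every `interval` seconds."""
    return [t for t in range(interval, until + 1, interval)
            if len(visible(msgs, t, window)) > threshold]

def never_seen(msgs, window, interval=60, until=600):
    """Names of messages that no check ever counted."""
    seen = {m.name
            for t in range(interval, until + 1, interval)
            for m in visible(msgs, t, window)}
    return [m.name for m in msgs if m.name not in seen]

if __name__ == "__main__":
    for window in (60, 180, 300):
        print(window, fired_checks(SAMPLE, window), never_seen(SAMPLE, window))
```

In this model a shorter check interval recovers message B but not C, whose delay exceeds the 60-second window; widening the window recovers both.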
