I have some alerts set up that trigger after a period without any log messages. For the most part they work as expected, but I get the occasional false positive. All of the alerts that trigger due to there being log messages within a given time frame work as expected, and I haven't had any false positives.

An example of a false positive is an alert on a stream that constantly has log messages coming into it with no real break. I have an alert that should trigger if there have been no logs in the past hour. In the past week it's triggered three times without there ever being an hour gap (or even close to an hour). So it's usually evaluating things correctly, just not all the time, which makes the alert much less useful. For a while I thought there might be a delay in Graylog flushing the logs into ES, but that would have to be a really big delay for it to trigger for the hour time period.

Any ideas on how I can troubleshoot this or get some more detail on how it's evaluating the conditions that lead to the alert triggering?
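As an added example (not part of the original post, and not Graylog's own code): a small simulation of how a "no messages in the last hour" condition that is evaluated on the event `timestamp` field can fire on a stream that never actually went quiet, simply because a run of messages became searchable late. It also shows the troubleshooting check a practitioner wants when such an alert fires: re-run the exact window the alert evaluated some time later. If messages have appeared, the cause was ingestion lag; if the window is still empty, the gap was real. The `Msg` structure, the one-message-per-minute stream, the 02:35 backlog flush and the 02:45 to 03:50 silence are all constructed assumptions for the demo, not Graylog internals or real data.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Msg(NamedTuple):
    event_ts: datetime    # the message's own `timestamp` field
    indexed_ts: datetime  # when it became searchable (assumed, for the demo)


T0 = datetime(2016, 1, 1, 0, 0)
MIN = timedelta(minutes=1)
HOUR = timedelta(hours=1)


def build_sample() -> List[Msg]:
    """Constructed sample, not real Graylog data: one message per minute for
    four hours, except a genuine silence from 02:45 to 03:50. Messages with
    event times in [01:00, 02:30) sit in a backlog and only get indexed at
    02:35 (a simulated flush delay); everything else is indexed 10 s after
    its event time."""
    msgs = []
    for i in range(240):
        ev = T0 + i * MIN
        if T0 + 2 * HOUR + 45 * MIN <= ev < T0 + 3 * HOUR + 50 * MIN:
            continue  # real gap on the stream
        if T0 + HOUR <= ev < T0 + 2 * HOUR + 30 * MIN:
            idx = T0 + 2 * HOUR + 35 * MIN  # backlog flushed late
        else:
            idx = ev + timedelta(seconds=10)
        msgs.append(Msg(ev, idx))
    return msgs


def visible_count(msgs: List[Msg], eval_ts: datetime, window: timedelta,
                  as_of: datetime = None) -> int:
    """Messages a search run at `as_of` (default: eval_ts) would return for
    the window [eval_ts - window, eval_ts) on the event timestamp. Only
    messages already indexed at `as_of` are visible."""
    as_of = as_of or eval_ts
    lo = eval_ts - window
    return sum(1 for m in msgs
               if m.indexed_ts <= as_of and lo <= m.event_ts < eval_ts)


def absence_alert_fires(msgs: List[Msg], eval_ts: datetime,
                        window: timedelta) -> bool:
    """The 'no messages in the last window' condition as evaluated live."""
    return visible_count(msgs, eval_ts, window) == 0


def classify_firing(msgs: List[Msg], eval_ts: datetime, window: timedelta,
                    recheck_delay: timedelta) -> str:
    """Troubleshooting check: re-run the same window later. If messages have
    appeared, the alert was caused by ingestion lag, not a real silence."""
    later = visible_count(msgs, eval_ts, window, as_of=eval_ts + recheck_delay)
    return "ingestion-lag" if later > 0 else "real-gap"


def max_event_gap(msgs: List[Msg]) -> timedelta:
    """Ground truth: largest gap between consecutive event timestamps."""
    evs = sorted(m.event_ts for m in msgs)
    return max((b - a for a, b in zip(evs, evs[1:])), default=timedelta(0))


def simulate(msgs: List[Msg], start: datetime, end: datetime, step: timedelta,
             window: timedelta, recheck_delay: timedelta) -> Dict[datetime, str]:
    """Evaluate the condition every `step` from start to end (inclusive) and
    return {evaluation time: classification} for every firing."""
    firings = {}
    t = start
    while t <= end:
        if absence_alert_fires(msgs, t, window):
            firings[t] = classify_firing(msgs, t, window, recheck_delay)
        t += step
    return firings


def run_demo() -> dict:
    msgs = build_sample()
    firings = simulate(msgs, T0 + HOUR, T0 + 4 * HOUR, MIN, HOUR, HOUR)
    summary = {"ingestion-lag": 0, "real-gap": 0}
    for kind in firings.values():
        summary[kind] += 1
    return {
        "max_gap_minutes": int(max_event_gap(msgs) / MIN),
        "firings": summary,
        "first_firing": min(firings),
        "last_lag_firing": max(t for t, k in firings.items()
                               if k == "ingestion-lag"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The stream's true maximum gap is 66 minutes (02:44 to 03:50), so only the evaluations between 03:45 and 03:50 are legitimate; every firing from 02:00 to 02:30 is caused by the delayed indexing of messages whose event timestamps fall inside the window. The practical takeaway for an alert like the one in the post: when it fires, note the exact window it evaluated and re-run that search a while later. If the messages are there by then, the problem is indexing latency (journal backlog, Elasticsearch indexing throughput) rather than the alert condition, and a grace period only helps if it is longer than the lag you actually see.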
