Graylog v2.0.3.

I think the "alert condition" is the problem. I don't have one set right now. I thought that the capture of the message into the stream was the setting of the condition to trigger the alert.

I didn't set the one inside the stream itself; I wasn't sure my use case matched what it wanted. I am getting a hit on a regex expression found as a part of a field (message). But the only choices are:

- Message Count
- Field Value
- Field Content Value

The first two don't fit the context of what I'm alerting on and the alert behavior I want; the last one might, but I don't know what to put in its settings. I'm sure that the first field would be "message", same as triggered in the original route of the message to the stream, but I don't know what "set to" is going to be. Do I enter the same regex expression I put in the original filter to route it, or plain text "is down"? What exactly are the rules and syntax for what goes in these fields?

    Trigger alert when a message arrives that has the field set to and then wait at least minutes until triggering a new alert. (grace period)

Thanks,
Rob

Rob Reinhardt
Vice President, Operations
Healytics, Inc.

On Wed, Aug 17, 2016 at 6:44 AM, Jochen Schalanda <[email protected]> wrote:
> Hi Rob,
>
> which version of Graylog are you using?
>
> Are there any messages in the stream you've created?
>
> Did you create a proper alert condition (and if so, what is it)?
>
> Cheers,
> Jochen
>
> On Tuesday, 16 August 2016 20:25:33 UTC+2, Rob Reinhardt wrote:
>>
>> I have OpenNMS writing all events to syslog and graylog2 is ingesting all
>> syslog messages via logstash/gelf.
>>
>> The messages get into graylog2 fine and I can search them.
>>
>> I configured a stream and tested the e-mail with a dummy e-mail, and the
>> e-mail makes it to me just fine.
>>
>> My stream uses a regex to find the words "is down" (from a typical
>> OpenNMS node-is-down event), and the stream "Test against stream" finds it,
>> and in live running it also says that it successfully routed it [this is
>> the actual regex if you're curious, and it works:
>> \bis\W+(?:\w+\W+){0,2}?down\b ]
>>
>> Routed into streams
>>
>> - Watching OpenNMS Reporting that a Node is Down
>>   <http://172.16.12.55:9000/streams/57b1da2f738065109b1608a2/search>
>>
>> However, after all that the e-mail doesn't fire, and the counter I created
>> for the dashboard still says 0.
>>
>> Any ideas what could be wrong?
>>
>> Thanks,
>> Rob
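As an added example (not part of this thread, and not Graylog's own code), the stream rule regex quoted above run against constructed OpenNMS-style syslog lines, so you can see exactly which messages the rule routes and which it ignores. It assumes that Python's re module treats this particular pattern the same way Graylog's Java regex engine does (both support \b, \W, \w and the lazy {0,2}? quantifier); the sample messages are constructed.

```python
import re

# The stream rule regex quoted in the thread, unchanged.
# It matches "is", then up to two whole words, then "down" as a whole word.
NODE_DOWN_PATTERN = re.compile(r"\bis\W+(?:\w+\W+){0,2}?down\b")

# Constructed sample messages in the style of OpenNMS syslog events.
SAMPLE_MESSAGES = [
    "OpenNMS: Node 10.0.0.5 is down",                    # plain "is down"
    "OpenNMS: Interface eth0 on core-sw1 is now down",   # one word in between
    "OpenNMS: Service HTTP is currently reported down",  # two words in between
    "OpenNMS: Node 10.0.0.5 is really truly very down",  # three words: not routed
    "OpenNMS: Node 10.0.0.5 is up",                      # recovery event: not routed
    "OpenNMS: This island is downtown",                  # substrings only: not routed
]


def matches_node_down(message: str) -> bool:
    """Return True if the stream rule regex would match this message field."""
    return NODE_DOWN_PATTERN.search(message) is not None


def route_to_stream(messages):
    """Return the subset of messages the stream rule would route into the stream."""
    return [m for m in messages if matches_node_down(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{'ROUTED ' if matches_node_down(m) else 'ignored'}: {m}")
```

Note that this only reproduces the stream routing step; the thread does not settle what belongs in the alert condition's "set to" field, and this example does not guess at it.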
