Forgot to set in the trigger setting the number of backlog to include... my bad!

On Wednesday, August 17, 2016 at 9:38:20 AM UTC-4, [email protected] wrote:
>
> Hi,
>
> So I have this stream to alert on specific event ID received. I do receive
> the emails but it always shows <No backlog> instead of the last events.
>
> Example received email:
>
> ##########
>>
>> Alert Description: Stream had 517 messages in the last 120 minutes with
>> trigger condition more than 3 messages. (Current grace time: 60 minutes)
>>
>> Date: 2016-08-15T20:15:45.724Z
>>
>> Stream ID: 578e75400ae2f10b11387f0d
>>
>> Stream title: AD Failed Logons
>>
>> Stream description: AD Failed Logons
>>
>> Stream URL:
>> https://logs.domain.com/streams/578e75400ae2f10b11387f0d/messages?rangetype=absolute&from=2016-08-15T18:15:45.724Z&to=2016-08-15T20:15:45.724Z&q=*
>> <https://logs.casgrain.ca/streams/578e75400ae2f10b11387f0d/messages?rangetype=absolute&from=2016-08-15T18:15:45.724Z&to=2016-08-15T20:15:45.724Z&q=*>
>>
>> Triggered condition:
>> 7f6c6733-f3ae-4add-873c-dac3d81d0828:MESSAGE_COUNT={time: 120,
>> threshold_type: more, threshold: 3, grace: 60},
>> stream:={578e75400ae2f10b11387f0d: "AD Failed Logons"} ##########
>>
>> <No backlog>
>>
>
> Here is my callback:
>
> ##########
>>
>> Alert Description: ${check_result.resultDescription}
>>
>> Date: ${check_result.triggeredAt}
>>
>> Stream ID: ${stream.id}
>>
>> Stream title: ${stream.title}
>>
>> Stream description: ${stream.description}
>>
>> ${if stream_url}Stream URL: ${stream_url}${end}
>>
>> Triggered condition: ${check_result.triggeredCondition}
>>
>> ##########
>>
>> ${if backlog}Last messages accounting for this alert:
>>
>> ${foreach backlog message}
>>
>> Source host: ${message.fields.source}
>>
>> Targeted Username: ${message.fields.TargetUserName}
>>
>> Source Username: ${message.fields.SubjectUserName}
>>
>> ${end}${else}<No backlog>
>>
>> ${end}
>>
>
> I do have other streams that work fine however.
>
> Is there a way to debug this? I'll assume human error but in the event of
> a bug, I'd like some "meat" before submitting a bug tracker.
>
