Hi, that's certainly possible.
Simply create a stream containing only the messages of that single system (e.g. by checking the value of the "source" message field) and create a stream alert which will go off if the stream contains more than X messages within the last 60 minutes.

- http://docs.graylog.org/en/2.1/pages/streams.html
- http://docs.graylog.org/en/2.1/pages/streams/alerts.html#message-count-condition

Cheers,
Jochen

On Wednesday, 7 September 2016 19:04:56 UTC+2, ironmanmk42 wrote:
>
> Graylog 1.3.2 (for now and looking to implement Graylog 2.1)
>
> Is it possible to set up a stream to alert if the number of messages from a
> single source exceeds a count?
> I have some misbehaving apps on hosts which suddenly send over a million
> syslogs in say an hour or two because of a faulty app.
> It would be great to have a stream which can alert with the source and
> message count over last 1 hour if say > 1 million.
>
> Thanks,
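
The message-count condition discussed in this thread, sketched as a stand-alone Python example that is added here and is not Graylog code or part of the original messages: it counts messages per `source` in a sliding 60-minute window and reports the source and count once the threshold is exceeded. The function names, the 30-minute re-alert grace interval and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # "within the last 60 minutes"
GRACE = timedelta(minutes=30)   # assumed interval before the same source re-alerts


def find_floods(events, threshold, window=WINDOW, grace=GRACE):
    """Return (time, source, count) whenever a source has more than
    `threshold` messages inside the sliding window.
    `events` is a time-ordered iterable of (timestamp, source)."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    last_alert = {}              # source -> time the source last alerted
    alerts = []
    for ts, source in events:
        q = recent[source]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > threshold:
            prev = last_alert.get(source)
            # Suppress repeats so a flood raises one alert, not one per message.
            if prev is None or ts - prev >= grace:
                alerts.append((ts, source, len(q)))
                last_alert[source] = ts
    return alerts


def sample_events():
    """Constructed sample: app01 logs every 10 s for 20 minutes (faulty app),
    db01 logs every 5 minutes for two hours (normal)."""
    start = datetime(2016, 9, 7, 17, 0, 0)
    ev = [(start + timedelta(seconds=10 * i), "app01") for i in range(120)]
    ev += [(start + timedelta(minutes=5 * i), "db01") for i in range(24)]
    return sorted(ev)


if __name__ == "__main__":
    for ts, source, count in find_floods(sample_events(), threshold=100):
        print(f"{ts:%H:%M:%S} source={source} count={count} in last 60 min")
```

Keying the counter on `source` means one pass covers every host, whereas the stream approach above needs one stream per system being watched.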
