Update:

I seem to have come to a conclusion on the source of this issue, by 
lowering the value of alert_check_interval in server.conf to a value less 
than 60. 

If anyone is interested in why this works the way it does:

Alerts are monitored through the AlertScannerThread periodic task, which 
runs every x seconds, where x is what alert_check_interval is set to in 
your server.conf file. By default, this is 60. Grace period allows you to 
throttle alerts so that it is only run every few minutes, but again, if the 
grace period is shorter than alert_check_interval, then the check will only 
occur outside of a grace period for any given alert.

So, grace period can only be used to delay alerts and prevent an 
overwhelming amount of alarms, but not to trigger an alert on every message.



On Tuesday, November 8, 2016 at 1:50:06 PM UTC-5, Jordan McMichael wrote:
>
> Hi,
>
> If the grace period is set to 0, should a Field Content Alert Condition 
> trigger for every message that passes through it?
>
> I am working on an error tracking system, where each stream represents a 
> separate reason for a developer to be notified, whether this is per page, 
> application, etc. In order to create this, I need a way to trigger an 
> action to occur on each message, and I need to know what stream it is 
> coming from. There will be a periodic task that sends out notifications at 
> regular intervals after the first notification occurs, in addition to a 
> couple other conditions.
>
> Since this system will be notifying on errors in a production environment, 
> the initial notification needs to be sent when the first instance of an 
> error in some time occurs. In addition, since any error could pass through 
> multiple streams, I also need to track which stream it is passing through. 
> My go-to in this case, then, is Alert Conditions and AlarmCallbacks. 
> Specifically, I am using a Field content value alert condition. 
>
> What I am seeing, however, is that when grace period is set to 0 (minutes), 
> I only get a notification once a minute. I would expect that from a grace 
> period of 1 (minute), but I am not sure if I'm misunderstanding what the 
> grace period means.
>
> Is this intended functionality? My life would be made much easier if I 
> could have the alarm trigger on every message.
>
> Using Graylog 2.1.2, package install.
>
> Thank you,
>
> Jordan McMichael
>
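
The scanner behaviour described in the update above, as an added simulation that is not from the original post and is not Graylog's own code. It assumes a scanner that wakes every alert_check_interval seconds, fires at most once per scan if any matching message arrived since the previous scan, and skips firing while the grace period is running; `simulate`, `MESSAGES` and the arrival times are constructed for illustration.

```python
def simulate(message_times, check_interval, grace_seconds, horizon):
    """Return the scan times (in seconds) at which a notification fires.

    Simplified model of the behaviour described in the post (an assumption,
    not Graylog source): the condition is only evaluated when the periodic
    scanner wakes up, so several messages between two scans collapse into
    one notification, and a grace period can only suppress further ones.
    """
    fired, last_fire, last_scan = [], None, 0
    for now in range(check_interval, horizon + 1, check_interval):
        # Did at least one matching message arrive since the previous scan?
        matched = any(last_scan < m <= now for m in message_times)
        # Is the previous notification still inside its grace period?
        in_grace = last_fire is not None and now - last_fire < grace_seconds
        if matched and not in_grace:
            fired.append(now)
            last_fire = now
        last_scan = now
    return fired


# Constructed sample: arrival times (seconds) of six matching error messages.
MESSAGES = [5, 12, 30, 61, 62, 130]

if __name__ == "__main__":
    # (alert_check_interval, grace period) pairs, both in seconds.
    for interval, grace in [(60, 0), (60, 30), (10, 0), (10, 60)]:
        times = simulate(MESSAGES, interval, grace, horizon=180)
        print(f"alert_check_interval={interval:>2}s grace={grace:>2}s -> {times}")
```

In this model a grace period shorter than the check interval changes nothing, and even a 10-second interval merges the two messages at 61 s and 62 s into one notification.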
