Let me first explain what we're trying to achieve with a practical example to see if there is a way to achieve it without creating multiple streams with identical rules.
Example Stream: Let's keep it simple Messages that include Error 500 Alert Triggered for every message that shows up in this stream Trigger alert when there are moreless than messages in the last minute and then wait at least minutes until triggering a new alert. (grace period) When sending an alert, include the last messages of the stream evaluated for this alert condition. Callback Graylog Jira intergration plugin Create a new jira ticket if one for the same endpoint doesn't exist. (ie no repeat tickets for the same endpoint) This all works out fine. Now we want to add another alert condition so that if we get > 5 errors per minute (abnormal situation), we want to send out an email or sms alert. Easy to create the alert, but how do you create the email / sms callback to associate to this alert and not to every other alert. Basically decouple the alerts from the callbacks and map which alert or combination of alerts trigger which callback. Of course we can achieve this by creating another stream with the exact same stream rules and set the alert / callback in this new stream. But that has a cost, the actual rules match for the stream is more complex than a simple one field match, and it's costly to repeat that if we want different alert / callback combinations. How do others do this? Perhaps using pipelines? Perhaps we're not fulling understanding stream | stream rules | alerts | callbacks flow? Thanks -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/98cec44a-7179-47c2-a921-8dedec785db7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
