Open drewmiranda-gl opened 3 weeks ago
Can see this popping up on test-dev-ng with stock config
As Drew suggests - this should not be a notification pop-up. Printing a message to Graylog's log file would be adequate. This message is INFO urgency equivalent.
Can we also update this copy: "Maximum number of events to be created per execution of this Event Definition. If a greater number of events would be created than the limit allows, excess events not recorded."
Graylog Events using "Filter & Aggregation" Condition Type have 2 options for 'Create Events for Definition if...'
When using 'Filter has results', you are now REQUIRED to specify an event limit, between 1 and 1000. Once this limit is reached (not exceeded) a Graylog system alert is generated:
However this is confusing for a couple of reasons:
This is to say, it's 100% expected that this event limit will be reached. I don't think a system alert should be generated and the advice it gives is counter to the intended outcome.
Expected Behavior
Using Event limit as it's intended should not throw a system alert
Current Behavior
Once the event limit is reached (even if the limit is set to 1 and 1 message is returned), a system event is generated.
Possible Solution
Remove this system alert, or at least allow the user to disable it either globally or per event.
Steps to Reproduce (for bugs)
Context
Attempting to create a simple event that fires if the search query is met and prevents more than a single event from being created. This generated a system event which is not actionable and technically not solvable other than changing 'Create Events for Definition if...' to 'Aggregation of results reaches a threshold', which is the workaround I will use.
Your Environment
Happy to discuss! Let me know if there are any questions.