Feature request : being able to use keywords in alerting system

[pirona]

When creating an alert / event with condition type filter & aggregation, the time period can only be numerical values in seconds / hours / minutes

Expected Behavior

Being to use keyword search when configuring an event / alert

Current Behavior

Functionality not implemented, one can only use numerical values in seconds / minutes / hours when configuring an event / alert/

Possible Solution

Add a keyword field as in streams searches.

Steps to Reproduce (for bugs)

Create an event / alert, choose filter & aggregation condition type. Try to configure a relative period of time : you can't

Context

It would be interesting to be able to use keywords, as in stream searches. For instance, I am monitoring Java's garbage collector, and especially the full invocation cardinality : the value itself is not interesting but the number of full invocations within a period of time is. Which leads me to search for full invocation in the present day since midnight, which I can do in streams and not in alerts / events.

Your Environment

One graylog node

• Graylog Version: 3.1.2-1
• Elasticsearch Version: 6.8.3
• MongoDB Version: 1:3.2.11-2+deb9u1
• Operating System: Debian 9.11
• Browser version: not relevant : last firefox

[kroepke]

To me this sounds like we should generally improve the date-time picker widget.

The keyword parser has some nasty, hard to understand edge cases and in the end it's almost as hard to use as an improved picker UI, because the user typically needs to double check the actual time range it resolves to.

I believe this is valuable to have in dashboards, reports and searches as well, which will all share the same search engine in 3.2.

Thanks for your request!

[pirona]

No worries, always available to give you guys some extra work ;)

[dnadamslw]

Any progress on this? I need some event definitions to alert based on whether or not a message timestamp happened between say 6AM and 7AM only.