Hello,
I am struggling with flatline type of alert, when I want to set it to trigger an alarm when a log source is unavailable (number of events is below configured threshold).
This is my rule definition:
I am still getting alerts triggered even when I have 15 million documents per log source.
This is notifcation from today:
Temat: Following alert Syslog - DNS - Log source unavailable occured at 2021-06-15T00:42:18.901090Z
| Alert rule: | Syslog - DNS - Log source unavailable
-----------------------
| Timestamp: | 2021-06-15T00:42:18.901090Z
-----------------------
| Logsource: | ns1-bind9
An abnormally low number of events occurred around 2021-06-15 02:42 CEST.
Between 2021-06-14 18:42 CEST and 2021-06-15 02:42 CEST, there were less than 10 events.
And in this timeframe I had over 20 million documents from this logsource.
I am missing some point.
Could someone tell me what is the issue here?
Hello, I am struggling with flatline type of alert, when I want to set it to trigger an alarm when a log source is unavailable (number of events is below configured threshold). This is my rule definition:
I am still getting alerts triggered even when I have 15 million documents per log source. This is notifcation from today:
And in this timeframe I had over 20 million documents from this logsource. I am missing some point. Could someone tell me what is the issue here?