Multiple identical alert logs

[frantz45]

One alert log is generated for each backlog log. It should only generate multiples logs if there are different field's values in the backlog (for example multiple source IP addresses).

For example:

2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M

[c8y3]

First step:

• write a draft specification for the graylog-plugin-logging-alert plugin, with all required features and some use cases (some of which can be from the end-to-end tests and previous issues) and the initial specification document.
• Then we can decide a strategy: adapt or start from scratch with a simpler behaviour.
• If we plan to start from scratch, then we should consider #34