cvtienhoven
commented
6 years ago Hey, thanks for reaching out. Fair point about the search link, I wasn't too happy with that one myself when I streamlined the plugin with the native Graylog alerting. You're probably using the Email Alarm Callback, which is a built-in callback in Graylog. The Stream URL in that callback is compiled like this:
return baseUri + "/streams/" + stream.getId() + "/messages?rangetype=absolute&from=" + alertStart + "&to=" + alertEnd + "&q=*";
So unfortunamtely this does not leave room for adding a query or whatsoever to make the search link more specific. I'm going to investigate if I can implement a custom Email Callback that will be able to add a specific query to the stream link. As an aggregates rule can be triggered by multiple field values, you might still have some unrelated messages (because the number of matches is more/less than your rule defines) but it would be much more specific than the query *.
knightsg
When we receive alerts from aggregate rules it shows something like, " The same value of field 'example_field' occurs 20 or more times in a 1 minute interval". The alert does include a link to the Graylog search but it's very non-specific ("/streams/5b19a6cc37a39270d6136bdb/messages?q=*&rangetype=relative&relative=3600") which you have to painstakingly search through if there are lots of other unrelated messages in the list.
It would be incredibly helpful if the actual value of the field were included with the message as well as it makes troubleshooting much quicker. I don't see any way currently to customise the message or at least include the field value, but please correct me if I'm wrong. If not, then I'd like to suggest it as a possible future option or feature.