Graylog Alert is automatically resolving itself.

graylog

Graylog v2.3.2

My goal is to have a condition raise an alert, and the alert remain open until it's marked resolved or a defined resolved condition applies.

I have an alert set up, and here is the condition configuration:

Configuration: Alert is triggered when messages matching
<full_message: "*Short*"> are received. Grace period: 15 minutes.
Including last 2 messages in alert notification. Configured to not
repeat notifications.

The alert triggers fine, but then it self-resolves.

Here are the logs:

2018-01-04 23:56:23.699 Graylog checks test_alert (Field Content Alert Condition) condition on stream All messages
2018-01-04 23:56:23.699 Stream received messages matching <full_message:"Short"> (Current grace time: 15 minutes)
2018-01-04 23:56:23.699 Graylog triggers an alert for test_alert (Field Content Alert Condition) and starts sending notifications
2018-01-04 23:56:23.699 No notifications were configured for this alert
2018-01-04 23:56:28.526 Condition is no longer satisfied, alert is marked as resolved

Why did it say "Condition is no longer satisfied" and resolve the alert?

My goal is to keep the alert open until someone resolves it or it's resolved through another condition/etc

Best Answer

> Why did it say "Condition is no longer satisfied" and resolve the alert?

Alerts in Graylog are basically scheduled searches. If the search result isn't empty (or more generally the alert condition is triggered), the alert is triggered (or active). Once the scheduled search doesn't return any results (or the alert condition is not triggered), the alert will be resolved.

Please refer to http://docs.graylog.org/en/2.3/pages/streams/alerts.html for more details about alerts in Graylog.

> My goal is to keep the alert open until someone resolves it or it's resolved through another condition/etc

That's not possible as of Graylog 2.4.0.

Feel free to create a feature request at https://github.com/Graylog2/graylog2-server/issues/
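
As an added example (not part of the original question or answer, and not Graylog's own code), the following models the lifecycle the answer describes, replayed at the two check times from the log above, next to a latched tracker that stays open until acknowledged. The 5-second search window, the sample message and the `LatchedAlert` class are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # assumed search window, not a documented Graylog value

def search(messages, needle, now, window=WINDOW):
    """Scheduled search: messages from the last `window` whose text contains needle."""
    return [text for ts, text in messages if now - window < ts <= now and needle in text]

class ScheduledAlert:
    """State follows the most recent search result, as the answer describes."""
    def __init__(self):
        self.open = False
        self.events = []

    def check(self, now, hits):
        if hits and not self.open:
            self.open = True
            self.events.append((now, "triggered"))
        elif not hits and self.open:
            self.open = False
            self.events.append((now, "resolved"))

class LatchedAlert(ScheduledAlert):
    """Hypothetical external tracker: an empty search never closes the alert."""
    def check(self, now, hits):
        if hits:
            super().check(now, hits)

    def acknowledge(self, now, who):
        if self.open:
            self.open = False
            self.events.append((now, f"resolved by {who}"))

def replay():
    # Constructed sample: one matching message, then the two check times from the log.
    messages = [(datetime(2018, 1, 4, 23, 56, 23, 0), "Short circuit on sensor 7")]
    checks = [datetime(2018, 1, 4, 23, 56, 23, 699000),
              datetime(2018, 1, 4, 23, 56, 28, 526000)]
    scheduled, latched = ScheduledAlert(), LatchedAlert()
    for now in checks:
        hits = search(messages, "Short", now)
        scheduled.check(now, hits)
        latched.check(now, hits)
    return scheduled, latched

if __name__ == "__main__":
    for alert in replay():
        print(type(alert).__name__, "open:", alert.open, [e[1] for e in alert.events])
```

The scheduled model closes on the second check because the matching message has aged out of the search window; the latched model closes only when `acknowledge` is called.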
