Support for flexible alert rule conditions

As a system administrator I would like to be able to combine the 3 different alert conditions using flexible AND / OR rules.

The use case is to get alerts when x messages (Message Count) match a "Field value condition" and/or a "Field content condition", i.e.:

Alert me when there are more than 10 messages with the 'severity' field set to critical or when more than 20 messages have a std_deviation value of the 'response_time' field higher than x.

  • Matt Maloney
  • Apr 4 2017
  • Planned
  • Duje Jurica commented
    April 4, 2017 20:49

    I think that is a great idea, it would be really useful.

  • Kevin Vaughn commented
    April 4, 2017 20:49

    Graylog is the perfect blend of simplicity and sophistication for the most part; however, the lack of ability to set alerts based on compound conditions is a problem. We want Graylog to do this, not some other system.

  • Admin
    Jan Doberstein commented
    April 4, 2017 20:49

    With our new pipeline plugin this will be possible: http://docs.graylog.org/en/2.0/pages/pipelines.html

    Just give it a try!

  • Softlink commented
    April 4, 2017 20:49

    Completely agree, inability to AND conditions makes alerts almost useless for a lot of situations.

  • Cristiano Casado commented
    April 4, 2017 20:49

    Hi Jan. Could you publish some examples about use of alert with pipelines?

  • Ray Cannon commented
    April 4, 2017 20:49

    I agree with the comments here.  Improving the alerts is a must and would take Graylog from great to amazing.  I am also interested to see examples of how pipelines could be used for alerting.

  • Kyle Weller commented
    April 4, 2017 20:49

    Also please add better content to alert messages.

  • Kyle Weller commented
    April 4, 2017 20:49

    Our organization needs better alerts and templates, please prioritize this.

  • Admin
    Lennart Koopmann commented
    April 7, 2017 21:12

    Confirming that this will be available in Graylog v3.0, which is planned for the end of 2017.
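The compound rule described in the original request (more than 10 'critical' messages OR more than 20 messages whose 'response_time' standard deviation exceeds a threshold), written out as an added illustration of how AND/OR alert conditions evaluate over a message window. This is constructed example code, not Graylog's alerting implementation; the condition names, the threshold of 50.0 for the standard deviation and the sample message windows are assumptions.

```python
"""Evaluate compound (AND/OR) alert conditions over a window of messages.

Constructed illustration of the feature request above; not Graylog code.
"""
from statistics import pstdev
from typing import Callable, List

Message = dict
Condition = Callable[[List[Message]], bool]


def field_value_count(field: str, value, more_than: int) -> Condition:
    """Message-count style condition: more than `more_than` messages in the
    window have `field` equal to `value` (e.g. severity == 'critical')."""
    return lambda msgs: sum(1 for m in msgs if m.get(field) == value) > more_than


def field_stddev(field: str, higher_than: float, min_messages: int) -> Condition:
    """Field-aggregation style condition: the population standard deviation
    of a numeric `field` exceeds `higher_than`, and more than `min_messages`
    messages carried a numeric value (non-numeric or missing fields ignored)."""
    def check(msgs: List[Message]) -> bool:
        values = [m[field] for m in msgs
                  if isinstance(m.get(field), (int, float))]
        return len(values) > min_messages and pstdev(values) > higher_than
    return check


def all_of(*conds: Condition) -> Condition:
    """AND: every sub-condition must hold on the same window."""
    return lambda msgs: all(c(msgs) for c in conds)


def any_of(*conds: Condition) -> Condition:
    """OR: at least one sub-condition must hold on the same window."""
    return lambda msgs: any(c(msgs) for c in conds)


# The rule from the request: >10 critical messages OR (>20 messages with
# response_time standard deviation above an assumed threshold of 50.0).
RULE = any_of(field_value_count("severity", "critical", 10),
              field_stddev("response_time", 50.0, 20))

# Constructed sample windows (not real log data).
WINDOW_QUIET = [{"severity": "info", "response_time": 100 + (i % 3)} for i in range(30)]
WINDOW_CRITICAL = WINDOW_QUIET + [{"severity": "critical", "response_time": 100}] * 11
WINDOW_SPIKY = [{"severity": "info", "response_time": 100 if i % 2 else 400}
                for i in range(30)]


def evaluate(rule: Condition, msgs: List[Message]) -> bool:
    """Return True when the compound rule fires for this window."""
    return rule(msgs)
```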