Hi Jochen,

OK, noted. Let me give it a try first. I created an alert:
Then after 5 minutes I receive the email alert from Graylog:

##########
Alert Description: Stream had 500 messages in the last 5 minutes with trigger condition more than 1 messages. (Current grace time: 0 minutes)
Date: 2016-08-01T09:49:33.335Z
Stream ID: 578487e3df0096104a32a112
Stream title: Testing-Alert
Stream description: Set alert test
*Stream URL: http://graylog-test.net/streams/578487e3df0096104a32a112/messages?rangetype=absolute&from=2016-08-01T09:44:33.335Z&to=2016-08-01T09:49:33.335Z&q=**
Triggered condition: a1facab9-b979-40df-94da-60769a1f1bd2:MESSAGE_COUNT={time: 5, threshold_type: more, threshold: 1, grace: 0}, stream:={578487e3df0096104a32a112: "Testing-Alert"}
##########

<No backlog>

I click on the *Stream URL* and it gives me a list of the messages with *level:3* from various sources:

OK, this is what I want. So from here I can analyze the data for *level:3 message* only rather than query them in the search, right?