Hi,

that's certainly possible.

Simply create a stream containing only the messages of that single system 
(e.g. by checking the value of the "source" message field) and create a 
stream alert which will go off if the stream contains more than X messages 
within the last 60 minutes.

   - http://docs.graylog.org/en/2.1/pages/streams.html
   - http://docs.graylog.org/en/2.1/pages/streams/alerts.html#message-count-condition


Cheers,
Jochen

On Wednesday, 7 September 2016 19:04:56 UTC+2, ironmanmk42 wrote:
>
> Graylog 1.3.2 (for now and looking to implement Graylog 2.1)
>
> Is it possible to set up a stream to alert if the number of messages from a 
> single source exceeds a count?
> I have some misbehaving apps on hosts which suddenly send over a million 
> syslogs in say an hour or two because of a faulty app. 
> It would be great to have a stream which can alert with the source and 
> message count over last 1 hour if say > 1million. 
>
> Thanks,
>
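
The message-count check described in the reply, applied per source so the alert names the offending host. This is an added example, not part of the original thread and not Graylog code; the threshold, host names and sample messages are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # "within the last 60 minutes"
THRESHOLD = 3                   # the "X" of the alert; tiny for the constructed sample


def noisy_sources(messages, threshold=THRESHOLD, window=WINDOW):
    """Yield (timestamp, source, count) when a source first has more than
    `threshold` messages inside the trailing `window`.

    `messages` is an iterable of (timestamp, source) pairs in time order.
    A source alerts once, then again only after it has dropped back to the
    threshold or below (comparable to a grace period on a real alert).
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    alerting = set()             # sources currently above the threshold
    for ts, source in messages:
        q = recent[source]
        q.append(ts)
        while ts - q[0] >= window:   # drop messages that aged out of the window
            q.popleft()
        if len(q) > threshold:
            if source not in alerting:
                alerting.add(source)
                yield ts, source, len(q)
        else:
            alerting.discard(source)


def sample():
    """Constructed input: minute offsets from 17:00 and the "source" field."""
    t0 = datetime(2016, 9, 7, 17, 0, 0)
    events = [(0, "app01"), (5, "db01"), (10, "app01"), (20, "app01"),
              (30, "app01"), (40, "app01"), (50, "db01"), (130, "app01")]
    return [(t0 + timedelta(minutes=m), s) for m, s in events]


if __name__ == "__main__":
    for ts, source, count in noisy_sources(sample()):
        print(f"{ts:%H:%M} ALERT source={source} messages_last_60m={count}")
```
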
