Hello,
I have this Alert Rule:
syslog.timestamp >= "macros.past_5m" AND syslog.msg REGEXP ".segfault."
to search for 'segfault' in syslog msgs.
The rule is also triggered when there are msgs older than 5 minutes.
Is my understanding wrong? That only the first 5 minutes from now should be triggered?
And is there a way to display the syslog timestamp in the alert template? In %values.string there is no timestamp.
Regards, Christian
I had the same problem a few days ago, basically I think "macros.past_5m" shouldn't be in quotes, for some reason the GUI adds it.
When creating the alert, I just chose Import from old syntax, and put in the query like this,
syslog.timestamp >= macros.past_5m AND syslog.msg REGEXP ".segfault."
My query does have a timestamp with the output of %value.string,
but no way to pull it out separately that I can find. Perhaps this is configurable on either syslog or the box itself. The only other way I can find is just the alert timestamp of %timestamp.
1 Like
Yes, that was it! Thank you! Saved much time!
1 Like
For anyone else who finds this, you can also put backticks around macro.past_5m to have the GUI correctly parse it.
3 Likes
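The following is an added example, not code from the thread or from LibreNMS itself. It is a small Python model of the operand handling the two answers above describe: an unquoted or backticked macros.past_5m is expanded to "now minus five minutes" before the comparison, while a double-quoted "macros.past_5m" stays a plain string literal that cannot act as a time bound. That last point (a string literal yields no usable time filter, so older messages are not excluded) is an assumption chosen to reproduce the behaviour the original poster reported, not a statement about how the real rule engine compiles the rule. The syslog rows and the fixed "now" are constructed for the demonstration.

```python
"""Model of how a LibreNMS-style alert rule treats the macros.past_5m operand."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog rows; timestamps are relative to a fixed "now".
NOW = datetime(2024, 1, 1, 12, 0, 0)
ROWS = [
    {"timestamp": NOW - timedelta(minutes=1),  "msg": "kernel: app[123]: segfault at 0 ip 00007f"},
    {"timestamp": NOW - timedelta(minutes=40), "msg": "kernel: app[456]: segfault at 8 ip 00007f"},
    {"timestamp": NOW - timedelta(minutes=2),  "msg": "sshd[789]: Accepted publickey for ops"},
]

# Assumed macro table: only the single macro used in the thread.
MACROS = {"macros.past_5m": lambda now: now - timedelta(minutes=5)}

# Shape of the rule under discussion: a time comparison AND a REGEXP on the message.
RULE_RE = re.compile(
    r'^syslog\.timestamp\s*>=\s*(?P<ts>"[^"]*"|`[^`]*`|[\w.]+)'
    r'\s+AND\s+syslog\.msg\s+REGEXP\s+"(?P<pat>[^"]*)"$'
)


def resolve_time_bound(operand, now):
    """Return the datetime lower bound for the timestamp comparison.

    Returns None when the operand is a double-quoted string literal: in this
    model a literal like "macros.past_5m" is never expanded, so it provides
    no time bound at all (assumption matching the thread's report).
    """
    if operand.startswith('"'):
        return None
    name = operand.strip("`")  # backticks mark an identifier/macro, not a string
    if name in MACROS:
        return MACROS[name](now)
    raise ValueError(f"unknown macro or identifier: {name}")


def pattern_matches(pattern, msg):
    """REGEXP semantics: unanchored search, '.' is a single-character wildcard."""
    return re.search(pattern, msg) is not None


def evaluate_rule(rule, rows, now=NOW):
    """Return the rows that satisfy the rule under this model."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("rule does not have the expected shape")
    bound = resolve_time_bound(m.group("ts"), now)
    pattern = m.group("pat")
    hits = []
    for row in rows:
        if bound is not None and row["timestamp"] < bound:
            continue  # older than the macro window: excluded
        if pattern_matches(pattern, row["msg"]):
            hits.append(row)
    return hits


if __name__ == "__main__":
    quoted = 'syslog.timestamp >= "macros.past_5m" AND syslog.msg REGEXP ".segfault."'
    bare = 'syslog.timestamp >= macros.past_5m AND syslog.msg REGEXP ".segfault."'
    ticked = 'syslog.timestamp >= `macros.past_5m` AND syslog.msg REGEXP ".segfault."'
    for label, rule in (("quoted", quoted), ("bare", bare), ("backticked", ticked)):
        print(label, [r["timestamp"].isoformat() for r in evaluate_rule(rule, ROWS)])
```

Two practical notes follow from the model. First, the quoted form matches both segfault rows, including the 40-minute-old one, while the bare and backticked forms keep only the row inside the five-minute window; that is the difference the thread describes. Second, in a REGEXP pattern the dot is a wildcard, so ".segfault." requires at least one character on each side of the word and would miss a message that begins with "segfault"; a plain "segfault" pattern is what most people actually want.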