I wanted to make sure I’m using macros.past_$m correctly. The documentation has the following example:
%syslog.timestamp >= %macros.past_5m
Which I interpret to mean the syslog.timestamp is greater than, or equal to, five minutes old. If the test is for an event within the last five minutes, wouldn’t the following make more sense?
%syslog.timestamp <= %macros.past_5mThat will match entries older over 5 minutes. He example is to match within the last 5 minutes as the alert will then clear off.
The way I interpret the first one is it will match if the timestamp is older (greater than),or equal to, five minutes. While the second will match if the timestamp is newer than (less than), or equal to, five minutes. Is that not correct?
%syslog.timestamp >= %macros.past_5m
=
Syslog timestamp column: 2017-01-15 14:50:40 >= 2017-01-15 14:45:40
past_5m is always 5 minutes before the current time, so if the syslog entry is >= 5 minutes earlier then the alert will trigger.