Events Event Limit is counterintuitive, throws a system error #20785

Closed
drewmiranda-gl opened this issue Oct 24, 2024 · 3 comments · Fixed by #21080

Comments

@drewmiranda-gl
Member

Graylog Events using "Filter & Aggregation" Condition Type have 2 options for 'Create Events for Definition if...'

  1. Filter has results
  2. Aggregation of results reaches a threshold

When using 'Filter has results', you are now REQUIRED to specify an event limit, between 1 and 1000. Once this limit is reached (not exceeded) a Graylog system alert is generated:

Event limit »1« reached for event definition »EventDefinitionTitle(<Event_definition_id>)«. Try to use a more specific search query or use aggregations. Otherwise try to raise the limit.

However this is confusing for a couple of reasons:

  • you are not allowed to remove this limit (technically you can edit the event definition and set the limit to 0 but this is not a good idea)
  • This is the only way to control how many events get generated and prevent a flood of events (which is this feature's original intent)

This is to say, it's 100% expected that this event limit will be reached. I don't think a system alert should be generated and the advice it gives is counter to the intended outcome.

Expected Behavior

Using Event limit as it's intended should not throw a system alert

Current Behavior

Once the event limit is reached (even if the limit is set to 1 and 1 message is returned), a system event is generated.

Possible Solution

Remove this system alert, or at least allow the user to disable it either globally or per event.

Steps to Reproduce (for bugs)

  1. Create a "Filter & Aggregation" event
  2. Set 'Create Events for Definition if...' to 'Filter has results'
  3. Set limit to 1
  4. Allow event to fire

Context

Attempting to create a simple event that fires if the search query is met and prevent more than a single event from being created. This generated a system event which is not actionable and technically not solvable other than changing 'Create Events for Definition if...' to 'Aggregation of results reaches a threshold' which is the workaround I will use.

Your Environment

  • Graylog Version: 6.1.0
  • Java Version: Bundled
  • OpenSearch Version: 2.15.0
  • MongoDB Version: 7.0.14
  • Operating System: Ubuntu Server 22.04 LTS
  • Browser version: Google Chrome Version 129.0.6668.101 (Official Build) (arm64)

Happy to discuss! Let me know if there are any questions.

@drewmiranda-gl drewmiranda-gl changed the title Event Event Limit is counterintuitive, throws a system error Events Event Limit is counterintuitive, throws a system error Oct 24, 2024
@tellistone

image

Can see this popping up on test-dev-ng with stock config

@tellistone

As Drew suggests - this should not be a notification pop-up. Printing a message to Graylog's log file would be adequate. This message is INFO urgency equivalent.

@tellistone

Image

Can we also update this copy: "Maximum number of events to be created per execution of this Event Definition. If a greater number of events would be created than the limit allows, excess events not recorded."
