
Clearing Event Definition Aggregation "Select Field" causes events to trigger spuriously #21278

Open
woodsb02 opened this issue Jan 7, 2025 · 0 comments

woodsb02 commented Jan 7, 2025

When creating or editing an Event Definition using Aggregation, if the "Select Field (Optional)" is temporarily populated and then cleared, the field is set to an empty string "", which changes the event behaviour from when that field had never been populated (field set to null).

This causes aggregations using count() == 0 to spuriously trigger, even though there are logs shown using the "replay search" button on the triggered event.

Details and screenshots can be seen in this forum thread: https://community.graylog.org/t/events-triggering-count-0-even-though-replay-search-shows-logs/34592

Expected Behavior

Temporarily populating the "Select Field (Optional)" and then clearing it again should have the same behaviour as that when it has never been populated.

Current Behavior

Temporarily populating the "Select Field (Optional)" and then clearing it again causes the event to detect zero logs even though there are some.

Possible Solution

  1. Change the Event Definition web form to set the field to null instead of an empty string "" when clearing the value, OR
  2. Change the event processing logic to treat null or empty string "" in the same way (exclude field from algorithm)

Steps to Reproduce (for bugs)

  1. Create an event definition with a search query that reliably matches log entries
  2. Add aggregation count() == 0 (DO NOT TOUCH THE "Select Field (Optional)" when defining)
  3. Notice that the event correctly does NOT trigger (since there are logs and therefore count() is greater than 1)
  4. Edit event definition to temporarily populate the "Select Field (Optional)" and then clear it again with the "X". Save the edited event definition.
  5. Notice that the event now triggers even though there are logs and therefore count() should be greater than 1.
  6. Use replay search on triggered event to show that there were indeed logs.

Context

I discovered this when trying to create event definitions for "No logs received from host xyz".
I have worked around this by using curl to do a GET of the event definition, and then a PUT of the event definition with only the series field value changed from "" to null.

$ curl -u USERNAME:"PASSWORD" -H "Accept: application/json" -X GET "https://graylog.woods.am/api/events/definitions/6779f186970c084e8e0a8f38"

{"_scope":"DEFAULT","id":"6779f186970c084e8e0a8f38","title":"No logs from homeassistant.woods.am","description":"","updated_at":"2025-01-06T02:00:24.800Z","matched_at":"2025-01-05T09:51:26.801Z","priority":2,"alert":true,"config":{"type":"aggregation-v1","query":"source:\"homeassistant.woods.am\"","query_parameters":[],"filters":[],"streams":["000000000000000000000001"],"stream_categories":[],"group_by":[],"series":[{"type":"count","id":"count-","field":""}],"conditions":{"expression":{"expr":"==","left":{"expr":"number-ref","ref":"count-"},"right":{"expr":"number","value":0.0}}},"search_within_ms":300000,"execute_every_ms":300000,"use_cron_scheduling":false,"cron_expression":null,"cron_timezone":null,"event_limit":100},"field_spec":{"source":{"data_type":"string","providers":[{"type":"template-v1","template":"homeassistant.woods.am","require_values":false}]},"message":{"data_type":"string","providers":[{"type":"template-v1","template":"No logs received for >5 mins","require_values":false}]}},"key_spec":[],"notification_settings":{"grace_period_ms":3600000,"backlog_size":0},"notifications":[{"notification_id":"676f7274eccf2a0bc86dcd88","notification_parameters":null}],"storage":[{"type":"persist-to-streams-v1","streams":["000000000000000000000002"]}],"scheduler":null,"state":"ENABLED"}

$ curl -u USERNAME:"PASSWORD" -H "Content-Type: application/json" -H "X-Requested-By: cli" -X PUT -d '{"_scope":"DEFAULT","id":"6779f186970c084e8e0a8f38","title":"No logs from homeassistant.woods.am","description":"","updated_at":"2025-01-06T02:00:24.800Z","matched_at":"2025-01-06T02:02:34.993Z","priority":2,"alert":true,"config":{"type":"aggregation-v1","query":"source:\"homeassistant.woods.am\"","query_parameters":[],"filters":[],"streams":["000000000000000000000001"],"stream_categories":[],"group_by":[],"series":[{"type":"count","id":"count-","field":null}],"conditions":{"expression":{"expr":"==","left":{"expr":"number-ref","ref":"count-"},"right":{"expr":"number","value":0.0}}},"search_within_ms":300000,"execute_every_ms":300000,"use_cron_scheduling":false,"cron_expression":null,"cron_timezone":null,"event_limit":100},"field_spec":{"source":{"data_type":"string","providers":[{"type":"template-v1","template":"homeassistant.woods.am","require_values":false}]},"message":{"data_type":"string","providers":[{"type":"template-v1","template":"No logs received for >5 mins","require_values":false}]}},"key_spec":[],"notification_settings":{"grace_period_ms":3600000,"backlog_size":0},"notifications":[{"notification_id":"676f7274eccf2a0bc86dcd88","notification_parameters":null}],"storage":[{"type":"persist-to-streams-v1","streams":["000000000000000000000002"]}],"scheduler":null,"state":"ENABLED"}'

Your Environment

@woodsb02 woodsb02 added the bug label Jan 7, 2025