Description
Expected Behavior
When creating an alert for a message crossing a threshold in a given time, by using the Aggregation -> count() definition and setting the search range to a defined value, an alert should be produced.
The count() function should count the amount of given events in the given time range.
Current Behavior
The count() function produces absurd numbers. Message Replay delivers no results, as well as manual search.
Alerts are triggered although alert condition does not match.
Steps to Reproduce (for bugs)
- Create new Alert
- Enable Aggregation and threshold
- Set condition to count()
- See number of counts
Context
I am trying to set up an alert for when there is a high number of failed logins to our VPN. I want to achieve this by counting those exact messages from our firewall. Although no events were logged, the count() function returns absurdly high numbers.
Your Environment
- Graylog Version: 6.3.4
- Java Version: -
- OpenSearch Version: 2.16.0
- MongoDB Version: 6.0
- Operating System: Ubuntu 24.04
- Browser version:
Checklist
[ ] This issue fix need to be backported.
[ ] Does this issue have security implications?
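As an added reference check (not part of the issue above and not Graylog's own code), the following script recomputes what a count() aggregation over a fixed search range should return for failed-VPN-login messages, so the number shown by the alert can be compared against an independent count. The log lines, the syslog-style layout, the "authentication failed for user" message text and the threshold semantics (alert when count is strictly greater than the threshold) are all constructed assumptions for this example; substitute the real firewall message pattern before using it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real firewall output). Assumed layout:
# "<ISO-8601 UTC timestamp> <host> <message>".
SAMPLE_LOG = """\
2025-08-01T10:00:05Z fw1 vpn: authentication failed for user alice from 203.0.113.10
2025-08-01T10:00:40Z fw1 vpn: authentication failed for user bob from 203.0.113.11
2025-08-01T10:01:10Z fw1 vpn: session established for user carol
2025-08-01T10:03:30Z fw1 vpn: authentication failed for user alice from 203.0.113.10
2025-08-01T10:07:00Z fw1 vpn: authentication failed for user dave from 198.51.100.7
2025-08-01T10:07:20Z fw1 vpn: authentication failed for user dave from 198.51.100.7
2025-08-01T10:07:45Z fw1 vpn: authentication failed for user dave from 198.51.100.7
2025-08-01T10:12:00Z fw1 vpn: session established for user alice
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# Hypothetical failed-login message pattern; adjust to the real firewall text.
FAILED_LOGIN_RE = re.compile(r"authentication failed for user (\S+)")


def _parse_ts(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Return a list of (timestamp, message) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((_parse_ts(m.group(1)), m.group(3)))
    return events


def _in_range(events, end_iso, range_minutes):
    """Yield events whose timestamp lies in (end - range, end]."""
    end = _parse_ts(end_iso)
    start = end - timedelta(minutes=range_minutes)
    for ts, msg in events:
        if start < ts <= end:
            yield ts, msg


def count_in_range(events, end_iso, range_minutes):
    """count() of failed-login messages within the search range ending at end_iso."""
    return sum(1 for _, msg in _in_range(events, end_iso, range_minutes)
               if FAILED_LOGIN_RE.search(msg))


def failed_logins_by_user(events, end_iso, range_minutes):
    """count() grouped by the user named in the failed-login message."""
    counts = Counter()
    for _, msg in _in_range(events, end_iso, range_minutes):
        m = FAILED_LOGIN_RE.search(msg)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def alert_fires(events, end_iso, range_minutes, threshold):
    """True when the count in the search range is strictly greater than threshold."""
    return count_in_range(events, end_iso, range_minutes) > threshold


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for end in ("2025-08-01T10:05:00Z", "2025-08-01T10:10:00Z", "2025-08-01T10:15:00Z"):
        print(end, "count() over last 5 min =", count_in_range(ev, end, 5),
              "fires(>2):", alert_fires(ev, end, 5, 2))
    print("by user over 15 min:", failed_logins_by_user(ev, "2025-08-01T10:15:00Z", 15))
```

Run it against an export of the same messages the alert sees for the same search range; if no matching events exist in the window, count_in_range returns 0, which is what the alert's count() should also show.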