I want to configure an alert rule for device logs. The alarm logs coming from the device consist of pairs: there is an “activate” and a “cleared” log message. Is it possible to set up a rule so that the alert keeps firing until a “cleared” log arrives?
I think it should be. You can count the number of “active” and the number of “cleared” messages in a given window and fire if “active” is more than 0 and “cleared” is equal to 0 (you can compare those two in a Math expression). Unless you meant “at least one cleared after the active message” (never mind that there was a cleared message before the active one), then I’m not quite sure.
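To make the two rule shapes discussed above concrete, here is an added example (not code from either poster, and not a Grafana expression): a windowed-count rule that fires when “activate” count > 0 and “cleared” count == 0 inside a time window, alongside a stateful variant that fires while the most recent alarm event for a device is “activate”. The log format (“epoch_seconds device alarm event”), device names and timestamps are constructed for the example; the stateful variant goes beyond the reply by showing the case it flags as uncertain, a “cleared” that arrived before the “activate”, where a pure count over the window would wrongly stay silent.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample device log lines (not from the original thread).
# Format assumed here: "<epoch_seconds> <device> alarm <activate|cleared>"
SAMPLE_LOGS = """
100 dev-a alarm activate
160 dev-a alarm cleared
200 dev-b alarm activate
250 dev-b alarm activate
400 dev-a alarm activate
""".strip().splitlines()


@dataclass(frozen=True)
class LogEntry:
    ts: int        # event time, seconds since epoch
    device: str    # device the alarm belongs to
    event: str     # "activate" or "cleared"


def parse_logs(lines: Iterable[str]) -> List[LogEntry]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    entries: List[LogEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "alarm":
            continue
        ts, device, _, event = parts
        entries.append(LogEntry(int(ts), device, event))
    return entries


def window_count_rule(entries: List[LogEntry], device: str, now: int, window: int) -> bool:
    """Windowed-count rule from the reply: fire when, within [now - window, now],
    the device has at least one 'activate' and no 'cleared' at all."""
    in_window = [e for e in entries
                 if e.device == device and now - window <= e.ts <= now]
    active = sum(1 for e in in_window if e.event == "activate")
    cleared = sum(1 for e in in_window if e.event == "cleared")
    return active > 0 and cleared == 0


def latest_state_rule(entries: List[LogEntry], device: str, now: int) -> bool:
    """Stateful variant: fire while the most recent alarm event seen for the
    device (at or before 'now') is 'activate'. Unlike the count rule, a 'cleared'
    that precedes a later 'activate' does not suppress the alert."""
    relevant = [e for e in entries
                if e.device == device and e.ts <= now
                and e.event in ("activate", "cleared")]
    if not relevant:
        return False
    latest = max(relevant, key=lambda e: e.ts)
    return latest.event == "activate"


def evaluate(now: int, window: int = 300) -> dict:
    """Evaluate both rules for every device in the sample at time 'now'."""
    entries = parse_logs(SAMPLE_LOGS)
    devices = sorted({e.device for e in entries})
    return {
        dev: {
            "window_count": window_count_rule(entries, dev, now, window),
            "latest_state": latest_state_rule(entries, dev, now),
        }
        for dev in devices
    }


if __name__ == "__main__":
    # At t=450 dev-a has cleared@160 then activate@400 inside a 300 s window:
    # the count rule stays silent, the stateful rule fires.
    for t in (300, 450):
        print(t, evaluate(t))
```

At `now=300` both rules agree for each device (dev-a was activated and then cleared, so no alert; dev-b has two activations and no clear, so alert). At `now=450` they diverge for dev-a: the window `[150, 450]` contains one “cleared” (at 160) and one “activate” (at 400), so the count rule returns False while the stateful rule correctly reports the alarm as still active. That divergence is exactly the “cleared before active” case the reply flags.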