Why same alert is triggering multiple times

Telegraf
1

Hi All,
Could you suggest me why same alert is triggering multiple times .
Here is my tick file :
// This Script will trigger alert for Oracle log level ORA-.
var ErrorMessageToBeIgnored1 = ‘This is an example Error message to be ignore for the alert.’

// We can declare ‘n’ number of variables to be ignored while alerting for ORA- level.
var db = ‘server_logs’

var rp = ‘autogen’

var measurement = ‘oracle_logs’

var groupBy = [‘host’, ‘alert’]

var whereFilter = lambda: TRUE

var name = ‘Oracle_ServerLog-Linux-Threshold-LogLevel’

var idVar = name

var message = ‘FTAIM: Oracle Server Level alert reports {{.Level}} with value: {{ index .Fields “value” }} on host: {{index .Tags “host”}}.’

var idTag = ‘alertID’

var levelTag = ‘level’

var messageField = ‘message’

var durationField = ‘duration’

var outputDB = ‘alerting’

var outputRP = ‘autogen’

var outputMeasurement = ‘alerts’

var triggerType = ‘threshold’

var crit = ‘ORA-’

// Below we are implemented that body text of Email, which is adopted by .details() method at trigger in alert node.
var emailbody = ‘’‘{{ if eq .Level “CRITICAL” }}

Dear Administration Team,


FT Application Infrastructure Monitoring has detected an issue on a monitored system.

Please open the Dataview Application to diagnose the issue.

Error message: {{ index .Fields “value” }} {{ index .Fields “alertmessage” }}

Host:{{ index .Tags “host” }}


Please take required actions immediately.

This email was automatically sent by FT Application Infrastructure Monitoring.

{{end}} ‘’’

var data = stream
|from()
.database(db)
.retentionPolicy(rp)
.measurement(measurement)
.groupBy(groupBy)
.where(whereFilter)
// Below we are providing the alias names to adopt in this script.
// Example Inside the HTML Tags at Error message place & Host place.
|eval(lambda: “alert”, lambda: “alertdescription”)
.as(‘value’, ‘alertmessage’)
.keep()
.quiet()
|log()

var trigger = data
// Below we are implementing the DefaultErrorList of messages to be Ignored while alerting.
|where(lambda: !strContains(“alertmessage”, ErrorMessageToBeIgnored1))
|where(lambda: strContains(“value”, crit))
|alert()
// Below .crit() we are declaring ORA- as a CRITICAL to alert.
.crit(lambda: TRUE)
.message(message)
.details(emailbody)
.id(idVar)
.idTag(idTag)
.levelTag(levelTag)
.messageField(messageField)
.durationField(durationField)
// .topic(‘database_group’)
.email()
.to(‘SKumarB@ra.rockwell.com’)
.to(‘SS4@ra.rockwell.com’)
|log()

trigger
|eval(lambda: strContains(“value”, crit))
.as(‘value’)
.keep()
.quiet()
|influxDBOut()
.create()
.database(outputDB)
.retentionPolicy(outputRP)
.measurement(outputMeasurement)
.tag(‘alertName’, name)
.tag(‘triggerType’, triggerType)

2

Hello @Susil,
Could StateChangesOnly(), which only sends events where the state changed, be useful to you?

3

By using StateChangesOnly() It is showing same problem.
Could you suggest me any other way.

4

Hey @Susil can we get the output of kapacitor show <task> I’m curious to see the output from it. In particular, my initial hunch is that we’re having multiple series trigger distinct alerts.

5

Hi Michael,
I got the solution.
Thanks