Hello Sensu Community!
I hope my topic was clear, but to re-iterate:
I’m trying to create a filter that will allow me to say “don’t handle warning events until there are 5 or more occurrences, but handle critical event statuses immediately.”
I tried a filter like this:
{
"filters": {
"ls_es_cluster_warnings": {
"negate": false,
"attributes": {
"check": {
"status": 1,
"name": "eval: value == 'logstash_es_cluster_status_check_aggregate_check'"
},
"occurrences": "eval: value == 5 || (:::check.interval::: * value) % 3600 == 0"
}
}
}
}
The name of the check is logstash_es_cluster_status_check_aggregate_check
I’m trying to catch "status": 1 (warning) events from being handled immediately, and to wait for 5 of them before triggering the handler, but also re-alert each hour: (:::check.interval::: * value) % 3600 == 0
I have no idea how to debug this. It’s still currently handling all events, so I must be doing something wrong 
Thanks!