I have a log file template with two rules: one rule to generate a critical alert, and another rule to solve the critical message when it works again, generating a normal event with key and close event with key.
The rules generate alerts correctly and work fine, but the normal rule is generated continuously with closed state, generating a big number of closed messages. I have tried to create an event suppression on the normal rule, but I think it only applies to open alerts. Is it possible?
How can I avoid generating continuous normal messages in closed state while maintaining the normal rule to solve any critical alert when a problem is solved?