Hi. I am trying to understand how to limit the number of notifications that I receive from CrowdSec. I want to continue to ban IPs, but I only want to receive a notification for clusters of alerts. I am looking at the group_wait and group_threshold settings but I don’t understand how they interact. Is the notification only sent when the group_threshold is exceeded within the group_wait period? For example, more than 10 alerts in 30 seconds. Or are they both independent? Can anyone give me any hints?
The first condition met actually triggers the notification. For example, you can set a group_wait of 30m and a group_threshold of 10, and you’ll either get a notification every 30m or get a bunch of 10 notifications if that threshold is met. You can even set your group_threshold to 0 to have notifications every 30m.
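A small simulation of the "whichever condition is met first" behaviour described in the answer above, added here as an illustration; it is not CrowdSec's code and not part of the original thread. It assumes the timer ticks at fixed multiples of group_wait and that a tick with no pending alerts sends nothing; the function name and the alert timestamps are constructed.

```python
def simulate_batches(alert_times, group_wait, group_threshold):
    """Model notification batching: flush on timer tick or on threshold.

    alert_times     -- alert arrival times in seconds (constructed sample data)
    group_wait      -- timer interval in seconds (must be > 0 in this model)
    group_threshold -- flush as soon as this many alerts are pending; 0 disables
    Returns a list of (flush_time, alert_count, reason) tuples.
    """
    batches = []
    pending = 0
    next_tick = group_wait  # assumption: ticks at group_wait, 2*group_wait, ...
    for t in sorted(alert_times):
        # Fire every timer tick that elapsed before this alert arrived.
        while next_tick <= t:
            if pending:
                batches.append((next_tick, pending, "group_wait"))
                pending = 0
            next_tick += group_wait
        pending += 1
        # Threshold check happens on arrival, independent of the timer.
        if group_threshold > 0 and pending >= group_threshold:
            batches.append((t, pending, "group_threshold"))
            pending = 0
    if pending:
        # Leftover alerts go out on the next timer tick.
        batches.append((next_tick, pending, "group_wait"))
    return batches


# Constructed sample: a burst of 12 alerts (one per second), then 3 stragglers.
SAMPLE_ALERTS = list(range(100, 112)) + [2000, 2500, 3000]

if __name__ == "__main__":
    for threshold in (10, 0):
        print(f"group_wait=30m group_threshold={threshold}")
        for when, count, reason in simulate_batches(SAMPLE_ALERTS, 1800, threshold):
            print(f"  t={when:>4}s  {count:>2} alerts  (triggered by {reason})")
```

With a threshold of 10 the burst produces one immediate notification of 10 alerts and the rest arrive on the 30-minute ticks; with a threshold of 0 everything waits for the timer.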