How do I cater for scenario in which an alert will be sent out when a source IP has appeared within a period of time for more than X number of time.
Hey,
you could aggregate using a date histogram specifying your interval and a terms aggregation using min_doc_count. It highly depends on your document modeling, so showing an example would be useful.
--Alex
Is there any update on this? Please share with a sample