Based on the 'breach' field, we want to send the alert as an email. An alert should be triggered for every document containing the 'breach' value "false", and a separate mail should be received for each document.
I am not sure if this is possible with Kibana. Which rule type should I use, and is it possible to send an alert for an individual document? If not, what other similar option can I use to solve this problem?
Thanks for the reply,
I can see data in the data view. I am only getting an alert the first time when I enable my rule; after that, when I index another doc, it does not send an alert. The rule status shows it is active.
"group by" with a field that is unique per document; you will also have to specify the maximum number of groups, as it uses a term agg under the covers.
Alerts will fire with a context value indicating the unique field per group.
Note that index threshold does not de-duplicate docs between runs. So if the rule interval is 5 minutes but "for the last" (look back) is 10 minutes, you'll get dups. That's probably fine, as the dups won't run actions if you use Notify: On status changes (the default).
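To make the scheduling behaviour above concrete, here is a small model (added example, not Kibana's own code) of an index threshold rule grouped by a per-document field: each run counts `breach: false` docs per group inside the look-back window, the term agg keeps at most `term_size` groups, and the notify mode decides which groups actually run actions. The documents, field names (`doc_id`, `breach`, `@timestamp`) and timings are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample docs (not from the thread); doc_id is unique per document.
DOCS = [
    {"doc_id": "d1", "breach": False, "@timestamp": datetime(2024, 1, 1, 10, 0)},
    {"doc_id": "d2", "breach": False, "@timestamp": datetime(2024, 1, 1, 10, 4)},
    {"doc_id": "d3", "breach": True,  "@timestamp": datetime(2024, 1, 1, 10, 6)},
    {"doc_id": "d4", "breach": False, "@timestamp": datetime(2024, 1, 1, 10, 8)},
]


def run_rule(docs, now, look_back, group_field, term_size, threshold=0):
    """One rule execution: count breach=false docs per group within
    [now - look_back, now]; groups with count > threshold are active."""
    window_start = now - look_back
    counts = {}
    for d in docs:
        if d["breach"] is not False:          # only breach == false matters here
            continue
        if window_start <= d["@timestamp"] <= now:
            counts[d[group_field]] = counts.get(d[group_field], 0) + 1
    # A term agg only returns the top term_size groups; the rest are silently dropped,
    # which is why the maximum number of groups must be large enough.
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:term_size]
    return {group for group, count in top if count > threshold}


def actions_to_run(previous_active, current_active, notify_when):
    """'onActiveAlert' runs actions on every run; 'onActionGroupChange'
    (Notify: On status changes) only for groups that just became active."""
    if notify_when == "onActiveAlert":
        return set(current_active)
    return set(current_active) - set(previous_active)


def simulate(docs, start, runs, interval, look_back, notify_when, term_size=100):
    """Run the rule `runs` times, `interval` apart; return the groups that
    triggered actions on each run (recovery actions are not modelled)."""
    fired, previous = [], set()
    for i in range(runs):
        now = start + i * interval
        current = run_rule(docs, now, look_back, "doc_id", term_size)
        fired.append(sorted(actions_to_run(previous, current, notify_when)))
        previous = current
    return fired
```

With a 5 minute interval and a 10 minute look-back, `onActiveAlert` reports d1 and d2 on two consecutive runs (the dups), while `onActionGroupChange` reports each doc exactly once.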