Based on the 'breach' field, we want to send the alert as an email. An alert should be triggered for every document containing the 'breach' value "false", and a separate mail should be received for each document.
I am not sure if this is possible with Kibana. Which rule type should I use, and is it possible to send an alert for an individual document? If not, what other similar option can I use to solve this problem?
Thanks for the reply,
I can see data in the data view. I am only getting an alert the first time, when I enable my rule; after that, when I index another doc, it does not send an alert, and the rule status shows it is active.
The Elasticsearch query currently only triggers one action per run, so it may not be appropriate for you.
I don't think we have a rule-type that would work out-of-the-box for this, but this might work:
create a "filtered alias" of your index that filters out breach: true documents
use index threshold rule type using that alias
"group by" with a field that is unique per document; you will also have to specify the maximum number of groups, as it uses a term agg under the covers
alerts will fire with a context value indicating the unique field per group
Note that index threshold does not de-duplicate docs between runs. So if the rule interval is 5 minutes but "for the last" (look back) is 10 minutes, you'll get dups. That's probably fine, as the dups won't run actions if you use Notify: On status changes (the default).
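The recipe above, written out as an added example (not code from the thread or from Elastic): the first two functions build the request bodies for the filtered alias (Elasticsearch `POST _aliases`) and for the index threshold rule (Kibana `POST /api/alerting/rule`, which also needs a `kbn-xsrf: true` header), grouped on a per-document field with `termSize` as the group cap and `notify_when` set to the "on status changes" mode. The third function replays the rule over constructed sample documents with a 5-minute interval and a 10-minute look-back, so the overlap between runs and the reason the duplicate matches do not re-send mail can be seen directly. Index name, alias name, the `doc_id` field, recipients and the connector id are placeholders.

```python
"""Index threshold alerting on breach=false documents, one alert per document.

Added example, not code from the thread. Builds the filtered-alias body and
the Kibana rule body, then simulates consecutive rule runs to show how the
look-back overlap produces repeat matches that 'Notify: On status changes'
does not re-notify. All names and ids below are placeholders.
"""
from dataclasses import dataclass


def filtered_alias_body(index: str, alias: str) -> dict:
    """Body for POST _aliases: the alias exposes only documents with breach=false."""
    return {
        "actions": [
            {"add": {"index": index, "alias": alias,
                     "filter": {"term": {"breach": False}}}}
        ]
    }


def index_threshold_rule_body(alias, unique_field, connector_id, recipients,
                              interval_min=5, lookback_min=10, max_groups=1000):
    """Body for POST /api/alerting/rule (send with header kbn-xsrf: true)."""
    return {
        "name": "breach=false per document",
        "rule_type_id": ".index-threshold",
        "consumer": "alerts",
        "schedule": {"interval": f"{interval_min}m"},
        "notify_when": "onActionGroupChange",   # the "Notify: On status changes" setting
        "params": {
            "index": [alias],
            "timeField": "@timestamp",
            "aggType": "count",
            "groupBy": "top",
            "termField": unique_field,   # one group, hence one alert, per document
            "termSize": max_groups,      # terms aggregation needs an upper bound
            "thresholdComparator": ">",
            "threshold": [0],
            "timeWindowSize": lookback_min,   # "for the last" look-back window
            "timeWindowUnit": "m",
        },
        "actions": [{
            "group": "threshold met",
            "id": connector_id,          # placeholder: id of an email connector
            "params": {
                "to": recipients,
                "subject": "breach=false for document {{context.group}}",
                "message": "{{context.message}}",
            },
        }],
    }


@dataclass(frozen=True)
class Doc:
    ts_min: int     # minutes since some epoch; constructed sample data
    doc_id: str
    breach: bool


# Constructed sample documents: "b" is breach=true and is dropped by the alias.
SAMPLE_DOCS = [
    Doc(1, "a", False),
    Doc(3, "b", True),
    Doc(7, "c", False),
    Doc(12, "d", False),
]


def simulate_runs(docs, interval_min, lookback_min, runs):
    """Replay the rule run by run.

    Each run groups breach=false documents inside the look-back window by
    doc_id; every non-empty group is in 'threshold met'. With notify-on-status-
    change, an action fires only when a group newly enters that state, so a
    document seen again by the next overlapping run is matched but not mailed.
    Returns [(run_time, matched_groups, notified_groups), ...].
    """
    active = set()
    history = []
    for n in range(1, runs + 1):
        now = n * interval_min
        matched = {d.doc_id for d in docs
                   if not d.breach and now - lookback_min < d.ts_min <= now}
        notified = matched - active      # new groups only; repeats are dups
        active = matched                 # groups no longer matched recover
        history.append((now, sorted(matched), sorted(notified)))
    return history


if __name__ == "__main__":
    for now, matched, notified in simulate_runs(SAMPLE_DOCS, 5, 10, 4):
        print(f"t={now:>2}m matched={matched} mailed={notified}")
```

With the sample data, document "a" is matched by the runs at 5 and 10 minutes and "c" by the runs at 10 and 15, yet each is mailed once, at the run that first sees it; with `notify_when` set to `onActiveAlert` instead, every one of those overlapping matches would send a mail.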