I'm relatively new to elastic, and I have a plethora of systems (windows) that all have unique monitoring requirements for processes with some overlap. We are running version 7.16.2. I can make alerts on a condition WHEN document count IS BELOW 1 filtered on (KQL) process.name: "x.exe" and host.name: "x"
What I am wondering is if there is a way to only alert if there was a document count before (say in the past 48-72 hours) but failed in the past minute?
We also have some processes that require multiple copies of the process to be running. Is there a way to alert if the total number of process X is at a value and alert if it deviates from that value?
It seems I can't stack timing conditions in the alert. Being able to do this would save me from making hundreds of unique and overlapping alerts.
Thanks!