Hey,
this sounds possible to me. The important part here is to write a proper search query (independent from the watch). The search query needs to do the following:

- have a `range` filter in your query that filters from the first of the month until now
- have a `term` filter in your query (or a `match` query) that filters for the host you are interested in
- have a `sum` aggregation in your request that counts up your bytes (use the sum aggregation)

Now you have the correct data (a single aggregation response returning a number), which you can use in the watcher condition to check if it exceeds a threshold.
If it does, send an email, where you can include this exact data.
One last thing: If the IP is dynamic, you could just have an aggregation for the ip address, and then calculate the sum for each IP.
Hope this helps.
--Alex
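As an added example (not part of Alex's reply), here is a complete watch in Kibana Console syntax that puts the three pieces together: the `range` filter on the current month, the `term` filter on the host, the `sum` aggregation, a `compare` condition on the aggregated value, and an email action that echoes that value. The index pattern `netflow-*`, the field names `@timestamp`, `host.name` and `network.bytes`, the host `web-01` and the 100 GiB threshold are all assumptions for illustration.

```json
// Assumed: indices netflow-*, fields @timestamp / host.name / network.bytes
PUT _watcher/watch/monthly_bytes_web-01
{
  // run once an hour; the query itself always covers month-to-date
  "trigger": { "schedule": { "interval": "1h" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "netflow-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                // "now/M" rounds down to the first of the current month
                { "range": { "@timestamp": { "gte": "now/M", "lte": "now" } } },
                // restrict to the one host we are interested in
                { "term": { "host.name": "web-01" } }
              ]
            }
          },
          "aggs": {
            // single-number result used by the condition below
            "total_bytes": { "sum": { "field": "network.bytes" } }
          }
        }
      }
    }
  },
  "condition": {
    // 100 GiB threshold (assumed), expressed in bytes
    "compare": {
      "ctx.payload.aggregations.total_bytes.value": { "gt": 107374182400 }
    }
  },
  "actions": {
    "notify_ops": {
      "email": {
        "to": "ops@example.com",
        "subject": "web-01 exceeded its monthly traffic budget",
        "body": "web-01 has transferred {{ctx.payload.aggregations.total_bytes.value}} bytes since the first of the month."
      }
    }
  }
}
```

For the dynamic-IP case Alex mentions, wrap `total_bytes` in a `terms` aggregation on the IP field and iterate over the buckets in the condition instead of comparing a single value.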