Alerting on field value change

I’m currently logging on-change data in ES, and I’m running a latest transform to store the most updated data into a separate index.

I was advised that an ingest pipeline will help me compare any value coming in with the value that is stored in the latest transforms index, and then I can alert when the value has changed.

I have created my ingest pipeline and used the grok processor to pick a field and capture its value, but I don’t know how to compare that value with what is inside the most recent transform index.

Is this possible to do, or should I be taking a different approach?

The goal is to monitor a Boolean field and send an alert every time it changes from true to false.

Thank you.

Maybe it’s me, but I find your problem description confusing. Can you share some sample documents, which index is doing what, the transform you are doing, the index pipeline, … ?

You want to monitor when it changes from true to false only or every time it changes state, like from false to true as well?

Where did this advice to use an ingest pipeline come from? It does not make much sense.

If you already have the most recent data in an index created by a transform, you could simply create a Security rule looking into this index.

Sorry about the confusion. I’m trying to monitor on-change data when the value for a specific field changes from true to false and when it changes from false to true. The ‘empty’ field is what I want to monitor.

Sample data looks like this:

{
  "_index": "latest-card-state",
  "_id": "d0zkoUWm0Csk8ESoqS3yeBZHAAAAAAAA",
  "_version": 16,
  "_source": {
    "parent": "SLOT-1",
    "interface_name": "LM-1",
    "description": "C-Band Enhanced 16xQSFP28",
    "type": "LINECARD",
    "hardware_version": "002",
    "oper_status": "INACTIVE",
    "empty": "true",
    "mfg_name": "abcd",
    "part_no": "abc-def-901",
    "cribl_pipe": "server-gnmi",
    "@timestamp": "2025-11-14T17:09:47.059Z",
    "telegraf_agent": "ws-deployment-6cd88cdd4c-tkd4h-telegraf-agent",
    "name": "vendor",
    "serial_no": "123456",
    "device": "dev1lab.mgt.net",
    "timestamp": 1763140187
  },
  "fields": {
    "@timestamp": [
      "2025-11-14T17:09:47.059Z"
    ]
  }
}

The ingest pipeline advice came from one of our Elastic reps 🙂

So are you saying I should just set up two alerts on the index where the latest data is being saved? One for when the ‘empty’ field reports back false, and the other when it reports back ‘true’.

Ok, now I understood: you want to alert when there is a status change. This is a little more complicated than it seems; the security rules would not be enough, as they would alert on every event where it is true or false.

Not sure where the ingest pipeline fits here. Is this ingest pipeline being used in the transform? What is it doing? It is not clear.

If I’m understanding correctly, you want to know when a Boolean field’s value changes from version N to version N+1, in the doc’s _version sense, and this should essentially get detected at ingest time?

I agree, I’m not sure why I was advised to use an ingest pipeline to compare incoming documents with what is stored in the transform index. I was not able to find a way to query an index within an ingest pipeline.

I have sent an email to the rep to see if they can clarify how to do it, but now I’m not confident if this is even possible.

As far as I know, this is not possible with ingest pipelines; there are no processors that would do that.

The main issue with alerting on a status change like this is that you need to know what the last status was; using a latest transform, you only have the latest document.

Maybe using a pivot transform set to keep the last 2 top hits would work, as you would have the 2 most recent documents, and with that you can create a rule that would trigger based on the count of each value.

Hi @mohsin106

Ok, my curiosity pulled me into this 🙂

What version Elastic are you on? (Important)

It seems we jumped right into solutioning; perhaps we can spend a couple more minutes understanding the use case.

You have N cards / devices that report Y times a minute/sec with a field empty with a boolean value.

What are the gross values of N and Y (number of devices, period of reporting)?

And let's say alerting runs on a schedule, let's say it runs every 1 minute.

What exactly are you looking for?

A) Say the empty field goes from true to false. Are you looking for at least one state change and the last value of that state change?

B) What if in that minute the device goes from true to false to true

C) is that 2 state changes?

D) is that no state change?

E) Do you want to detect flapping? (going back and forth)

Or maybe these devices only report every 5 minutes and then when you look every minute, that is a whole different perspective / approach.

Elastic alerting in general is aggregation-based, but with transforms, ES|QL etc. there are more techniques to apply than there were just a short time ago.

There are a number of techniques that can be used, but understanding these details is important. (BTW I could see using Latest with Enrich to compare the incoming document with the last value ... a little complex, but I could see that... I would probably use ES|QL or something.)

Sooooo @mohsin106 What are you actually trying to accomplish...


Hi @stephenb ,

I am using Elastic version 8.19.2.

I have 8 cards across 2 devices in my lab. I’m working with on-change data, so the data will only flow in when the value for the empty field changes state from false to true and vice versa.

I would like to set up an alert that checks the latest value of the empty field and alert if it has changed. I would love to capture flapping if possible.

Yes

Yes, would like to capture a flap.

Yes, that would be two state changes.

No, it is definitely a state change

Yes

The empty field is an on-change only field, and the device will only send data when the value for that field changes. This is why I think the latest transform is useful here, because it will update the timestamp of the last state change. I can schedule an alert to run every minute to check for any state changes in the last 5 minutes and alert on it.

I would like to explore this option if it will work in my case here.

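To make concrete what a scheduled rule over the raw on-change index would have to compute (the "check the last 5 minutes every minute" idea above, and the earlier point that a latest transform keeps only one document per card so a flap that returns to the original state is invisible there), here is an added example that is not from the thread or from Elastic. It assumes the raw on-change documents have the shape of the sample document posted earlier (one indexed document per transition, `empty` stored as the string "true"/"false", UTC `@timestamp`), and the sample documents below are constructed for the example; the card key (device, parent, interface_name) and the 5-minute window are assumptions.

```python
"""Windowed state-change and flap detection over on-change documents.

Added example (not thread or Elastic code). It emulates, in plain Python,
what a rule scheduled every minute would do over the raw on-change index:
group documents by card, keep the ones in the lookback window, and, because
the device only emits a document when `empty` changes, treat each document
in the window as one state change. Two or more changes in the window is a
flap. A second helper shows what a latest transform would expose instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample documents, shaped like the thread's sample (trimmed to the
# fields the check needs). Note `empty` is the string "true"/"false", as in the
# posted document, not a JSON boolean, so it has to be normalised.
SAMPLE_DOCS = [
    {"device": "dev1lab.mgt.net", "parent": "SLOT-1", "interface_name": "LM-1",
     "empty": "true", "@timestamp": "2025-11-14T17:01:00.000Z"},
    {"device": "dev1lab.mgt.net", "parent": "SLOT-1", "interface_name": "LM-1",
     "empty": "false", "@timestamp": "2025-11-14T17:06:30.000Z"},
    {"device": "dev1lab.mgt.net", "parent": "SLOT-1", "interface_name": "LM-1",
     "empty": "true", "@timestamp": "2025-11-14T17:08:10.000Z"},
    {"device": "dev1lab.mgt.net", "parent": "SLOT-2", "interface_name": "LM-2",
     "empty": "false", "@timestamp": "2025-11-14T17:09:47.059Z"},
    {"device": "dev2lab.mgt.net", "parent": "SLOT-1", "interface_name": "LM-1",
     "empty": "true", "@timestamp": "2025-11-14T16:50:00.000Z"},
]

# The rule's "now" for the example run (assumed); a real rule uses the wall clock.
EXAMPLE_NOW = "2025-11-14T17:10:00.000Z"


def card_key(doc):
    """Identity of one line card; assumed to be unique per (device, slot, interface)."""
    return (doc["device"], doc["parent"], doc["interface_name"])


def parse_ts(value):
    """Parse the UTC ISO-8601 timestamp with fractional seconds that ES writes."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def as_bool(value):
    """Accept a real boolean or the strings "true"/"false"; reject anything else."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "false"):
        return text == "true"
    raise ValueError(f"unexpected value for 'empty': {value!r}")


def detect_changes(docs, now, window_minutes=5):
    """Per card, the transitions that landed inside [now - window, now].

    Returns {card_key: {"changes": int, "flapping": bool, "last_value": bool,
    "transitions": [(timestamp, old_value_or_None, new_value), ...]}}.
    The old value comes from the previous document even when that document
    is older than the window; None means no earlier document was seen.
    Cards with no document in the window are omitted (nothing to alert on).
    """
    cutoff = parse_ts(now) - timedelta(minutes=window_minutes)
    by_card = defaultdict(list)
    for doc in docs:
        by_card[card_key(doc)].append((parse_ts(doc["@timestamp"]), as_bool(doc["empty"])))

    results = {}
    for key, events in by_card.items():
        events.sort()                       # oldest first, so "previous" is well defined
        transitions, prev = [], None
        for ts, value in events:
            if ts >= cutoff:
                transitions.append((ts, prev, value))
            prev = value
        if transitions:
            results[key] = {
                "changes": len(transitions),
                "flapping": len(transitions) >= 2,
                "last_value": transitions[-1][2],
                "transitions": transitions,
            }
    return results


def latest_only(docs):
    """What a latest transform keeps: one newest value per card, no history."""
    newest = {}
    for doc in docs:
        ts = parse_ts(doc["@timestamp"])
        key = card_key(doc)
        if key not in newest or ts > newest[key][0]:
            newest[key] = (ts, as_bool(doc["empty"]))
    return {key: value for key, (_, value) in newest.items()}


if __name__ == "__main__":
    for key, info in detect_changes(SAMPLE_DOCS, EXAMPLE_NOW).items():
        print(key, "changes:", info["changes"], "flapping:", info["flapping"],
              "last:", info["last_value"])
    print("latest transform view:", latest_only(SAMPLE_DOCS))
```

In the constructed data the SLOT-1/LM-1 card goes true, false, true inside the window: the windowed check reports two changes and a flap, while `latest_only` shows it as true, the same value it had before the window, which is why a rule on the latest-transform index alone cannot see that flap. The normalisation in `as_bool` matters because the posted document stores `"empty": "true"` as a string; a rule that compares against a JSON boolean would never match.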

Well, I think that this changes everything. If you will only receive data from the device, or will only have this field, when the value changes, then a simple rule looking for the existence of this field would be enough.


Are you sure that’s what you meant to write? If it is, and “send data” means “a document will be indexed into Elasticsearch”, then all you need is an alert whenever a document is indexed.

You keep using this expression “on-change only”. That is not an Elasticsearch concept. I could try to guess what you mean, but why should I guess? Similarly, does “send data” mean a doc will be indexed, or will an existing document possibly be updated?

Rule of thumb - if you are asked multiple times by multiple people to better describe the problem, you have possibly not done the greatest job at explaining the problem! The whole thread has been a lesson in the costs of not being clear. You probably have an interesting problem, but it’s too painful to work out what your actual problem is.