I'm working on some alerting functionality that I'd like some help with. The end goal is to return the count and field to our email connector that is the result of a query with aggregations/filters.
In SQL, it would be something like:
SELECT field2, count(*) FROM index WHERE field1 = something GROUP BY field2
To output a table like:
Field 2 | count
XX | 42
YY | 2
ZZ | 16
The index aggregation alert allows me to run most of the functionality, but I can't filter by fields.
I feel like I need to go in more depth into a query alert, with a custom query that combines the filters/aggregations.
From there, I want to be able to return the value of the aggregation query to my alert which then sends off using an email connector. Which variable in the list of assigned <<>> values would support this?
yes, the index threshold rule type does not yet support filters; in theory you could create a filtered alias to do that filtering, then use that alias with the rule.
The elasticsearch query rule is the other "generic" rule type, but does not yet support aggregations, so I don't think you can use that one either.
You might want to look at the Log Threshold or Metrics Threshold rule. The index patterns used for those rules are set in per-Kibana settings in the Observability solution pages in Kibana. I believe those indices may need to be ECS compatible as well, but it's possible that could be managed via field aliases, constant_keyword fields, etc ... Here's the doc for the metrics threshold index settings: Configure settings | Observability Guide [8.3] | Elastic
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.