Alerting - OR condition in Log threshold rule type

We are currently migrating from the third-party Elastalert package for alerting on data in Elasticsearch to the native Kibana Alerting capabilities. On that path we have come across the issue that it does not seem possible to have OR conditions in the log threshold rule type. Any workaround to achieve this?

An example of an Elastalert query we would like to bring into the native platform would be "(message: busy AND message: "5:011") OR (message: status AND message: "6:091") OR (message: Status AND message:"Terminal Offline")"

The short answer is yes. Create the search in Discover and then click Alerts to create a "Search Threshold Rule".

2 Likes
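The OR-of-AND filter from the question, written out as an Elasticsearch Query DSL `bool` query (added example, not part of the original thread and not Kibana's own code). It assumes `message` is an analyzed text field and that the query is used somewhere that accepts Query DSL; the `matches` helper and the sample messages are constructed here to check the boolean logic offline.

```python
import json
import re

# The three AND-groups from the question's Elastalert filter; a value that
# was quoted in the original is marked phrase=True.
GROUPS = [
    [("busy", False), ("5:011", True)],
    [("status", False), ("6:091", True)],
    [("Status", False), ("Terminal Offline", True)],
]

def build_query(groups, field="message"):
    """Return a Query DSL bool query: OR (should) over AND (must) groups."""
    should = []
    for group in groups:
        must = [{("match_phrase" if phrase else "match"): {field: value}}
                for value, phrase in group]
        should.append({"bool": {"must": must}})
    # minimum_should_match=1 makes "at least one group matches" explicit.
    return {"query": {"bool": {"should": should, "minimum_should_match": 1}}}

def matches(groups, message):
    """Offline check of the boolean logic only. Approximation: terms match as
    case-insensitive whole words, phrases as case-insensitive substrings;
    this is not Elasticsearch's analyzer."""
    text = message.lower()
    def hit(value, phrase):
        needle = value.lower()
        if phrase:
            return needle in text
        return re.search(r"\b" + re.escape(needle) + r"\b", text) is not None
    return any(all(hit(v, p) for v, p in group) for group in groups)

# Constructed sample messages (not from a real system).
SAMPLES = [
    "Terminal 12 busy code 5:011",
    "status report 6:091 received",
    "Status: Terminal Offline",
    "busy but code 6:091",
    "heartbeat ok",
]

if __name__ == "__main__":
    print(json.dumps(build_query(GROUPS), indent=2))
    for msg in SAMPLES:
        print(matches(GROUPS, msg), msg)
```

The fourth sample is the case worth checking before enabling a rule: it contains a term from one group and a phrase from another, and must not fire.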