Is it possible to create either an alert or a watcher that is based off the count of a specific field?
I currently have application logs that ingest into elasticsearch. I then have a timelion graph that graphs the count of the field 'message_code:200'. This is good to see visual changes, but requires someone to visually see it.
Based off this, I want to create an email alert that notifies me if the count reaches over a certain threshold (eg: 500 count).
This seems pretty simple, but I can't seem to find which alert I should use. An Index Threshold seems the way to go, but I can't pick a specific field to count on.
Make sure the index or index pattern you want to create an alert on is in Log Indices; if not, add it. This will do two things: enable those logs to show up in the Log streaming view, log categorization, etc., and allow you to create a Log Threshold alert based on it.
Once that index / index pattern is added make sure to save at the bottom.
Then you can use the Create Alert pull-down at the top right (or you could navigate to the Alert Manager) and create an alert. You can add multiple conditions if you like. Here is a screenshot that should be pretty close to what you are looking for.
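For the other option raised in the question, a Watcher that counts documents with `message_code:200` and emails when the count passes 500, here is an added example (not part of the original thread or Elastic's documentation). It assumes an index pattern `app-logs-*`, a keyword field `message_code`, a `@timestamp` field, and an email account already configured in `elasticsearch.yml`; it is sent as the body of `PUT _watcher/watch/message_code_200_threshold`.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["app-logs-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "message_code": "200" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 500 } }
  },
  "actions": {
    "email_ops": {
      "email": {
        "to": "ops@example.com",
        "subject": "message_code:200 count exceeded 500 in the last 5 minutes",
        "body": "{{ctx.payload.hits.total}} documents matched message_code:200 in app-logs-* over the last 5 minutes."
      }
    }
  }
}
```

The `size: 0` keeps the payload to the hit count only; `hits.total` in the watcher payload is a plain integer, which is what the `compare` condition checks against the threshold. Use `POST _watcher/watch/message_code_200_threshold/_execute` to dry-run it before relying on the schedule.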
I was trying this under a new space and forgot to add the indices to the log part for that space.
Looks like alerts are created and stored per space, and they can't be exported.
Is there a best practice on how users should be managing their alerts? My company just got gold licensing, and I am tasked with setting all our alerts up.
@bevano Glad we got that sorted and welcome aboard as a customer!
Best practices for your org... that's a big topic
The new Kibana alerting framework is still evolving, and Import / Export, Sharing, and an API to CRUD alerts are on the roadmap but still a ways out. (We don't publish roadmap dates, etc.)
What I have seen is a space that has the common alerts that everyone needs like infra metrics System Load, Disk usage etc... etc... perhaps even some common log alerts...
And then more specific Alerts in each "BU / Group's" space
That said it depends a lot on your use cases and org. BU Oriented ... Dev and Ops oriented ... both.
Also make sure you check out the Log Categorization and Classification apps; those can be very insightful.