Alerts/Rules - Elasticsearch query grouped on hostname

Garry · November 25, 2021, 9:03am

I have an Elasticsearch query which emails out on an specific Windows Event Log event id.
This is a basic query...
{
"query":{
"query_string" : {
"query" : "10028",
"fields": ["event.code"]

}
}

}

What I would like to do is

Group alerts on host.name. So a separate alert for each host meeting this criteria.
Include the hostname in the emails.

Is an Elasticsearch query the best way to configure this?
Any ideas?

system · December 23, 2021, 9:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alert on Windows event id to be grouped by and include hostname Kibana	2	320	December 30, 2021
Rules and connectors examples? Kibana elastic-stack-alerting	2	1743	November 4, 2021
Little help understanding a document query issue Elasticsearch elastic-stack-security , fleet	1	128	January 30, 2024
Kibana Email Alert Kibana elastic-stack-alerting	8	3416	July 1, 2022
Creating an Elasticsearch Alert Email Connector containing "winlog.event_data.TargetUserName"? Metrics elastic-stack-alerting	1	314	August 9, 2023

Alerts/Rules - Elasticsearch query grouped on hostname

Related Topics