Hi,
Currently I am ingesting log files from two radius servers.
Setup of filebeat to ingest the logs is currently managed by Fleet - with the log file integration.
The log files are passed through a pipeline and then stored within a a datastream. All the above is working as expected and I am able to browse the logs with no issues.
Now I would like to apply a Log Threshold alert that will monitor the datastream and send an alert should the number of logs ingested from either radius-A or radius-B drop below a specific threshold with in a minute. i.e. less than 10 loglines in the past minute.
I seem to be able to create the logic for the alert fairly easily however it applies to all monitoring hosts as I am currently monitoring logs from other servers as well (not only radius-A and radius-B).
I have attempted to achieve the above by using the group by field but after further investigation in the documentation it seems that is not the intend purpose for the function.
Any assistance with the above would be greatly appreciated - let me know if anything is unclear or needs better explanation.
Thanks in advanced
Rapture