We are monitoring infrastructure (around 5000 servers) using different monitoring tools (around 5 tools). Whenever any server goes down, all monitoring tools generate an event and send an email. So, approximately, if server A is down, there are 5 events (converted to emails) from the monitoring tools (one event from each tool). The same goes for server B (one event from each monitoring tool, hence 5 events for server B). Instead of sending 5 notifications (events) for the same device, we want to send only one event (via email) out of the 5 events from one device. That means if server A and server B are down, the tools generate 5 events on server A and 5 events on server B; we want to send one event for server A and another event for server B. We are able to load the events (here, 10 events) into Elasticsearch. Which alert rule/configuration do we need to use to generate two emails (one for server A and another for server B) in ElastAlert?
Note: We are using the last 10 min time period.
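
One way to express this per-server suppression as an ElastAlert rule, added here as an example and not part of the original post. The index pattern, the `status` and `hostname` field names, the rule name and the recipient address are assumptions about how the events are stored.

```yaml
# ElastAlert rule file (added example; index, field names and address are assumptions).
# Connection settings (es_host, es_port) are expected in the global config.yaml.
name: server-down-one-mail-per-host

# "any" matches every document the filter returns; de-duplication is done by realert below.
type: any

# Assumed index pattern holding the events from all five monitoring tools.
index: monitoring-events-*

# Assumed event schema: each tool writes status "down" and the affected server in "hostname".
filter:
- term:
    status: "down"

# Track alerts separately per server, so server A and server B are handled independently.
query_key: hostname

# After the first alert for a given hostname, ignore further matches for that same
# hostname for 10 minutes. With query_key set, realert is applied per key.
realert:
  minutes: 10

alert:
- email
email:
- "ops-team@example.com"   # placeholder recipient

# Put the affected server in the subject so the two mails are distinguishable.
alert_subject: "Server down: {0}"
alert_subject_args:
- hostname
```

With the ten events described above, the first event per `hostname` produces an email and the remaining four for that server fall inside the `realert` window, giving one email for server A and one for server B.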