Combine a few rules into 1 rule

yuswanul · March 28, 2024, 9:27am

Hello guys,

I have a case about alerting here. so, the condition to trigger this alert is so simple.
there are 3 codes that I watched using this alert which are 68, 40, X5
if code 68 appeared 10 times in 1 minute, then trigger the alert
if code 40 appeared 10 times in 1 minute, then trigger the alert and so on for X5

and I tried to use the elasticsearch query because it needs to point to an index in my cluster and the query looks like this:

"aggs": {
    "0": {
      "terms": {
        "field": "responseCode.keyword",
        "order": {
          "_count": "desc"
        },
        "size": 5
      }
    }
  },
  "size": 0,
"query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "responseCode": "68"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "responseCode": "X5"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }

after I set the threshold and tested the query, I got the sum result from each code. it gives me 18 documents matching the condition. but this "18" was obtained from the sum between code 68 and X5 while the real values are Code 68 has 9 records and Code X5 also has 9 records. if you look at the condition that I mentioned above, this situation should not trigger the alert. but because it sums up each response code record, it triggers the alert.

How can I combine those conditions into 1 rule? because there would be so many rules I need to create if I make 1 condition for 1 rule. is it possible to separate the record of each response code and match them separately too with the threshold?

Thanks

richcollier · March 28, 2024, 2:58pm

well certainly you can accomplish this pretty easily in ES|QL (requires latest version)

Here's an example:

from kibana_sample_data_logs
| stats r404=count(response.keyword == "404" or NULL), r503=count(response.keyword == "503" or NULL) 
| where r404 > 500 or r503 > 800

Then build an alert off of this (Alert menu at top right)

yuswanul · March 28, 2024, 3:45pm

So based on your example, the only thing that triggered from the alert is r404?

Pada Kam, 28 Mar 2024 22.08, rich collier via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> menulis:

richcollier · March 28, 2024, 4:17pm

correct

richcollier · March 28, 2024, 5:57pm

Are you planning to use Kibana Alerts or Watcher?

yuswanul · March 28, 2024, 10:29pm

Kibana alert, actually

Pada Jum, 29 Mar 2024 01.07, rich collier via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> menulis:

system · April 25, 2024, 10:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alerting - Search Threshold/ES Query Rule Kibana	6	291	April 5, 2024
Define Multiple Conditions in an Alert Kibana elastic-stack-alerting	2	490	February 6, 2023
Kibana alerting mechanism Kibana	2	260	August 12, 2022
Create a Kibana Rule Kibana painless , kql-kibana-query-language , detection-rules , kibana-plugin-development , eql-elastic-query-language	3	285	December 28, 2023
Alert query for multiple indexes Elasticsearch elastic-stack-alerting	2	1081	May 20, 2020

Combine a few rules into 1 rule

Related topics