Combine a few rules into 1 rule

Hello guys,

I have a case about alerting here. So, the condition to trigger this alert is quite simple.
There are 3 codes that I watch using this alert, which are 68, 40 and X5:
if code 68 appears 10 times in 1 minute, then trigger the alert;
if code 40 appears 10 times in 1 minute, then trigger the alert; and so on for X5.

And I tried to use the Elasticsearch query rule type because it needs to point to an index in my cluster. The query looks like this:

```json
{
  "aggs": {
    "0": {
      "terms": {
        "field": "responseCode.keyword",
        "order": {
          "_count": "desc"
        },
        "size": 5
      }
    }
  },
  "size": 0,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "responseCode": "68"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "responseCode": "X5"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
```

After I set the threshold and tested the query, I got the summed result from both codes: it gives me 18 documents matching the condition. But this "18" was obtained from the sum of code 68 and code X5, while the real values are that code 68 has 9 records and code X5 also has 9 records. If you look at the condition I mentioned above, this situation should not trigger the alert, but because it sums up the records of each response code, it triggers the alert.

How can I combine those conditions into 1 rule? There would be so many rules I need to create if I make 1 rule per condition. Is it possible to separate the records of each response code and match each of them separately against the threshold?

Thanks

Well, certainly you can accomplish this pretty easily in ES|QL (requires the latest version).

Here's an example:

```esql
from kibana_sample_data_logs
| stats r404=count(response.keyword == "404" or NULL), r503=count(response.keyword == "503" or NULL)
| where r404 > 500 or r503 > 800
```

Then build an alert off of this (Alerts menu at the top right).

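As an added example (not code from the thread or from Elastic), the Python below reproduces the failure mode in the question and the fix in the answer, offline: a plain hit count over an OR filter sums every watched code (9 x 68 + 9 x X5 = 18 crosses a threshold of 10 although no single code did), while counting per code first and comparing each count to its own threshold does not fire. It also generalises the answer's ES|QL pattern to any number of codes; `count(x == "v" or NULL)` works because `FALSE OR NULL` is NULL and `count()` skips nulls, so each column counts only rows with that code. The log records, the `responseCode` field, the index name and the `r_<code>` column names are constructed for this example.

```python
"""Per-code threshold evaluation for response-code alerts (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real data. Each is (timestamp, responseCode).
WINDOW_START = datetime(2024, 3, 28, 15, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [{"@timestamp": WINDOW_START + timedelta(seconds=i * 5), "responseCode": "68"} for i in range(9)]
    + [{"@timestamp": WINDOW_START + timedelta(seconds=i * 6), "responseCode": "X5"} for i in range(9)]
    + [{"@timestamp": WINDOW_START + timedelta(seconds=i * 4), "responseCode": "40"} for i in range(3)]
    + [{"@timestamp": WINDOW_START + timedelta(seconds=20), "responseCode": "200"}]  # not watched
    + [{"@timestamp": WINDOW_START + timedelta(seconds=90), "responseCode": "68"}]   # outside the 1-minute window
)
# Same data plus two more code-68 hits inside the window: 68 alone reaches 11.
SAMPLE_EVENTS_BURST = SAMPLE_EVENTS + [
    {"@timestamp": WINDOW_START + timedelta(seconds=50), "responseCode": "68"},
    {"@timestamp": WINDOW_START + timedelta(seconds=55), "responseCode": "68"},
]

# One threshold per watched code, as in the question (10 hits in 1 minute each).
THRESHOLDS = {"68": 10, "40": 10, "X5": 10}


def in_window(events, start, seconds=60):
    """Keep events with start <= @timestamp < start + seconds (the rule's look-back window)."""
    end = start + timedelta(seconds=seconds)
    return [e for e in events if start <= e["@timestamp"] < end]


def naive_or_filter_count(events, watched):
    """What a hit-count threshold on an OR filter sees: one total across all watched codes."""
    return sum(1 for e in events if e["responseCode"] in watched)


def per_code_counts(events, watched):
    """One count per watched code, the equivalent of a terms-aggregation bucket per code."""
    counts = Counter(e["responseCode"] for e in events if e["responseCode"] in watched)
    return {code: counts.get(code, 0) for code in watched}


def codes_over_threshold(events, thresholds, start, seconds=60):
    """Codes whose own count inside the window reaches that code's threshold."""
    counts = per_code_counts(in_window(events, start, seconds), thresholds)
    return sorted(code for code, n in counts.items() if n >= thresholds[code])


def build_esql(index, field, thresholds):
    """Generalise the answer's ES|QL pattern to N codes.

    Column names r_<code> are an assumption of this example; the conditional
    count relies on FALSE OR NULL being NULL, which count() ignores.
    """
    stats = ", ".join(f'r_{c}=count({field} == "{c}" or NULL)' for c in thresholds)
    where = " or ".join(f"r_{c} >= {t}" for c, t in thresholds.items())
    return f"from {index}\n| stats {stats}\n| where {where}"


if __name__ == "__main__":
    window = in_window(SAMPLE_EVENTS, WINDOW_START)
    print("OR-filter total over 68 and X5:", naive_or_filter_count(window, {"68", "X5"}))
    print("per-code counts:", per_code_counts(window, THRESHOLDS))
    print("codes to alert on:", codes_over_threshold(SAMPLE_EVENTS, THRESHOLDS, WINDOW_START))
    print("codes to alert on (burst):", codes_over_threshold(SAMPLE_EVENTS_BURST, THRESHOLDS, WINDOW_START))
    print(build_esql("my-index", "responseCode.keyword", THRESHOLDS))
```

The naive total is exactly the 18 from the question and would fire a single-threshold rule; the per-code evaluation fires only when one code reaches 10 on its own, and `build_esql` emits the ES|QL to express the same logic in one Kibana rule.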

So based on your example, the only thing that triggered the alert is r404?

On Thu, 28 Mar 2024 22.08, rich collier via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> wrote:

Correct.

Are you planning to use Kibana Alerts or Watcher?

Kibana alerts, actually.

On Fri, 29 Mar 2024 01.07, rich collier via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> wrote: