Hello guys,
I have a case about alerting here. So, the condition to trigger this alert is very simple.
There are 3 codes that I watch using this alert, which are 68, 40, and X5:
If code 68 appears 10 times in 1 minute, then trigger the alert.
If code 40 appears 10 times in 1 minute, then trigger the alert, and so on for X5.
I tried to use the Elasticsearch query because it needs to point to an index in my cluster, and the query looks like this:
```json
{
  "aggs": {
    "0": {
      "terms": {
        "field": "responseCode.keyword",
        "order": {
          "_count": "desc"
        },
        "size": 5
      }
    }
  },
  "size": 0,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "responseCode": "68"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "responseCode": "X5"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
```
After I set the threshold and tested the query, I got the summed result across the codes: it gives me 18 documents matching the condition. But this "18" was obtained from the sum of code 68 and X5, while the real values are that code 68 has 9 records and code X5 also has 9 records. If you look at the condition that I mentioned above, this situation should not trigger the alert, but because it sums up the records of each response code, it triggers the alert.
How can I combine those conditions into 1 rule? Because there would be so many rules I need to create if I make 1 condition per rule. Is it possible to separate the records of each response code and match them separately against the threshold too?
Thanks
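One way to get a per-code threshold out of a single query, as an added example that is not part of the original post: group hits by `responseCode.keyword` with a `terms` aggregation and attach a `bucket_selector` pipeline aggregation so only codes that individually reach the threshold survive, then evaluate the buckets instead of the total hit count. The time field `@timestamp`, the 1-minute window and the sample responses are assumptions; whether the alerting rule can act on aggregation buckets rather than on the hit total depends on the rule type, which the post does not say.

```python
# Added example (not the original poster's query): per-code threshold evaluation.
import json

WATCHED_CODES = ["68", "40", "X5"]  # codes named in the post
THRESHOLD = 10                      # hits per code per minute, from the post


def build_query(codes, threshold, window="1m", time_field="@timestamp"):
    """Request body whose terms buckets contain only codes at/over the threshold.
    time_field is an assumption; the post does not name its timestamp field."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {time_field: {"gte": f"now-{window}"}}},
            {"terms": {"responseCode.keyword": codes}},
        ]}},
        "aggs": {"by_code": {
            "terms": {"field": "responseCode.keyword", "size": len(codes)},
            "aggs": {"over_threshold": {"bucket_selector": {
                # _count is the bucket's doc_count; buckets failing the
                # script are dropped from the response.
                "buckets_path": {"count": "_count"},
                "script": f"params.count >= {threshold}",
            }}},
        }},
    }


def codes_over_threshold(response, threshold):
    """Evaluate each code on its own: return [(code, count)] for codes that
    individually reach the threshold, ignoring the summed hit total."""
    buckets = response["aggregations"]["by_code"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] >= threshold]


# Constructed responses (shape of a terms aggregation result, no bucket_selector
# applied) so the evaluation can be shown offline.
NINE_PLUS_NINE = {"hits": {"total": {"value": 18}}, "aggregations": {"by_code": {
    "buckets": [{"key": "68", "doc_count": 9}, {"key": "X5", "doc_count": 9}]}}}
ONE_CODE_SPIKES = {"hits": {"total": {"value": 13}}, "aggregations": {"by_code": {
    "buckets": [{"key": "68", "doc_count": 10}, {"key": "X5", "doc_count": 3}]}}}

if __name__ == "__main__":
    print(json.dumps(build_query(WATCHED_CODES, THRESHOLD), indent=2))
    print(codes_over_threshold(NINE_PLUS_NINE, THRESHOLD))    # [] -> no alert
    print(codes_over_threshold(ONE_CODE_SPIKES, THRESHOLD))  # [('68', 10)] -> alert
```

The 18-hit case from the post yields no code over the threshold, while a single code at 10 does, which is the distinction the summed hit count loses.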