Create a Kibana Rule

Kibana: version 7.17.3

I am trying to create a Rule in Kibana Alerts and Insights, but I'm having some difficulties.
To contextualize:
1- I want to calculate the total of documents in last 5 minutes
2- Calculate the number of documents with response_code field > 400
3- Alert should be activated when the number of documents with response_code field > 400 is above 2% of total documents

What I have for now:

My query is:

{
  "query": {
    "match_all": {}
  },
  "aggs": {
    "window": {
      "filters": {
        "filters": {
          "all": { "match_all": {} }
        }
      },
      "aggs": {
        "total_requests": {
          "value_count": {
            "field": "id_request"
          }
        },
        "errors": {
          "filter": {
            "range": {
              "response_code": {
                "gte": 400,
                "lt": 500
              }
            }
          },
          "aggs": {
            "total_errors": {
              "value_count": {
                "field": "id_request"
              }
            }
          }
        },
        "percentual_errors": {
          "bucket_script": {
            "buckets_path": {
              "errors": "errors>total_errors",
              "total": "total_requests"
            },
            "script": "params.errors / params.total"
          }
        },
        "above_threshold": {
          "bucket_selector": {
            "buckets_path": {
              "ratio": "percentual_errors"
            },
            "script": "params.ratio > 0.02"
          }
        }
      }
    }
  }
}

My problem is that Kibana is expecting that I select a number of documents that should match, but I only want to activate the rule when the condition is true.
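The rule logic described in the post (documents in the last 5 minutes, 4xx share above 2%) can be checked locally before it goes into a Kibana rule. The following Python is an added example, not code from the original post or from Elastic: it applies the same time window and the same response_code range (gte 400, lt 500) that the posted aggregation uses to a constructed set of documents, counting only documents that carry id_request, as value_count on that field would. Field names, the fixed "now" and the sample documents are assumptions made for the example.

```python
"""Added example (not from the original post): evaluate the 4xx error-ratio
rule locally over constructed documents, mirroring the 5-minute window and the
response_code range used in the posted aggregation, so the threshold logic can
be checked before it is put into a Kibana rule."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 0.02          # alert when errors / total is above 2%
ERROR_RANGE = (400, 500)  # gte 400, lt 500, as in the posted range filter


def evaluate_error_ratio(docs, now, window=WINDOW, threshold=THRESHOLD,
                         error_range=ERROR_RANGE):
    """Return (total, errors, ratio, alert) for documents in (now - window, now].

    Each doc is a dict with "@timestamp" (an aware datetime), "id_request" and
    "response_code". Documents without id_request are skipped, which matches
    what value_count on that field would count.
    """
    lo, hi = error_range
    start = now - window
    total = errors = 0
    for d in docs:
        ts = d.get("@timestamp")
        if ts is None or ts <= start or ts > now or d.get("id_request") is None:
            continue
        total += 1
        code = d.get("response_code")
        if code is not None and lo <= code < hi:
            errors += 1
    # An empty window yields no ratio and never fires, instead of dividing by zero.
    ratio = errors / total if total else None
    alert = ratio is not None and ratio > threshold
    return total, errors, ratio, alert


def constructed_docs(now):
    """Constructed sample (assumed data): 100 requests inside the window, three
    of them 4xx, plus one 4xx that is too old to count and one 5xx that is
    inside the window but must not count as a 4xx error."""
    docs = []
    for i in range(100):
        ts = now - timedelta(seconds=i * 2)      # all within the last 5 minutes
        code = 404 if i in (7, 42, 88) else 200
        docs.append({"@timestamp": ts, "id_request": f"r{i}", "response_code": code})
    docs.append({"@timestamp": now - timedelta(minutes=9), "id_request": "old",
                 "response_code": 403})
    docs.append({"@timestamp": now, "id_request": "srv", "response_code": 502})
    return docs


# Fixed reference time so the example is deterministic (assumed value).
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    total, errors, ratio, alert = evaluate_error_ratio(constructed_docs(NOW), NOW)
    print(f"total={total} errors={errors} ratio={ratio:.4f} alert={alert}")
```

Two edge cases worth keeping in mind when moving this into a rule: a window with no documents must not fire (the function returns a ratio of None rather than dividing by zero), and a window sitting at exactly 2% is not "above" the threshold, so it does not fire either.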

As you are on 7.17, the ratio threshold rule might provide a solution for you.

You could use query A to be the one with the 400 response code, query B the total, and configure the ratio to be more than 0.2:
[image]

@sholzhauer Thank you so much for your help.

Actually, I have already looked at this type of rule, but my fields are empty; maybe I need some extra configuration for these. Can you give me more details?
