I am using ES Cloud 7.15.1.
I am getting log data from my website.
Now I want to write an alert for that data,
for example if status code = 500 and error = xyz, send an email.
I tried using alerts from the Security section, but when I create the rule for my index it's not returning any results; it always says 0 hits.
But we have data for that filter in the Discover section.
Any suggestions on this?
When I try creating a rule in Security I'm getting the same results as you. I expect a hit on my query but get 0 hits.
We might need more info on your exact rule, but I think there are different options for rules under Security than there are under Stack Management > Rules. You might need to use the rules in this section:
Here you can pick the Elasticsearch query type:
In this case, I test the query and get my expected 1 document matched.
I'll try to figure out why the same test in the security rules doesn't work, but hopefully this can get you going.
Tip: I did my query in Discover and then used the Inspect menu to look at the request. You really don't need or want the entire request but it's a starting point if you don't know exactly how to write the query.
Thanks for your input.
I was able to create the rule and connectors, but now the problem is that my rule only triggers once, when I disable and enable the rule; after that it's not triggering. Please help me with this.
This is my setting:
My connector setting:
Please suggest what setting is wrong.
It sounds like you're running into the built-in de-duplication of matches that occurs in the Elasticsearch query rule type. Documentation here: Elasticsearch query | Kibana Guide [master] | Elastic
To avoid this, you should set your window size the same as your "Check every" interval. Currently you are checking every minute for the last 5 days, which means you will run across the same matches in every rule run, but they will be de-duplicated. Can you set your rule to check every minute over the last minute?
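The setting the reply above recommends, written out as an added example (this is not code from the thread or from Elastic): a Python script that builds the request body the Kibana 7.15 alerting API accepts for an Elasticsearch query rule (`POST /api/alerting/rule`, sent with a `kbn-xsrf` header) and includes a check that flags a lookback window longer than the "Check every" interval, the mismatch the reply describes. The index pattern, field names, connector ID and e-mail address are assumptions; the query clause stands in for what you would copy from Discover > Inspect > Request, trimmed to its `query` object.

```python
import json
import re

# Constructed for this example: index pattern and field names are assumptions
# (the thread only says "status code = 500 and error = xyz").
INDEX_PATTERN = "website-logs-*"
TIME_FIELD = "@timestamp"

# The query clause copied from Discover > Inspect > Request, trimmed to the
# "query" object; the rest of the Discover request (aggs, highlight, sort)
# does not belong in esQuery.
ES_QUERY = {
    "query": {
        "bool": {
            "filter": [
                {"term": {"http.response.status_code": 500}},
                {"match_phrase": {"error.message": "xyz"}},
            ]
        }
    }
}

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(size, unit):
    """Convert a Kibana duration (integer size plus unit s/m/h/d) to seconds."""
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unsupported time unit: {unit!r}")
    return int(size) * _UNIT_SECONDS[unit]


def parse_interval(text):
    """Parse a schedule interval string such as "1m" or "5d" into seconds."""
    match = re.fullmatch(r"\s*(\d+)([smhd])\s*", text)
    if not match:
        raise ValueError(f"bad interval: {text!r}")
    return duration_seconds(int(match.group(1)), match.group(2))


def build_es_query_rule(name, interval, window_size, window_unit,
                        connector_id, email_to):
    """Build the body for POST /api/alerting/rule (Kibana 7.15) creating an
    Elasticsearch query rule that fires when at least one document matches
    ES_QUERY inside the lookback window and e-mails through an existing
    email connector (connector_id is a placeholder)."""
    return {
        "name": name,
        "rule_type_id": ".es-query",
        "consumer": "alerts",
        "schedule": {"interval": interval},   # "Check every"
        "notify_when": "onActiveAlert",
        "tags": ["website", "http-500"],
        "params": {
            "index": [INDEX_PATTERN],
            "timeField": TIME_FIELD,
            "esQuery": json.dumps(ES_QUERY),   # stored as a JSON string
            "size": 100,
            "timeWindowSize": window_size,     # "for the last ..."
            "timeWindowUnit": window_unit,
            "thresholdComparator": ">",        # fire when matches > 0
            "threshold": [0],
        },
        "actions": [{
            "group": "query matched",
            "id": connector_id,
            "params": {
                "to": [email_to],
                "subject": "{{context.title}}",
                "message": "{{context.message}}",
            },
        }],
    }


def check_window(rule):
    """Return a finding when the lookback window is longer than the check
    interval: every run then re-reads documents the previous run already
    matched, de-duplication suppresses them, and the rule appears to fire
    once (after enabling) and never again. Returns None when the rule is fine."""
    interval = parse_interval(rule["schedule"]["interval"])
    params = rule["params"]
    window = duration_seconds(params["timeWindowSize"], params["timeWindowUnit"])
    if window > interval:
        return (f"lookback window {window}s is longer than the check interval "
                f"{interval}s; set timeWindowSize/timeWindowUnit to match "
                f"schedule.interval")
    return None


if __name__ == "__main__":
    placeholder_connector = "00000000-0000-0000-0000-000000000000"  # assumption
    # The thread's original setting: check every minute, look back 5 days.
    broken = build_es_query_rule("http 500 xyz", "1m", 5, "d",
                                 placeholder_connector, "oncall@example.com")
    # The corrected setting: check every minute, look back one minute.
    fixed = build_es_query_rule("http 500 xyz", "1m", 1, "m",
                                placeholder_connector, "oncall@example.com")
    print("broken:", check_window(broken))
    print("fixed: ", check_window(fixed))
    print(json.dumps(fixed, indent=2))
```

Run `check_window` over a rule body before you POST it; the 5-day/1-minute combination from the screenshots is reported, the 1-minute/1-minute one is not. Keep `threshold` at `[0]` with `>` so any matching document counts, and keep `size` large enough that one run returns every new hit, otherwise the `{{context.hits}}` variable in the e-mail only shows a subset.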
Thanks for the clarification, it's working as expected.