Create alert per multiple fields

Sergi · July 27, 2020, 7:59am

Hi,

Currently, when creating an alert, we can set up for example the next scenario:

When avg system.cpu.total.pct is above 90% for the last 1 minute.

Okey...It will affect to all the hosts which matches this query, that's the reason we use: Create alert per agent.hostname.

So finally, we will receive an alert for each host and even with the hostname in the message body.

So now, let's imagine the next scenario:

We want to monitor the filesystem by mount point of each node. So we would create something like this:

The problem is that now, when we receive the message body, we won't know from what host belongs the mount point. So we will need to look for it manually. Is there some approach to Create alert per more than one fields? For example, in this case, to create alert per mount point and agent hostname.

Something interesting would be to be able to select some values from the query as variable. For example:

    {{alertName}} - {{context.group}} is in a state of {{context.alertState}} in {{agent.hostname}}

    Reason:
    {{context.reason}}

Zacqary · July 28, 2020, 3:18pm

As of Kibana 7.8 you should be able to add multiple values to Create alert per:

Does that work for you?

Sergi · July 29, 2020, 6:10am

Hi,

Thanks for your reply. It would work fine for me. The point is that I have Kibana 7.8 already.

  "name" : "xxxx",
  "cluster_name" : "xxxx",
  "cluster_uuid" : "xxx",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

On the other hand, I just can select one value in Create alert per:

How is that? Could you please help me? Thanks in advance.

Sergi · July 31, 2020, 9:14am

Hi, just for adding more information.

I tried with the latest version of Kibana (7.8.1) as well. Exactly the same behavior. I installed from the official repository which uses RPM packages. I am using red hat 7.8.

Seriously I am the only one I can not create alerts per multiple fields?

kibit86 · August 26, 2020, 5:33pm

I am having the same issue.
Is there a way to enable multi field alerts?

Sergi · August 26, 2020, 7:59pm

Hello @kibit86,

What version are you using? I didn't try it yet, but it is supposed to be officially supported from 7.9. As releases notes says.

https://www.elastic.co/guide/en/kibana/7.9/release-notes-7.9.0.html (Metrics section, first line)
https://github.com/elastic/kibana/pull/66503

system · September 23, 2020, 7:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana Alert to ServiceNow Kibana elastic-stack-alerting	2	404	October 26, 2020
Kibana Alert Index Threshold and Log Threshold Host.ip Fields Kibana elastic-stack-alerting	5	330	April 13, 2023
Kibana alert type Metric threshold add fields index to body Email Kibana	2	439	October 4, 2022
Kibana Alert variable declaration Kibana elastic-stack-monitoring , elastic-stack-alerting	5	399	August 16, 2022
Need help with creating Kibana Alert Elasticsearch elastic-stack-alerting , elastic-stack-sql	9	1532	May 17, 2021

Create alert per multiple fields

Related topics