Create an alert based on contradicting logs


I am trying to figure out alerts, and if Kibana is the best place to setup these alerts, or if it'd be better for me to write a program that queries elastic search instead.

I'm in a situation where I log tuples of the form (a, b, c, e) and want to make sure that when a, b, and c are the same, then e is the same. In other words, there shouldn't be any (a, b, c, e) and (a, b, c, e') for e != e'

I think this could be achieved using the conditions in Kibana alerting feature.

But am going to tag @Patrick_Mueller for more detailed answer .


I'm not quite sure of that. I don't think the Index threshold alert can do this, as it doesn't have any special filtering capabilities yet. It's possible the Log or Metric alerts could do this, as they do have filtering, but I'm not sure they can filter based on the suggested constraint.

We do have a feature enhancement issue open to create a more open-ended "search" alert that would presumably allow for the suggested constraint. Feel free to add this example as a use case, @mimoo -

Beyond that, I've often wondered whether creating an elasticsearch alias with a filter would be an acceptable way to handle this, today. The idea is that you create an alias of the indices you want to query on, and add a filter to that, so when querying the index via the alias, you would only see the documents which match the constraint. The alert could then be an index threshold looking for count > 0.

For more info on filtered aliases, see

thanks for the responses! I've tried aggregating all the fields (a, b, c) together instead using nested aggregation, and then counting the number of fields e I get, but no luck so far. I'll try the alias way, not sure I understand what I need to do though.

BTW, what would be another acceptable way to build alerts on top of that data? Writing a script that queries elastic search periodically and handles the heavier logic?

Good question, that I don't have an answer for. I'm not sure any of the solution-oriented alerts (ie, observability and security alerts) are abstract enough to do this directly.

One approach would be to create a job which looks through the data, and writes the matches you are looking for to a separate index; presumably the index would store a, ,b, c, e and e', so you can see all the values. Then use the index threshold alert with a count aggregation, looking for those documents in the separate index.

You might want to look into EQL as a way to search for those matches. Not sure if it can do what you need, but it does have a concept of letting you match a sequence of events. We don't yet have a generic alert that would allow you to use EQL, but I'd be interested in finding out if EQL worked out for you for this case, and so potentially an alert that used EQL might be a useful thing to have. I suspect we will eventually have an alert that supports EQL.

I'd also post the question about your query up at the ElasticSearch topic - there is likely someone there who knows more about building queries like this.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.