Create and alert based on a GROUP BY

Hi Community,

I have a system that logs a JSON object containing a user_id field into a document, and I need to create an alert that notifies me if a user makes more than a certain number of accesses within a certain time frame. I tried creating a log threshold alert, but I don't have access to the fields of the message. Alternatively, if I try to create an alert with KQL query, I don't have access to the group by function. Any advice on how to solve this?

Hi Matteo, welcome to the Elastic community.

  1. May I know what kind of access you currently have?
  2. You can refer to the log threshold alert to set this up, but it requires the count and group by commands.

Hi,
thanks for your quick response.
I am currently an "organization owner" on the ELK deployment. I read those docs this morning; still, I didn't understand how to access the fields of the JSON object (e.g. how to do message.user_id IS sth).

You can access nested fields using dot (.) only. Could you please share your sample JSON document, and on which field do you want to perform the count?

Sure,
The structure of the "message" is:
{
  "AuthenticationSuccess": {
    "status": 200,
    "user_id": "test_user",
    "message": "OK",
    "source": "portal"
  }
}
What I need to do is access the user_id field from the following alert section


but even using dot(.) I cannot access it.
What I am trying to achieve is to raise an alert if a user tries to log in too many times in a certain time frame (so I am trying to group by user, then count, and raise the alert).

This is an example of the log in the "Discovery" section

As far as I understand, you should access it like this: AuthenticationSuccess.user_id. Why are you trying to access it from the message field?

I am assuming you have shared the JSON doc structure.

Yes, my bad.
Still, it doesn't find the field.
I tried with "message.AuthenticationSuccess.user_id" as well.

Quick update: I did manage to solve my issue by using the "Alerts" section under "Security" instead of using the one in "Stack management"
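The group-by-user count that the thread is trying to express as a Kibana rule, written out as an added example (not code from the thread or from Elastic) so the logic can be tested offline: it resolves the dotted path message.AuthenticationSuccess.user_id from the sample document structure above, groups events per user, and flags any user with more than a threshold of events inside a sliding window. The log lines and the @timestamp field are constructed here, and the example assumes message has already been decoded into an object rather than indexed as a single string.

```python
import json
from collections import defaultdict
from datetime import datetime


def make_line(ts, user):
    """Build a constructed log line with the message structure from the thread."""
    return json.dumps({"@timestamp": ts, "message": {"AuthenticationSuccess": {
        "status": 200, "user_id": user, "message": "OK", "source": "portal"}}})


# Constructed sample: alice logs in 5 times in 4 minutes, bob 3 times spread over 40.
SAMPLE_LOGS = [make_line(f"2024-01-01T10:{m:02d}:00+00:00", u) for m, u in
               [(0, "alice"), (1, "alice"), (2, "alice"), (3, "alice"),
                (0, "bob"), (20, "bob"), (40, "bob"), (4, "alice")]]
FIELD = "message.AuthenticationSuccess.user_id"


def get_field(doc, path):
    """Resolve a dotted path such as 'message.AuthenticationSuccess.user_id'; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def users_over_threshold(lines, field, threshold, window_seconds):
    """Return {user: peak_count} for users exceeding `threshold` events in any window."""
    events = defaultdict(list)
    for line in lines:
        doc = json.loads(line)
        user = get_field(doc, field)
        if user is None:          # documents without the grouping field are skipped
            continue
        events[user].append(datetime.fromisoformat(doc["@timestamp"]))
    flagged = {}
    for user, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):   # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def flagged_in_sample():
    """More than 3 events per user within 5 minutes on the constructed sample."""
    return users_over_threshold(SAMPLE_LOGS, FIELD, 3, 300)
```

Running flagged_in_sample() reports only alice, whose five attempts fall inside one 5-minute window; bob's three widely spaced attempts stay under the threshold.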