I have a system that logs a JSON object containing a user_id field into a document, and I need to create an alert that notifies me if a user makes more than a certain number of accesses within a certain time frame. I tried creating a log threshold alert, but I don't have access to the fields of the message. Alternatively, if I try to create an alert with KQL query, I don't have access to the group by function. Any advice on how to solve this?
Hi,
thanks for your quick response.
I am currently an "organization owner" on the ELK deployment. I read those docs this morning; still, I didn't understand how to access the fields of the JSON object (e.g. how to do message.user_id IS sth).
Sure,
The structure of the "message" is:
{
  "AuthenticationSuccess": {
    "status": 200,
    "user_id": "test_user",
    "message": "OK",
    "source": "portal"
  }
}
What I need to do is access the user_id field from the following alert section,
but even using dot (.) I cannot access it.
What I am trying to achieve is to raise an alert if a user tries to log in too many times in a certain time frame (so I am trying to group by user, then count and raise the alert).
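The group-by-user-and-count logic the poster describes, as an added example that is not part of the original thread and not Kibana's or Elasticsearch's own alerting code: it parses the nested JSON out of the raw message string, groups events by AuthenticationSuccess.user_id, and flags any user who reaches the threshold inside a sliding time window. The sample events, the threshold and the window length are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

def _msg(user_id, status=200):
    # Builds a constructed "message" string in the shape shown in the thread.
    return json.dumps({"AuthenticationSuccess": {"status": status, "user_id": user_id,
                                                 "message": "OK", "source": "portal"}})

# Constructed sample events (timestamp, raw message string); not from the original thread.
SAMPLE_LOGS = [
    ("2024-01-01T10:00:00Z", _msg("alice")),
    ("2024-01-01T10:00:20Z", _msg("bob")),
    ("2024-01-01T10:00:40Z", _msg("alice")),
    ("2024-01-01T10:01:10Z", _msg("alice")),
    ("2024-01-01T10:01:30Z", "not json at all"),   # malformed line, skipped by the parser
    ("2024-01-01T10:02:00Z", _msg("alice")),
    ("2024-01-01T10:15:00Z", _msg("bob")),
    ("2024-01-01T10:30:00Z", _msg("bob")),
]

def extract_user_id(message):
    """Return AuthenticationSuccess.user_id from a raw JSON message, or None if it is
    not valid JSON or the nested field is missing."""
    try:
        obj = json.loads(message)
    except (json.JSONDecodeError, TypeError):
        return None
    inner = obj.get("AuthenticationSuccess") if isinstance(obj, dict) else None
    return inner.get("user_id") if isinstance(inner, dict) else None

def find_bursts(logs, threshold, window_seconds):
    """Group events by user_id and flag users with >= threshold events inside any
    sliding window of window_seconds. Returns {user_id: timestamp of first trigger}."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerts = {}
    for ts_str, message in sorted(logs):
        user = extract_user_id(message)
        if user is None:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire old events
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts_str
    return alerts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOGS, threshold=4, window_seconds=300))
```

In Elasticsearch the same grouping only works once user_id has been parsed out of the message into its own mapped field at ingest time, which is why an unparsed message string does not appear in the group-by options.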
I'm running into the same issue - many fields are missing from the Grouped Over menu options in Alerts.
The one in particular that I would like to use is cluster_name. It is not nested, and is mapped statically in the index template. Every event has this field in it, and yet
As I do not have the appropriate license to use the Security alert feature, I can't use that solution.
Any idea why some fields are not available to group by...?