Creating alerts in Kibana for a specific query

Elastic Stack Kibana
1

Hi,

I am struggling with creating an alert on Kibana. I have the license and have Slack notification connected. I have logs coming in from a HIDS and from those logs, which has logs for many different kind of activities, I only need to extract information regarding any new file created. I am assuming here that I will be using a 'Metric Threshold' alerting here to trigger an alert if the alert mechanism detects a log for any new file created in let's say, past 5 minutes.

How can I create an alert for that because in the 'Metric Threshold' settings option I don't see an option to put in a query that can help the mechanism to extract only the new file added logs from the entire set.

I saw a filter option where I can add in KQL, but I don't know how to add the index value in KQL because again, in setting I don't find an option for select index.

Kibana: 7.7.1

Please help

Thanks
Vish

2

So if I understood correctly, you need to use the Log Threshold. To be able to see the fields from your index, make sure it is included in the Logs application settings.

3

Hi,

Thank you @admlko for your reply. Where can I setup log threshold alerting cause the one I have only show index and metric threshold.

Screen Shot 2020-10-02 at 9.36.50 AM
Screen Shot 2020-10-02 at 9.36.50 AM620×955 20.6 KB

-- Vish

4

Sorry but I think you have to update.
I cannot seem to find it quickly which version introduced the feature, but at least the latest has it :slight_smile:

5

Kibana v7.x

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.