Hello everyone,
I have a strange problem with Elastic rules.
As you can see from the rule, I'm trying to trigger an alert every time a user misses a login twice (it's just a test).
The preview of the rule works only if the id is specified as text and not as .keyword (but as you can see in the image, I can't save the rule anyway if I don't specify the keyword; the label is red).
If I use keyword, it goes wrong.
But in my index, as you can see from the data view, the .keyword field is populated correctly.
Can you please help me out? Thank you very much.
Happy Christmas days to all.