Hi All,
(Elasticsearch & Kibana 7.17.2)
I'm trying to create an Elasticsearch query rule in Kibana Observability which groups by a concept. I have the following rule configured:
Index: synthetics-*
Size: 100
{
  "aggs": {
    "0": {
      "terms": {
        "field": "url.domain",
        "order": {
          "_count": "desc"
        },
        "size": 25
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "match_phrase": {
            "data_stream.dataset": "tcp"
          }
        },
        {
          "match_phrase": {
            "tags": "_dns_reverse_lookup_failed"
          }
        },
        {
          "match_phrase": {
            "tags": "dnsrpz"
          }
        }
      ]
    }
  }
}
Is Above: 5
For the Last: 5 Minutes
The issue I'm running into is that I can't figure out how to actually access the grouped by values in an Action.
I tried:
Elasticsearch query alert '{{alertName}}' is active:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}
- Timestamp: {{context.date}}
{{#context.hits}}
{{_source.url.domain}}
{{/context.hits}}
{{#context.aggregations.0.buckets}}
{{key}}
{{doc_count}}
{{/context.aggregations.0.buckets}}
While the {{#context.hits}} section is populated, the {{#context.aggregations.0.buckets}} section is blank.
Would anyone know how to achieve this?
The agg output looks something like:
"aggregations": {
  "0": {
    "doc_count_error_upper_bound": 0,
    "sum_other_doc_count": 0,
    "buckets": [
      {
        "key": "192.168.1.1",
        "doc_count": 179
      },
      {
        "key": "192.168.1.2",
        "doc_count": 179
      }
    ]
  }
}
And this is really what I want to use for the alert, not the actual hits.
Note: I tried using the Log Threshold rule, but that rule takes far too long to execute (~10 to 20 seconds!), whereas the Elasticsearch query takes ~100 ms to 1 second.
So I don't think the Log Threshold rule is the correct rule for this use case.
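As an added example (this is not code from the post above, nor from Elastic), the following Python builds the same query the rule runs and evaluates the terms aggregation per bucket outside Kibana, so the expected per-domain result ("which url.domain values exceed 5 in the last 5 minutes") can be checked independently of how the action context is populated. It also resolves a mustache-style dotted name such as aggregations.0.buckets against the response, which is what the action template is trying to do. Assumptions: the rule's time window is applied as a range filter on @timestamp, the ES_URL environment variable names an Elasticsearch endpoint, and the sample response is constructed from the buckets shown in the post plus one extra bucket (192.168.1.3) that sits below the threshold.

```python
"""Evaluate the url.domain terms aggregation per bucket, outside Kibana.

Added example; not from the original post or from Elastic.
"""
import json
import os
import urllib.request

THRESHOLD = 5        # the rule's "Is Above: 5"
WINDOW_MINUTES = 5   # the rule's "For the last: 5 Minutes"


def build_query(window_minutes=WINDOW_MINUTES, size=25):
    """Query body equivalent to the rule: the same three match_phrase filters
    and the same terms aggregation on url.domain, plus a @timestamp range for
    the look-back window (assumption: the rule applies its window to @timestamp).
    size is 0 because only the buckets are needed, not the hits."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"match_phrase": {"data_stream.dataset": "tcp"}},
            {"match_phrase": {"tags": "_dns_reverse_lookup_failed"}},
            {"match_phrase": {"tags": "dnsrpz"}},
            {"range": {"@timestamp": {"gte": f"now-{window_minutes}m", "lte": "now"}}},
        ]}},
        "aggs": {"0": {"terms": {
            "field": "url.domain",
            "order": {"_count": "desc"},
            "size": size,
        }}},
    }


def lookup(context, dotted):
    """Resolve a dotted name the way a mustache section tag addresses it,
    e.g. lookup(resp, "aggregations.0.buckets"). Numeric parts index lists;
    everything else is a dict key (so "0" matches the agg named "0")."""
    cur = context
    for part in dotted.split("."):
        cur = cur[int(part)] if isinstance(cur, list) else cur[part]
    return cur


def buckets_over(response, threshold=THRESHOLD, agg_name="0"):
    """Return (key, doc_count) for every bucket whose count exceeds threshold.
    This is the per-group condition the rule is meant to express."""
    buckets = lookup(response, f"aggregations.{agg_name}.buckets")
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] > threshold]


def render_summary(response, threshold=THRESHOLD):
    """Build the per-domain lines the action message wanted to show."""
    return "\n".join(f"- {key}: {count} (above {threshold})"
                     for key, count in buckets_over(response, threshold))


def search(es_url, index, body):
    """POST the query to Elasticsearch (only used when ES_URL is set)."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response: the two buckets from the post plus one
# constructed bucket (192.168.1.3) that is below the threshold.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 361, "relation": "eq"}, "hits": []},
    "aggregations": {"0": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
            {"key": "192.168.1.1", "doc_count": 179},
            {"key": "192.168.1.2", "doc_count": 179},
            {"key": "192.168.1.3", "doc_count": 3},
        ],
    }},
}

if __name__ == "__main__":
    es_url = os.environ.get("ES_URL")
    response = search(es_url, "synthetics-*", build_query()) if es_url else SAMPLE_RESPONSE
    print(json.dumps(build_query(), indent=2))
    print(render_summary(response))
```

Without ES_URL the script evaluates the constructed sample and prints only the two 179-count domains; with ES_URL set it runs the real query against synthetics-* and applies the same per-bucket check to the live aggregation.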