ELK 8.x Unable to create "Log threshold" Alert Rule for new Index - "There aren't any options available"

Hello Guys,

• Fresh install of ELK 8.x
• New index syslog-* created via logstash

Logstash config:

input {
  tcp {
    port => 5000
    type => syslog
    mode => "server"
    ssl_enable => true
    ssl_verify => false
    ssl_cert => "/etc/logstash/ssl/logstash.crt"
    ssl_key => "/etc/logstash/ssl/logstash.key"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "ip", "%{[@metadata][input][tcp][source][ip]}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    user => "logstash_internal"
    password => "password"
    ssl => true
    ssl_certificate_verification => false
    index => "logs-%{+YYYY.MM.dd}"
  }
  file {
    path => "/log/%{+YYYY.MM.dd}/%{syslog_hostname}/%{syslog_hostname}-%{ip}.gzip"
    gzip => true
  }

}

Logstash user role:

image1215×669 45.7 KB

Kibana rule creation issue:

image570×610 31.7 KB

Data view:

image1801×823 61.5 KB

• However when I setup Logstash output to default kibana "Data view" - logs-* then I'm able to create Alert Rule.

Am I missing something?
Please help!

Hi @Cezary Welcome to the community!

So the Logs Threshold is Aligned with the Logs viewer / Streaming etc...

Pretty Sure you need to add your index pattern to the logs settings comma separated no spaces for the alerts to work the way you want

Or you can add it as a data view (but you can only add 1 data view)

Screen Shot 2022-09-22 at 12.23.09 PM3252×1844 432 KB

Had the same issue, that helped. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.