Sorry, I wasn't too specific in my question. Indeed it's the second case - the Log Threshold rule type.
The configuration I am using, as given by the API, is:
{
  "id": "050370c0-7932-11ec-9178-69c31341d44d",
  "consumer": "logs",
  "tags": [],
  "name": "MS Email blocked",
  "enabled": true,
  "throttle": null,
  "schedule": {
    "interval": "10m"
  },
  "params": {
    "timeSize": 10,
    "timeUnit": "m",
    "count": {
      "value": 1,
      "comparator": "more than or equals"
    },
    "criteria": [
      {
        "comparator": "matches",
        "field": "message",
        "value": "S3150"
      }
    ],
    "groupBy": [
      "host.name"
    ]
  },
  "rule_type_id": "logs.alert.document.count",
  "created_by": "elastic",
  "updated_by": "elastic",
  "created_at": "2022-01-19T14:13:48.401Z",
  "updated_at": "2022-01-24T12:38:11.422Z",
  "api_key_owner": "elastic",
  "notify_when": "onActiveAlert",
  "mute_all": false,
  "muted_alert_ids": [],
  "scheduled_task_id": "4cbe8d20-79e9-11ec-9178-69c31341d44d",
  "execution_status": {
    "status": "ok",
    "last_execution_date": "2022-01-25T07:53:59.784Z",
    "last_duration": 345
  },
  "actions": [
    {
      "group": "logs.threshold.fired",
      "id": "eedd6d50-7931-11ec-9178-69c31341d44d",
      "params": {
        "documents": [
          {
            "matching_documents": "{{context.matchingDocuments}}",
            "rule_name": "{{rule.name}}",
            "rule_id": "{{rule.id}}",
            "conditions": "{{context.conditions}}",
            "@timestamp": "{{context.timestamp}}",
            "alert_id": "{{alert.id}}"
          }
        ]
      },
      "connector_type_id": ".index"
    }
  ]
}
In the screenshots below you can see that when I change the matching text query from the single word to a more specific one, I actually get more results. The longer string contains the original word plus some other strings, so it follows that the query should match either the same number of messages or fewer, never more (if it were an exact match).
(I manually added a matching string to the logs of one of my servers to verify the matching works OK - so there is exactly one result).
Let me know if there is more information you'd need! Thanks
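The following is an added example, not code from the post above or from Kibana itself. It simulates how a Log Threshold rule with the posted `params` shape (criteria, count threshold, groupBy) selects documents, under the assumption that the "matches" comparator is executed as an Elasticsearch `match` query on an analysed text field (whose terms are OR'ed by default) and "matches phrase" as a `match_phrase` query. The sample documents, host names and the simplified analyzer are constructed for this example.

```python
"""
Simulation of a Kibana Log Threshold rule's document matching, showing why a
multi-word "matches" value can fire on MORE documents than a single word.

Assumption (not verified against the post): "matches" behaves like an
Elasticsearch `match` query on a text field, i.e. the value is analysed into
terms and a document matches if ANY term occurs (default operator OR);
"matches phrase" behaves like `match_phrase` (all terms, adjacent, in order).
"""
import re
from collections import Counter

# Constructed sample documents. Only the first carries the exact string the
# rule in the post looks for ("S3150"); the others share single words with
# a longer query value.
DOCS = [
    {"host.name": "mail-01", "message": "S3150 message blocked by policy"},
    {"host.name": "mail-02", "message": "message queued for delivery"},
    {"host.name": "mail-02", "message": "sender blocked by policy"},
    {"host.name": "mail-03", "message": "user login ok"},
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def analyze(text):
    """Rough stand-in for the standard analyzer: lowercase, split on non-alphanumerics."""
    return TOKEN_RE.findall(text.lower())


def matches(field_value, query):
    """`match` semantics: true if ANY analysed query term occurs in the field."""
    field_terms = set(analyze(field_value))
    query_terms = analyze(query)
    return bool(query_terms) and any(t in field_terms for t in query_terms)


def matches_phrase(field_value, query):
    """`match_phrase` semantics: all query terms must occur adjacent and in order."""
    field_terms = analyze(field_value)
    query_terms = analyze(query)
    n = len(query_terms)
    return n > 0 and any(
        field_terms[i:i + n] == query_terms for i in range(len(field_terms) - n + 1)
    )


COMPARATORS = {"matches": matches, "matches phrase": matches_phrase}


def criterion_holds(doc, criterion):
    """Evaluate one entry of params.criteria against a document."""
    compare = COMPARATORS[criterion["comparator"]]
    return compare(doc.get(criterion["field"], ""), criterion["value"])


def count_per_group(docs, criteria, group_by):
    """Count documents satisfying every criterion, keyed by the groupBy field values."""
    counts = Counter()
    for doc in docs:
        if all(criterion_holds(doc, c) for c in criteria):
            counts[tuple(doc.get(g) for g in group_by)] += 1
    return dict(counts)


def fired_groups(docs, params):
    """Groups whose document count satisfies params.count (only 'more than or equals' here)."""
    if params["count"]["comparator"] != "more than or equals":
        raise ValueError("example only implements 'more than or equals'")
    threshold = params["count"]["value"]
    counts = count_per_group(docs, params["criteria"], params["groupBy"])
    return sorted(key for key, n in counts.items() if n >= threshold)


def rule_params(comparator, value):
    """Build a params object in the shape of the posted rule, varying only the criterion."""
    return {
        "count": {"value": 1, "comparator": "more than or equals"},
        "criteria": [{"comparator": comparator, "field": "message", "value": value}],
        "groupBy": ["host.name"],
    }


if __name__ == "__main__":
    for comparator, value in [
        ("matches", "S3150"),
        ("matches", "S3150 message blocked"),
        ("matches phrase", "S3150 message blocked"),
    ]:
        print(f"{comparator!r:18} {value!r:26} -> {fired_groups(DOCS, rule_params(comparator, value))}")
```

With these constructed documents, "matches" on `S3150` fires for `mail-01` only, while "matches" on `S3150 message blocked` also fires for `mail-02`, because the second and third documents each contain one of the analysed terms. "matches phrase" on the longer value fires for `mail-01` only. The practical caveat for a detection rule: if `message` is an analysed text field, a multi-word value under "matches" is a broader condition than the single word it contains, so a rule meant to fire on one specific string should use "matches phrase" or an exact comparison on a keyword field.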