Fire alert for each document with specific value in field


I'm currently struggling with Filebeat and Alerts.
I'm trying to build a system that would allow me to fire an alert for each document with a specific value in the log.level field.

From what I tried, I was only able to fire when N documents have a specific level. And when this alert is fired, it doesn't make one alert for each document but one telling me N documents have a log level of "Warn" (this is just an example).

Any help on how to do so would be appreciated.
Thanks in advance

Hi @Dzious ,

There are two ways to detect a condition and take actions in the stack: Kibana Alerting and Watcher.
You can check the difference here.
I don't think Kibana Alerting today allows building a condition based on a field value the way you described, but since Watcher supports ES queries you might be able to do it there.

Regards, Dzmitry

Hi @Dzmitry,
Thanks for your help.
Unfortunately I'm only able to get the basic licence, which means I won't be able to access Watcher.
Moreover, Kibana Alerting allows me to use query-based alerts. My problem is that I cannot fire an alert for each document individually, because alerts require a minimum number of matches.

Hi @Dzious!

It sounds like you are using the Elasticsearch query rule type to create your own Elasticsearch DSL query and fire alerts based on the conditions. Is that correct? If so, you are correct in that there is currently no way to trigger an action based on each matching document. The rule will trigger a single action if the specified condition is matched, and then the contents of each matching document will be available inside the context.hits action variable, where the maximum number of documents retrieved is controlled by the size parameter.

Hi @ying.mao !
Yeah, that's exactly what I tried... Sad to learn that it's not possible.
I wasn't aware of the context.hits action variable. Thanks for that.
Is there a way for me to retrieve a single document such as {{context.hits[i]}} with i < size?
Thanks in advance

Is there a way for me to retrieve a single document such as {{context.hits[i]}} with i < size?

Hi @Dzious! We use Mustache as our templating engine, so you can iterate over context.hits like this:

{{#context.hits}}
This is my document id {{_id}}
{{/context.hits}}

Or access a specific array element like this:

First hit document id: {{context.hits.0._id}}
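To see how the two templates in the answer above expand against an alert's context, here is an added example (not Kibana's code and not from anyone in the thread): a minimal Mustache-subset renderer in Python that handles {{#list}}...{{/list}} sections and dotted names with numeric indexes such as context.hits.0._id, and also reaches into the hit's _source fields, going slightly beyond the two templates shown. The hits and field names in SAMPLE_CONTEXT (_id, _source.log.level, _source.message) are constructed for the illustration; the subset implements no escaping, partials or inverted sections.

```python
import re

# Constructed sample context; _id / _source.log.level / _source.message are
# assumed field names for the illustration, not values from the original thread.
SAMPLE_CONTEXT = {
    "context": {
        "hits": [
            {"_id": "doc-1", "_source": {"log": {"level": "Warn"}, "message": "disk 91% full"}},
            {"_id": "doc-2", "_source": {"log": {"level": "Warn"}, "message": "retrying upstream"}},
        ]
    }
}

SECTION = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VARIABLE = re.compile(r"\{\{([\w.]+)\}\}")

def lookup(scope_stack, name):
    """Resolve a dotted name (e.g. 'context.hits.0._id') against the scope stack,
    innermost scope first; numeric path parts index into lists."""
    for scope in reversed(scope_stack):
        cur, found = scope, True
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            else:
                found = False
                break
        if found:
            return cur
    return ""  # Mustache renders unresolved names as empty strings

def render(template, scope_stack):
    """Expand {{#name}}...{{/name}} once per list element (pushing the element as
    the innermost scope), then substitute the remaining {{name}} variables."""
    def expand_section(m):
        value = lookup(scope_stack, m.group(1))
        items = value if isinstance(value, list) else ([value] if value else [])
        return "".join(render(m.group(2), scope_stack + [item]) for item in items)

    return VARIABLE.sub(lambda m: str(lookup(scope_stack, m.group(1))),
                        SECTION.sub(expand_section, template))

def render_alert_message(template, context=SAMPLE_CONTEXT):
    """Render an action message template the way the single alert would see context.hits."""
    return render(template, [context])
```

Rendering "{{#context.hits}}This is my document id {{_id}}\n{{/context.hits}}" yields one line per hit, which is how a single alert can still report every matching document in its message.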
