For example, if I want a rule to check logs every 10 hours and apply a 1-hour span for analysis, how would I set this up?
This is my rule:
from logs-*
| WHERE (CIDR_MATCH(source.ip, "10.0.0.0/8") OR CIDR_MATCH(source.ip, "172.16.0.0/12") OR CIDR_MATCH(source.ip, "192.168.0.0/16")) and url.domain is not null and @timestamp >= now() - 60seconds
| stats upload = sum(source.bytes) by url.domain, source.ip
| where upload >= 600
I want to start this rule every hour, but I want to sum the data in minute-sized blocks.
In Splunk there is span, but in Kibana I don't know of an alternative.
For the Elasticsearch Query rule type, using ES|QL, you don't need to apply the @timestamp >= now() - 60seconds condition, as the rule adds a filter for this automatically, based on the Time Window parameter.
However, I'm guessing this may not work for your purpose anyway, as it sounds like you need some partitioning / grouping and I assume want to alert on individual partitions / groups.
Currently the rule generates an alert if the search returns ANY matches. So you would need to construct an ES|QL query to work in that fashion.
I can't really help on ES|QL directly, I've used it a bit but am far from an expert. I suggest you post a new question with ES|QL in the title, describing what you'd like to query, and hopefully we can get someone more knowledgeable to help out.
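As an added example, not part of the original thread: the per-minute grouping the question asks for can be expressed in ES|QL with BUCKET inside STATS ... BY, so each row is one (minute, domain, source IP) combination. It assumes the fields from the question (source.ip, source.bytes, url.domain, @timestamp) and that BUCKET with a timespan literal is available in the Elasticsearch version in use.

```esql
FROM logs-*
// Keep only private (RFC 1918) source addresses, as in the original query,
// and only events that have a destination domain.
| WHERE (CIDR_MATCH(source.ip, "10.0.0.0/8")
      OR CIDR_MATCH(source.ip, "172.16.0.0/12")
      OR CIDR_MATCH(source.ip, "192.168.0.0/16"))
    AND url.domain IS NOT NULL
    AND @timestamp >= NOW() - 1 hour
// Sum uploaded bytes per one-minute block, per domain and per internal source.
// BUCKET(@timestamp, 1 minute) is the ES|QL equivalent of a one-minute span.
| STATS upload = SUM(source.bytes)
    BY minute = BUCKET(@timestamp, 1 minute), url.domain, source.ip
// Keep only the minute blocks where a source pushed at least 600 bytes to one domain.
| WHERE upload >= 600
| SORT minute DESC, upload DESC
```

When the query is used in an Elasticsearch Query rule, the rule's Time Window supplies the @timestamp filter itself (as the reply above notes), so that line is only needed when trying the query in Discover; the rule still fires once if any row is returned, not once per group.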