How to alert based on filter query count? Index Threshold Rule Type?

Elastic Stack Kibana
1

I want to set up an alert in Kibana Observability where if the number of records returned for event.dataset: login and event.outcome: failure is greater than 10 for the past minute, then set the alert rule to active.

I'm not sure which rule type I'm supposed to use for that. I read that there is an Index Threshold Rule Type: Index threshold | Kibana Guide [8.5] | Elastic . But I don't see it available in my Kibana version 8.5, see this screenshot.

image
image482×801 39.5 KB

What rule type should I be using? Or how should I go about accomplishing my goal of being notified of failed login attempts within the past minute?

2

Hi @learningelastic!

Alerts which are available in Observability UI is only a subset of all available alerts in Kibana. To see the whole list, please navigate to Stack Management > Rules page.

There is also "Elasticsearch query" type that might fit your use case. You can choose from 2 configuration options: via DSL query or via KQL/Lucene and UI controls:

Screenshot 2022-12-05 at 10.41.49
Screenshot 2022-12-05 at 10.41.491920×1221 89.2 KB

Screenshot 2022-12-05 at 10.42.09
Screenshot 2022-12-05 at 10.42.091920×1598 115 KB

The same rule type can also be defined from Discover page:
Screenshot 2022-12-05 at 10.40.51
Screenshot 2022-12-05 at 10.40.511920×813 103 KB