How to create alert monitor where hits is over 100

jamesyone · August 7, 2020, 7:31am

Hi-
Currently trying to create alert monitor in kibana where alert comes when count of certain object hits 100. For some reason, a single count triggers an alert... I want to make it so that 100 counts of the certain object than triggers an alert.. is it possible to do so? Would I just add count to the equation?

This is my current equation.. Trying to make it when 100 wafs triggers an alert!

Help is appreciated! Thanks

sai_kiran1 · August 7, 2020, 8:59am

Adding below condition after your search request should do that...

    "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gte": 100
          }
        }
      }

Thanks,
Sai

jamesyone · August 10, 2020, 9:14am

Hi Sai,

should i put it after aggregations?

sai_kiran1 · August 11, 2020, 7:48am

It Should work before/after aggregations, you can try like mentioned below

"condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gte": 100
          }
        }
      },
"aggregations": {}
}

Thanks,
Sai

jamesyone · August 12, 2020, 5:06am

Hi Sai,

I tried doing that but its not letting me update.
Did I do this right?

{
"size": 0,
"query": {
    "bool": {
        "filter": [
            {
                "range": {
                    "EdgeEndTimestamp": {
                        "from": "{{period_end}}||-5m",
                        "to": "{{period_end}}",
                        "include_lower": true,
                        "include_upper": true,
                        "format": "epoch_millis",
                        "boost": 1
                    }
                }
            },
            {
                "match_phrase": {
                    "FirewallMatchesActions": {
                        "query": "drop",
                        "slop": 0,
                        "zero_terms_query": "NONE",
                        "boost": 1
                    }
                }
            },
            {
                "match_phrase": {
                    "FirewallMatchesSources": {
                        "query": "waf",
                        "slop": 0,
                        "zero_terms_query": "NONE",
                        "boost": 1
                    }
                }
            }
        ],
        "adjust_pure_negative": true,
        "boost": 1
    }
},
        "condition": {
           "compare": {
           "ctx.payload.hits.total": {
           "gte": 100
      }
    }
  },
"aggregations": {}

}

James

sai_kiran1 · August 13, 2020, 12:58pm

James,

My bad, I was assuming the alerting is via watchers where condition can be included in painless script. Am still in 7.6 version and Alerting feature is not available. Sorry for the confusion, do let me know if you find the solution that would help me when we Upgrade.

Thanks,
Sai

jamesyone · August 17, 2020, 3:44am

BUMP

system · September 14, 2020, 3:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alerts based on increase in logged value, rather than specific threshold Kibana elastic-stack-alerting	3	1109	February 15, 2021
Need help with creating Kibana Alert Elasticsearch elastic-stack-alerting , elastic-stack-sql	9	1532	May 17, 2021
Alerts based on a field Kibana elastic-stack-alerting	4	1838	September 24, 2020
Threshold rule : how to? Elastic Security	3	2204	February 28, 2022
Alerting related queries Kibana elastic-stack-alerting	2	233	March 23, 2023

How to create alert monitor where hits is over 100

Related topics