How to get more filter in the "alarm" system

Hello! I'm working with Kibana and I need to know if something I need can be done.

I'm creating alerts from the system, and as I can see I only can create on single filter (see the screenshot attached)

2022-06-16_17h09_12

I would need somewho to get this done:

Get an alarm raised when an error 503 appears in the logs 3 or more times, in a proper field (for this example: http_status_code field is 503). BUT if I do this, I get lots of false alarms, because this error can come from various "hosts" defined in other field called "host".

I can set the trigger to raise and alarm when 3 or more 503 errors appear in the logs, but I need the system to separate the host when an error appears.

Example:

For the last 5 minutes I get logs from two hosts with this information:

Host:number 1
http_status_code: 503
Host:number 1
http_status_code: 503

Host:number two
http_status_code: 503
Host:number two
http_status_code: 503

Now I will get an alarm, becasuse I got 4 errors 503, but I don't want that, because I only want the alarm to rise when I get this error 3 or more times in THE SAME host.

Can this be done somehow?

Any help?

Thanks in advance.

@Patrick_Mueller / @ying.mao can we please get some help? Thanks,
Bhavya

The UX here doesn't appear to be Kibana - is this OpenSearch? If this does happen to be Kibana, what rule type is this?

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Yes, it's OpenSearch. Sorry about that.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.