Hi,
I have a condition here...
Log source 1 = Malwarebytes
Log source 2 = Symantec
Log source 3 = Vectra IDS
Index name = logstash-security
All are combined in a single index, and I want to monitor the log sources: if any of them stops sending me logs, I need to trigger an alert with the specific log source name, or by using any field of the missing log source.
Right now I am able to monitor and put threshold alerts on the index, but I am not able to put a threshold on a per-log-source basis, by using any field value or any other way.
Is it possible? Please help.
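The detection logic the question asks for, as an added example that is not part of the original post: group recent events from the combined index by a per-source field (assumed here to be called `log_source`), take the newest timestamp per source, and flag every expected source whose last event is older than its threshold. A source that never appears in the window is reported too, since it would be absent from any per-source aggregation. The events below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events from the single index "logstash-security".
# "log_source" is an assumed field name; substitute whatever field carries the source.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "log_source": "Malwarebytes"},
    {"@timestamp": "2024-05-01T10:55:00Z", "log_source": "Malwarebytes"},
    {"@timestamp": "2024-05-01T09:20:00Z", "log_source": "Symantec"},
    {"@timestamp": "2024-05-01T10:58:00Z", "log_source": "Vectra IDS"},
]

# Every source that is supposed to be feeding the index.
EXPECTED_SOURCES = ["Malwarebytes", "Symantec", "Vectra IDS"]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def last_seen_by_source(events, field="log_source"):
    """Newest timestamp per source: the same result a terms aggregation on
    the source field with a max sub-aggregation on @timestamp would give."""
    seen = {}
    for ev in events:
        src = ev.get(field)
        if src is None:
            continue  # event carries no source field; cannot be attributed
        ts = parse_ts(ev["@timestamp"])
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def find_silent_sources(events, expected, now, thresholds=None,
                        default_gap=timedelta(minutes=30)):
    """Return {source: last_seen_or_None} for each expected source that has been
    quiet longer than its own threshold (thresholds is an optional per-source dict)."""
    thresholds = thresholds or {}
    seen = last_seen_by_source(events)
    silent = {}
    for src in expected:
        last = seen.get(src)
        gap = thresholds.get(src, default_gap)
        if last is None or now - last > gap:
            silent[src] = last  # None means: no event at all in the window
    return silent


def silent_source_names(events, expected, now_str, thresholds=None):
    """Convenience wrapper returning just the sorted names to put in the alert."""
    return sorted(find_silent_sources(events, expected, parse_ts(now_str), thresholds))
```

Run against a 1-hour search window: Symantec, whose last event is 100 minutes old, is the only source of the three that trips the 30-minute default.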