How to set threshold for multiple log sources those are sending logs using single index


(Anuj Shrivastava) #1


i have a condition here...

Logsource 1 = Malwarebytes
Logsource 2 = Symantec
Logsource 3 = Vectra IDS

Index name = logstash-security

All are combined in a single Index, and I want to monitor logs sources if any of them stops sending me logs, I need to trigger an alert with the specific Log source Name, or by using any field of missing log source.
right now i am able to monitor and put threshold alerts on the index but i am not able to put threshold on logsource basis, by using any field value or any other way.
Is it possible? please help

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.