I would like to set up an alert that follows a logic like:
Trigger when: text:"ErrorCode: 1036", IP count > 5, now-1h, where the IP is an unknown constant.
I end up where I always need to specify the IP in advance or manually review a dashboard to get the information that I want rather than have it as an automated watcher alert.
Is it possible to modify the following watcher alert, set up for a known specified IP, to trigger for count > 5 for an unknown IP?
Try using an aggregation that aggregates on the IP, so that you can see if there is a bucket with a document count > 5... if there is one or more IP addresses with a count greater than five you will see it.
You can use the Execute Watch API to configure an alternative input that should make your condition trigger, in order to check if everything is working.
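A watch built the way the answer describes, added here as an example (it is not code from the original thread or from Elastic); the index pattern, the `message` and `client.ip` field names, the schedule interval and the sample payload are assumptions:

```python
# Assumed names (not from the original post): index pattern "logs-*",
# text field "message", keyword IP field "client.ip".
THRESHOLD = 5        # "IP count > 5"
WINDOW = "now-1h"    # "now-1h"

def build_watch(index_pattern="logs-*", ip_field="client.ip", threshold=THRESHOLD):
    """Watch body: a terms aggregation on the IP field. min_doc_count drops
    every bucket with threshold or fewer hits, so any bucket that survives is
    an IP that crossed the threshold without being named in advance."""
    return {
        "trigger": {"schedule": {"interval": "10m"}},
        "input": {"search": {"request": {
            "indices": [index_pattern],
            "body": {
                "size": 0,
                "query": {"bool": {"filter": [
                    {"match_phrase": {"message": "ErrorCode: 1036"}},
                    {"range": {"@timestamp": {"gte": WINDOW}}},
                ]}},
                "aggs": {"by_ip": {"terms": {
                    "field": ip_field,
                    "min_doc_count": threshold + 1,
                    "size": 100,
                }}},
            },
        }}},
        # Painless condition: fire if at least one bucket survived min_doc_count.
        "condition": {"script": {"source":
            "return ctx.payload.aggregations.by_ip.buckets.size() > 0"}},
        # Mustache template lists every offending IP with its count.
        "actions": {"log_offending_ips": {"logging": {"text":
            "IPs with more than %d 'ErrorCode: 1036' hits in the last hour: "
            "{{#ctx.payload.aggregations.by_ip.buckets}}{{key}}={{doc_count}} "
            "{{/ctx.payload.aggregations.by_ip.buckets}}" % threshold}}},
    }

def offending_ips(payload, threshold=THRESHOLD):
    """The same check the condition script makes, mirrored in Python so the
    bucket logic can be exercised offline against a captured response."""
    buckets = payload["aggregations"]["by_ip"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] > threshold]

# Constructed sample of what ctx.payload would hold; the 3-hit bucket shows
# what a query without min_doc_count returns and is filtered out here.
SAMPLE_PAYLOAD = {"aggregations": {"by_ip": {"buckets": [
    {"key": "203.0.113.7", "doc_count": 12},
    {"key": "198.51.100.4", "doc_count": 6},
    {"key": "192.0.2.9", "doc_count": 3},
]}}}
```

The `build_watch()` dict is the body to PUT to the Watcher API; feed `SAMPLE_PAYLOAD` through the Execute Watch API's alternative input to confirm the condition fires before relying on the schedule.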