How to set up a threshold alert for count of one specific type of value on keyword field

I am trying to create a threshold alert for a keyword field called status

The status field has 3 possible values
Suspended
Rejected
Warning

Well I do not care for Warnings

I would like alerts for count of Status =
Suspended > 1 in the last 5 minutes
Rejected > 10 in the last 5 minutes

Using the GUI in Kibana for creating threshold alerts,
it seems I cannot filter out the results I want and focus the alert to fire only when one type of status is bigger than the threshold.

Is there a way to just focus on the key = Rejected only instead of putting all 3 types of status together?

Here is a sample of the email I get. I put the whole payload into the body to see the available info.

Too many Rejections in the last 5 min
[{name=hl7-rejections, watcherui={trigger_interval_unit=m, agg_type=count, time_field=@timestamp, trigger_interval_size=1, term_size=3, time_window_unit=m, threshold_comparator=>, term_field=status, index=[hl7log*], time_window_size=5, threshold=6, agg_field=null}, xpack={type=threshold}}] [{results=[{value=11, key=Warning}, {value=7, key=Rejected}]}]
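
One way to get per-status thresholds, as an added example that is not part of the original post and is not Elastic's own code: an advanced (JSON) watch that counts only Suspended and Rejected in named filter buckets and compares each against its own limit, so Warning never enters the result. The index pattern, field names, 1-minute interval and 5-minute window are taken from the payload above; the bucket name `by_status`, the action name `log_status_counts` and the logging action itself are assumptions standing in for the email action.

```json
{
  "metadata": { "note": "Added example. Thresholds are from the post; names by_status and log_status_counts are hypothetical." },
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["hl7log*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-5m" } } },
                { "terms": { "status": ["Suspended", "Rejected"] } }
              ]
            }
          },
          "aggs": {
            "by_status": {
              "filters": {
                "filters": {
                  "Suspended": { "term": { "status": "Suspended" } },
                  "Rejected": { "term": { "status": "Rejected" } }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "def b = ctx.payload.aggregations.by_status.buckets; return b.Suspended.doc_count > params.suspended || b.Rejected.doc_count > params.rejected;",
      "params": { "suspended": 1, "rejected": 10 }
    }
  },
  "actions": {
    "log_status_counts": {
      "logging": {
        "text": "Suspended={{ctx.payload.aggregations.by_status.buckets.Suspended.doc_count}} Rejected={{ctx.payload.aggregations.by_status.buckets.Rejected.doc_count}} in the last 5 min"
      }
    }
  }
}
```

Because `status` is a keyword field, the `term` filters match the exact, case-sensitive values `Suspended` and `Rejected`.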
