Kibana alerts to notify only if the error persisted in the last 1 hour

I am scanning a time series index of logs and sending an alert every hour if an error occurred; the check is happening every minute. But I would like to send the alerts only if the error was repeated in the last hour, meaning if it occurred one time or within a small time range and then stopped, no alert should be sent. Is there a way to achieve that?

Index mapping:

{
  "test-index": {
    "mappings": {
      "dynamic": "false",
      "properties": {
        "@internal": {
          "properties": {
            "event_lag": {
              "type": "long"
            }
          }
        },
        "@timestamp": {
          "type": "date"
        },
        "app": {
          "properties": {
            "log": {
              "properties": {
                "level": {
                  "type": "keyword"
                },
                "message": {
                  "type": "text"
                }
              }
            }
          }
        }
      }
    }
  }
}

I'm not an expert but this seems to be a use case for Elasticsearch Event Query Language (EQL) and the Security solution alert of "event correlation" type.

The main point here (if I understood correctly) is that you want to find two or more events that happened within a defined amount of time, so this does not fit the regular stack rule types.

I'd suggest reviewing the documentation and overall structure of the Security solution and, if it fits your requirements, start playing with it and feel free to open new posts at the Security subforum.
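As an added example (not code from either poster, and not an Elastic-provided rule), the logic below shows what "the error persisted" means in a form you can run locally before committing to a rule type: it takes events shaped like the mapping above (`@timestamp`, `app.log.level`), keeps only ERRORs inside a one-hour lookback window, and fires only when the first and last ERROR in that window are at least `min_spread` apart. A single error or a short burst that then stops does not fire. The `EQL_SEQUENCE` string is an illustration of the two-ERRORs-within-an-hour condition as an EQL sequence; the minimum-spread part has no direct counterpart in that query and is the hypothetical threshold implemented in Python. The sample events and the 15-minute threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Illustration (an assumption, not from the thread) of the "two ERROR events
# within one hour" condition written as an EQL sequence for a Security
# event-correlation rule. maxspan bounds the total span of the sequence;
# it does not express a minimum gap, which is why error_persisted() below
# adds that check.
EQL_SEQUENCE = """
sequence with maxspan=1h
  [ any where app.log.level == "ERROR" ]
  [ any where app.log.level == "ERROR" ]
"""


def _ts(hhmm):
    """Constructed timestamp helper: 'HH:MM' on a fixed UTC day."""
    hour, minute = hhmm.split(":")
    return datetime(2024, 1, 1, int(hour), int(minute), tzinfo=timezone.utc)


def _event(hhmm, level, message):
    """Build one document shaped like the question's mapping (constructed data)."""
    return {"@timestamp": _ts(hhmm),
            "app": {"log": {"level": level, "message": message}}}


# Constructed scenarios, all evaluated at NOW = 10:00 with a 1h lookback.
NOW = _ts("10:00")

# One short burst at 09:10-09:11, then recovery: should NOT alert.
BURST = [
    _event("09:10", "ERROR", "db timeout"),
    _event("09:11", "ERROR", "db timeout"),
    _event("09:12", "INFO", "recovered"),
]

# Errors spread across the whole hour: should alert.
PERSISTENT = [
    _event("09:05", "ERROR", "db timeout"),
    _event("09:30", "ERROR", "db timeout"),
    _event("09:55", "ERROR", "db timeout"),
]

# Errors that spanned 40 minutes but ended long before the window: should NOT alert.
STALE = [
    _event("07:00", "ERROR", "db timeout"),
    _event("07:40", "ERROR", "db timeout"),
]


def error_timestamps(events, now, window):
    """Sorted @timestamp values of ERROR events inside [now - window, now]."""
    start = now - window
    return sorted(
        e["@timestamp"]
        for e in events
        if e["app"]["log"]["level"] == "ERROR" and start <= e["@timestamp"] <= now
    )


def error_persisted(events, now, window=timedelta(hours=1),
                    min_spread=timedelta(minutes=15)):
    """Return True only if ERRORs in the lookback window are spread over at
    least min_spread, i.e. the error kept recurring rather than happening
    once or inside a single short burst."""
    ts = error_timestamps(events, now, window)
    if len(ts) < 2:
        return False          # zero or one error: nothing "persisted"
    return ts[-1] - ts[0] >= min_spread


if __name__ == "__main__":
    for name, events in (("BURST", BURST), ("PERSISTENT", PERSISTENT), ("STALE", STALE)):
        print(f"{name:10s} alert={error_persisted(events, NOW)}")
```

Tune `min_spread` to what "persisted" means for your service: a value of a minute or two behaves like the plain two-events sequence, while 15 minutes or more ignores short bursts that self-heal.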
