Hi, I'm trying to create alert in kibana for the device_id creating highest number of logs and trigger a mail( we have number of edge device connected and file beat is installed to collect the logs and it will send it to logstash and the to ES ). Can anyone please help me in creating customized script?
If I understand correctly, you want to aggregate your data by an entity identifier (devide_id) and be alerted when on the last X minutes there are a count of aggregated records per entity that goes beyond a threshold. Am I right?
With the new ES|QL language, you can check on aggregated results using the Elasticsearch Query rule type.
On this screenshot, using the Kibana Flights sample data, I want to know if there are more than five countries that have more than 500 records over the last 5 minutes.
Doing this query before with pure Elasticsearch DSL would have been pretty hard for me, but with ES|QL this is super easy.
Does this help?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.