Kibana "count by" in Alert monitor/trigger

Hello. I am trying to figure out how to turn this Splunk alert into a Kibana alert. Essentially, I want to be notified by Kibana when the count of ClientRequestHost is greater than 300 in a 1 min period (or time span) for more than 20 mins straight. How can I accomplish this? How can I have a "count by" in a Kibana Alert/Trigger?

Splunk alert I am trying to mimic in Kibana:
ClientRequestMethod=POST AND (ClientRequestURI=ValidateUsernameAndPassword OR ClientRequestURI=Isotope/API/Isotope) EdgePathingOp=wl
| bin _time span=1m
| stats count by ClientRequestHost,_time
| where count > 300
| stats count by ClientRequestHost
| where count > 20

What I have created so far in the Kibana monitor:
{
  "version": true,
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "EdgeStartTimestamp": {
              "from": "{{period_end}}||-20m",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "boost": 1
            }
          }
        }
      ],
      "should": [
        { "match": { "ClientRequestURI": "Isotope/API/Isotope" } },
        { "match": { "ClientRequestURI": "ValidateUsernameAndPassword" } }
      ],
      "minimum_should_match": 1,
      "filter": [
        { "term": { "EdgePathingOp.keyword": "wl" } },
        { "term": { "ClientRequestMethod.keyword": "POST" } }
      ]
    }
  }
}

This is one of the default alert types using Kibana watcher, which is documented here: https://www.elastic.co/guide/en/kibana/7.10/watcher-ui.html

If you don't see Watcher, you might be using OpenDistro. We don't offer support for OpenDistro in these forums because it's not an Elastic product.
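One way to get the two-stage "count by" from the question into a Watcher search input, as an added example (it is not the poster's code and not taken from the Elastic docs): the first threshold (more than 300 hits per host per minute) runs inside Elasticsearch as a terms / date_histogram / bucket_selector aggregation placed beside the posted query, and the second threshold (more than 20 such minutes per host) is applied to the response the way the watch's condition script would apply it. The `.keyword` suffix on ClientRequestHost and the sample response are assumptions.

```python
import json

MINUTE_THRESHOLD = 300   # Splunk stage 1: where count > 300
MINUTES_REQUIRED = 20    # Splunk stage 2: where count > 20


def count_by_aggs(minute_threshold=MINUTE_THRESHOLD):
    """Aggregations to place beside the posted 'query' (keep "size": 0).
    terms = 'stats count by ClientRequestHost', date_histogram = 'bin span=1m',
    bucket_selector = 'where count > 300' (drops the quieter minute buckets)."""
    return {"by_host": {
        "terms": {"field": "ClientRequestHost.keyword", "size": 500},
        "aggs": {"per_minute": {
            "date_histogram": {"field": "EdgeStartTimestamp",
                               "fixed_interval": "1m"},
            "aggs": {"busy": {"bucket_selector": {
                "buckets_path": {"c": "_count"},
                "script": f"params.c > {minute_threshold}",
            }}},
        }},
    }}


def hosts_over_threshold(response, minutes_required=MINUTES_REQUIRED):
    """Stage 2 ('where count > 20'), as a Watcher condition script would do it:
    count the surviving minute buckets per host, keep hosts above the bar."""
    offenders = {}
    for host in response["aggregations"]["by_host"]["buckets"]:
        busy_minutes = len(host["per_minute"]["buckets"])
        if busy_minutes > minutes_required:
            offenders[host["key"]] = busy_minutes
    return offenders


# Constructed sample of what Elasticsearch returns once the bucket_selector
# has removed every minute bucket with 300 hits or fewer.
SAMPLE_RESPONSE = {"aggregations": {"by_host": {"buckets": [
    {"key": "login.example.test", "doc_count": 9000, "per_minute": {"buckets":
        [{"key_as_string": f"minute-{i}", "doc_count": 400} for i in range(21)]}},
    {"key": "api.example.test", "doc_count": 1500, "per_minute": {"buckets":
        [{"key_as_string": f"minute-{i}", "doc_count": 350} for i in range(5)]}},
]}}}

if __name__ == "__main__":
    print(json.dumps(count_by_aggs(), indent=2))
    print(hosts_over_threshold(SAMPLE_RESPONSE))  # {'login.example.test': 21}
```

Note that "count > 20" needs at least 21 busy one-minute buckets, so the search range has to be wider than the 20 minutes used in the posted monitor.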
