I am currently working on Kibana Alerting and what I wanted to perform is basically "Log threshold".
Please see attached for the details of the alert rule.
I wanted to match the phrase "warnings" on the field "message". However, when I saved it, the alert was not "Active": its status went from Active to OK. When I removed the AND message MATCHES PHRASE "warnings" clause, the alert went to Active status and fired. Does anyone know what is wrong with my rule?
Is it possible you're trying to match a different field, and not message?
Have you tried using "matches" rather than "matches phrase"?
The behavior you're seeing seems to indicate that it is finding docs matching the condition when it's "Active". When it changes to "OK" that means it is no longer active - but was previously (we will be renaming "OK" to "Recovered" in a future release).
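The difference between the two operators suggested above is easy to see on a handful of log lines. The following is an added example, not code from the thread or from Kibana: it is a deliberately simplified model of the Elasticsearch `match` query (which "matches" maps to: any query term, in any position) versus `match_phrase` (which "matches phrase" maps to: all query terms, adjacent and in order). The tokenizer is a toy stand-in for the standard analyzer (lowercase, split on non-alphanumerics, no stemming) and the log lines and the `evaluate_rule` threshold helper are constructed for illustration.

```python
"""Toy model of MATCHES vs MATCHES PHRASE for a log-threshold style rule.

Assumptions (not from the original thread):
  - tokenize() approximates the standard analyzer: lowercase, split on
    non-alphanumerics, no stemming ("warning" and "warnings" stay distinct).
  - matches()        ~ Elasticsearch `match`        (OR of query terms)
  - matches_phrase() ~ Elasticsearch `match_phrase` (terms adjacent, in order)
"""
import re
from typing import Callable, List

# Constructed sample log messages, not real data.
SAMPLE_LOGS: List[str] = [
    "WARNINGS: 3 deprecated settings found",
    "warning: disk usage at 91%",
    "Compiler emitted warnings for module auth",
    "startup complete with no issues",
]


def tokenize(text: str) -> List[str]:
    """Lowercase and split on anything that is not a letter or digit."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]


def matches(message: str, query: str) -> bool:
    """`match` semantics: true if ANY query term occurs anywhere in the message."""
    query_terms = set(tokenize(query))
    return any(term in query_terms for term in tokenize(message))


def matches_phrase(message: str, query: str) -> bool:
    """`match_phrase` semantics: true only if ALL query terms occur
    consecutively and in the same order as in the query."""
    q = tokenize(query)
    m = tokenize(message)
    if not q or len(q) > len(m):
        return False
    return any(m[i:i + len(q)] == q for i in range(len(m) - len(q) + 1))


def count_hits(logs: List[str], query: str, phrase: bool) -> int:
    """Number of documents the condition would select."""
    pred: Callable[[str, str], bool] = matches_phrase if phrase else matches
    return sum(1 for line in logs if pred(line, query))


def evaluate_rule(logs: List[str], query: str, phrase: bool, threshold: int) -> bool:
    """Hypothetical log-threshold check: fire when at least `threshold`
    documents match the condition in the evaluation window."""
    return count_hits(logs, query, phrase) >= threshold


if __name__ == "__main__":
    for q, ph in [("warnings", True), ("warnings", False),
                  ("deprecated settings", True), ("settings deprecated", True),
                  ("settings deprecated", False)]:
        op = "MATCHES PHRASE" if ph else "MATCHES"
        print(f'message {op} "{q}": {count_hits(SAMPLE_LOGS, q, ph)} hit(s)')
```

Two things fall out of running it: the "warning:" line is never selected by either operator because the toy analyzer does not stem, so a phrase of "warnings" silently misses singular spellings and can leave the document count below the threshold; and for multi-word queries "matches phrase" is order-sensitive where "matches" is not, which is why swapping the operator can change whether a rule fires at all.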