Hi, welcome to the forums! Even though we don't offer help with non-Elastic products like ElastAlert in the forums, I think your question can be answered in a simple enough way. I'm moving your post to the Elasticsearch section of the forum because you're asking for help with data modeling and queries.
The thing you're asking for is not possible using Elasticsearch only; you will need to add extra logic somewhere outside of Elasticsearch to do this.
Can you extract the "error type" into a separate field in your documents, which will be the unique key? This is most commonly done at ingestion time, such as using Logstash or an ingest node. Elasticsearch is best with semi-structured data, not fully unstructured data.