Hello,
Is it possible to limit number of alerts on rule match? I created custom query to that matches ~ 100 events per one hour, but I want to have only one alert for this and all the events shoud be connected to this alert. Next hour should be second alert and so on.
How to do that?
Thanks for help.
Hi,
Using the API you can set a max_signals options to limit the amount of signals created per execution.
Using this you can do the following:
{
...
"max_signals": 100,
"from": "now-70m",
"interval": "1h",
...
}
Hi sholzhauer,
thanks for your answer - it raised more questions than answers 
max_signals: 100, yet the number alerts in single execution is 160/175/136 depending on number of matched events. So this setting doesn't work correctly or am I missing something?max_signals: 1 and result was 2 alerts, but in there is > 100 matched events so it just skips the other events - that's not what I want.To be more specific - I want to create rule to detect routing issue on perimeter. My logstash tags all our connections as external, that doesn't contain our public IP's in source.ip or destination.ip. I can find them with query network.direction: external. I would like to detect these issues, but I only want one alert with all matching events mentioned in alert info.
Is that possible to do?
Thank you
I think you are then looking at a threshold rule. This will group all of the events which match under it.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
