Kibana Log Threshold Alert Rule Trigger Problem when using multiple conditions

Hi,

I have created many alert rules in Kibana, however currently I am facing a strange issue. When I create a Log Threshold Rule with a single condition it is working fine and triggering the alert, but if I add multiple conditions to it, the alert is not getting triggered. To validate, I have checked the log count in the Discover section with the same condition and time range/window and it is showing the documents.

KQL : service.name : "aem-shared-a-publisher-service" AND http.response.status_code : 429

service.name field type is keyword

http.response.status_code field type is long

Alert Rule :

Kibana Version : 8.5.3

Hi @manzer Welcome to the community

First always tell us the version.

Open These... and look

So I set mine up with some logs...

And it worked and

stephenb-es-integrationAPP 8:05 PM

532 log entries in the last 5 mins. Alert when > 75.stephen discuss test Log threshold rule is active.532 log entries have matched the following conditions: k8s.container.name equals cart and service.name equals cartView alert details

Hi @stephenb ,

Thank you for the response !

I had mentioned the version : 8.5.3 :slight_smile:

Please find the expanded screenshot below. Conditions are being met, however alerts are not getting triggered.

Also, as mentioned in my 1st post, it is working for me for other alert rules, but not this one. I also tried only one condition at a time just to test; individually both of them are working fine and triggering the alerts, but they are not working together.

Can you run the same query in Discover for the same time interval and share the result?

Use the query below, looking at the last 24 hours:

service.name: "aem-shared-a-publisher-service" and http.response.status_code: 429

Hi @leandrojmp ,

SS Below

@manzer

Sorry, I missed the version. 8.5 is very old and there have been lots of updates and fixes, especially with respect to alerts; you should think about getting to 8.19.x in prep for 9.x.

When you say the alert is not triggered, where are you checking / validating that?

Have you deleted the rule and recreated it?

If it is working for one alert and not the other, it is usually the alert condition itself.

You could test with an Elasticsearch query rule using your KQL.

@stephenb

Agree with your point on considering upgrading the cluster, however I am not sure that I can achieve it now due to other dependencies.

I already have many alert rules configured and those are working fine. Based on our new requirement I was trying to create this new alert rule, and observed this unexpected behavior.

I have already tested the KQL in Discover (pasted the output in the previous post).

yes understood

Version 8.19

In Stack Management > Rules, click Create rule. Select the Elasticsearch query rule type then fill in the name and optional tags. An Elasticsearch query rule can be defined using Elasticsearch Query Domain Specific Language (DSL), Elasticsearch Query Language (ES|QL), Kibana Query Language (KQL), or Lucene.

But the KQL alert is not available in 8.5 :frowning: .... You could try the DSL rule with the same conditions.

My guess is there is some bug / behavior or something.
I noticed that the status code is numeric,
but the query is perhaps treated as a keyword etc... which should be fine but maybe it is not.

The comparators available for conditions depend on the chosen field. The combinations available are:

  • Numeric fields: more than, more than or equals, less than, or less than or equals.
  • Aggregatable fields: is and is not.
  • Non-aggregatable fields: matches, does not match, matches phrase, does not match phrase.

Maybe you should treat it as a number, "more than or equals" 429 or something.

Really, before spending too much time, I would work on upgrading. 8.5 is 3.5 years old.... a lifetime in Elasticsearch world.

In 8.19 you will have many more choices ESQL rules are quite powerful...
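For readers who want to follow the suggestion of rebuilding the same conditions as an Elasticsearch query rule (DSL) or checking the count in Dev Tools, here is an added example, not code from the thread or from Elastic: it translates conditions expressed with the comparators from the quoted docs into a `bool` query, treating `http.response.status_code` as a number (`range`) rather than as a keyword (`term`). The index pattern `logs-*` is an assumption; the field names and values are the ones from the thread.

```python
# Added example (not from the thread): build the Elasticsearch query DSL body that an
# Elasticsearch query rule, or a Dev Tools `GET logs-*/_count` request, would use for
# the two conditions discussed above. Field types follow the thread:
# service.name is keyword, http.response.status_code is long.
from __future__ import annotations

import json
from typing import Any

# Comparators as listed in the Kibana docs quoted in the thread, grouped by field kind.
NUMERIC = {
    "more than": "gt",
    "more than or equals": "gte",
    "less than": "lt",
    "less than or equals": "lte",
}
AGGREGATABLE = {"is", "is not"}
NON_AGGREGATABLE = {"matches", "does not match", "matches phrase", "does not match phrase"}


def condition_to_clause(field: str, comparator: str, value: Any) -> tuple[str, dict]:
    """Translate one rule condition into (bool section, DSL clause).

    Numeric comparators become `range` clauses and refuse non-numeric values, so a
    status code accidentally given as the string "429" is caught here instead of
    silently being compared as a keyword.
    """
    if comparator in NUMERIC:
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise TypeError(f"{field}: numeric comparator needs a number, got {value!r}")
        return "filter", {"range": {field: {NUMERIC[comparator]: value}}}
    if comparator in AGGREGATABLE:
        section = "filter" if comparator == "is" else "must_not"
        return section, {"term": {field: value}}
    if comparator in NON_AGGREGATABLE:
        section = "must_not" if comparator.startswith("does not") else "filter"
        query_type = "match_phrase" if comparator.endswith("phrase") else "match"
        return section, {query_type: {field: value}}
    raise ValueError(f"unknown comparator {comparator!r}")


def build_query(conditions: list[tuple[str, str, Any]]) -> dict:
    """AND all conditions together, as the rule editor does, into a bool query body."""
    sections: dict[str, list[dict]] = {"filter": [], "must_not": []}
    for field, comparator, value in conditions:
        section, clause = condition_to_clause(field, comparator, value)
        sections[section].append(clause)
    return {"query": {"bool": {k: v for k, v in sections.items() if v}}}


def thread_query() -> dict:
    """The two conditions from the thread, with the status code handled as a number.

    Two range clauses (gte 429 and lte 429) pin the value to exactly 429; a single
    'more than or equals 429' would also match 5xx responses.
    """
    return build_query([
        ("service.name", "is", "aem-shared-a-publisher-service"),
        ("http.response.status_code", "more than or equals", 429),
        ("http.response.status_code", "less than or equals", 429),
    ])


if __name__ == "__main__":
    # Paste this body after `GET logs-*/_count` in Dev Tools (index pattern assumed)
    # to compare the count with what Discover shows for the same time range.
    print(json.dumps(thread_query(), indent=2))
```

Running the script prints the request body; the count returned by `_count` for the same time window should match the document count seen in Discover before the same clauses are used in an Elasticsearch query rule.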

@stephenb
Thanks a lot for the details and your quick responses, much appreciated :saluting_face: ,

I will give a try to your suggestions !