Kibana, unique or distinct count alerting


Using Kibana Discovery and then Alerting, is it possible to create an alert based on the count of a unique field value during a particular time period? For instance, in Splunk I can alarm a query such as this:

index=ct-inf host="cms-prod-app" sourcetype="ix-ixiasoft-ccms" "Unable to authenticate user" | stats count by username | where count >= 4

So if a particular username gets 4 authentication failures in a particular time period Splunk will send an alert.

Is this possible in Kibana?

I also set this up in a Data Table visualization and then tried to cut/paste the JSON request into a Kibana Monitor, but it did not get any hits as expected.


Hi @earlsanchez. It sounds like you might be looking for Log Threshold Alerts. You can count log entries by grouping over a field such as username and setting conditions for failed authentication and time windows.
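The grouping described above (count failures per username inside a time window, alert at a threshold), shown as an added example that is not part of the original thread or any Elastic code. It builds the equivalent Elasticsearch search body and evaluates the same rule locally over constructed events; the field names `message`, `username.keyword` and `@timestamp`, and the 15-minute window, are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed field names; adjust to the mapping of the index being searched.
MESSAGE_FIELD = "message"
USER_FIELD = "username.keyword"
TIME_FIELD = "@timestamp"
PHRASE = "Unable to authenticate user"  # phrase from the Splunk query in the question


def build_query(window_minutes=15, threshold=4):
    """Search body: failures per username in the window, keeping only
    usernames with at least `threshold` matching documents."""
    return {
        "size": 0,  # no hits returned; results are in the aggregation buckets
        "query": {"bool": {"filter": [
            {"match_phrase": {MESSAGE_FIELD: PHRASE}},
            {"range": {TIME_FIELD: {"gte": f"now-{window_minutes}m"}}},
        ]}},
        "aggs": {"by_user": {"terms": {
            "field": USER_FIELD,
            "size": 1000,
            "min_doc_count": threshold,  # plays the role of `where count >= 4`
        }}},
    }


def users_over_threshold(events, now, window_minutes=15, threshold=4):
    """Same rule evaluated locally over (timestamp, username, message) tuples."""
    start = now - timedelta(minutes=window_minutes)
    counts = Counter(
        user for ts, user, msg in events
        if start <= ts <= now and PHRASE in msg
    )
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample events (not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = (
    [(NOW - timedelta(minutes=m), "alice", f"{PHRASE} alice") for m in (1, 2, 3, 4)]
    + [(NOW - timedelta(minutes=m), "bob", f"{PHRASE} bob") for m in (1, 5, 40, 50)]
    + [(NOW - timedelta(minutes=2), "carol", "Login succeeded for carol")]
)

if __name__ == "__main__":
    print(users_over_threshold(SAMPLE, NOW))
```

Because the body sets `"size": 0`, the matching usernames appear under `aggregations.by_user.buckets` in the response, not in the hits, so an alert condition built on this query has to test whether that bucket list is non-empty.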

@nickpeihl, thank you for your input. Unfortunately, we are using the open source ELK stack, which does not appear to have that functionality?

Hi @earlsanchez. Correct, Alerting is not available in the open source product.

@earlsanchez There has been some confusion lately... You can use the Basic / Default distribution under the Elastic License 2.0 (which is free to use); that distribution does have the basic alerting feature that you are looking for. It is the default distribution you get when you download from our download site, e.g. here

This default distribution is governed by the Elastic License, and includes the full set of free features.

Oh, and BTW, that looks like a security use case where you might be able to use the Security App and Detections, which are also free to use.

You might want to look at what is available for free here

Thank you @stephenb, yes we are already using the Alerting module.
