Using Kibana Discovery and then Alerting, is it possible to create an alert based on the count of a unique field value during a particular time period? For instance, in Splunk I can alarm a query such as this:
index=ct-inf host="cms-prod-app" sourcetype="ix-ixiasoft-ccms" "Unable to authenticate user" | stats count by username | where count >= 4
So if a particular username gets 4 authentication failures in a particular time period, Splunk will send an alert.
Is this possible in Kibana?
I also set this up in a Data Table visualization and then tried to cut/paste the JSON request into a Kibana Monitor, but it did not get any hits as expected.
Hi @earlsanchez. It sounds like you might be looking for Log Threshold Alerts. You can count log entries by grouping over a field such as username and setting conditions for failed authentication and time windows.
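The grouped-threshold logic described in the reply above, as an added example that is not part of the original thread or of Elastic's own code. It expresses the Splunk search from the question (count failures by username, keep users at or above 4 in the window) in two forms: an Elasticsearch request body that uses a terms aggregation plus a bucket_selector pipeline aggregation (the part a plain Data Table aggregation lacks, which is why a copied request returns every user rather than only those over the threshold), and the same rule evaluated locally over constructed sample events so the expected result can be checked before it is turned into a Kibana rule. The index pattern, the field names `@timestamp`, `username` and `message`, and the sample events are assumptions.

```python
"""Grouped threshold detection for failed authentications.

Added example, not from the original thread. Mirrors the Splunk search
    "Unable to authenticate user" | stats count by username | where count >= 4
as (1) an Elasticsearch aggregation request and (2) a local evaluation over
constructed sample events. Field names and sample data are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

THRESHOLD = 4                       # failures per user that trigger an alert
WINDOW = timedelta(minutes=5)       # lookback window the rule evaluates over
MESSAGE_MATCH = "Unable to authenticate user"

BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_END = BASE + WINDOW          # "now" for the local evaluation below


def _iso(ts: datetime) -> str:
    """Render a UTC timestamp the way Elasticsearch stores @timestamp."""
    return ts.isoformat().replace("+00:00", "Z")


def _ev(minutes: int, username: str, failed: bool = True) -> dict:
    """Build one constructed log event (assumed field names, not real data)."""
    msg = f"{MESSAGE_MATCH} {username}" if failed else f"Authenticated user {username}"
    return {"@timestamp": _iso(BASE + timedelta(minutes=minutes)),
            "host": "cms-prod-app", "username": username, "message": msg}


# Constructed sample events: alice has 4 failures inside the window (alerts),
# bob has 3 (below threshold), carol has 4 but one falls before the window,
# and alice's later success must not be counted at all.
SAMPLE_EVENTS = [
    _ev(0, "alice"), _ev(1, "alice"), _ev(2, "alice"), _ev(3, "alice"),
    _ev(4, "alice", failed=False),
    _ev(0, "bob"), _ev(2, "bob"), _ev(4, "bob"),
    _ev(-10, "carol"), _ev(1, "carol"), _ev(2, "carol"), _ev(3, "carol"),
]


def build_es_query(threshold: int, window: timedelta, window_end: datetime) -> dict:
    """Request body equivalent to `stats count by username | where count >= N`.

    The terms aggregation does the `stats count by`; the bucket_selector
    pipeline aggregation does the `where`, dropping buckets under the threshold.
    (Setting min_doc_count on the terms aggregation is a simpler alternative.)
    """
    start = window_end - window
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"match_phrase": {"message": MESSAGE_MATCH}},
            {"range": {"@timestamp": {"gte": _iso(start), "lte": _iso(window_end)}}},
        ]}},
        "aggs": {"by_user": {
            "terms": {"field": "username", "size": 500},
            "aggs": {"over_threshold": {"bucket_selector": {
                "buckets_path": {"n": "_count"},
                "script": f"params.n >= {threshold}",
            }}},
        }},
    }


def evaluate_locally(events, window_end: datetime,
                     threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {username: count} for users at or above the threshold in the window."""
    start = window_end - window
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if not (start <= ts <= window_end):
            continue                        # outside the lookback window
        if MESSAGE_MATCH not in ev["message"]:
            continue                        # not a failed authentication
        counts[ev["username"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(json.dumps(build_es_query(THRESHOLD, WINDOW, WINDOW_END), indent=2))
    print(evaluate_locally(SAMPLE_EVENTS, WINDOW_END))   # {'alice': 4}
```

The local evaluator uses a fixed lookback ending at `WINDOW_END`, which is how a scheduled rule sees the data: a user whose fourth failure lies just before the window start does not fire until the next evaluation whose window covers all four.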
@earlsanchez There has been some confusion lately ... You can use the Basic / Default distribution under the Elastic License 2.0 (which is free to use); that distribution does have the basic alerting feature that you are looking for. It is the default distribution you get when you download from our download site, e.g. here
This default distribution is governed by the Elastic License, and includes the full set of free features.
Oh and BTW that looks like a security use case where you might be able to use the Security App and Detections which are also free to use.
You might want to look at what is available for free here