On our cluster we are indexing logs from machine pairs, i.e. machine01 and machine02 are a pair, so I have created an Elasticsearch query alert: when my query, which returns the number of logs containing hostname machine01 and machine02, is below 1, it should fire an email alert.
I've successfully implemented it under rules and connectors, but while doing this I discovered a bug and wanted to share. When you choose Elasticsearch query as your alert type under "STACK RULES", you are given the option to choose the index and size. For this option I have set the size to 0, since I do not need the response _source details; I only care about how many hits I have.
After this I can save the rule, and it is saved successfully. But when I try to edit this rule, it says "Expression contains errors.", which is weird because Kibana saves the rule and does not throw any errors when I first save it. After some trying out, I have discovered you cannot set size to 0 when creating Elasticsearch query alerts. This might be a minor bug, or a feature, but why can't we create rules with 0 size responses?
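For readers who want to reproduce the count-only pattern described in the post outside the Kibana rule editor, here is an added example (not code from the post or from Kibana) that builds the `size: 0` request body and evaluates the "below 1 hit per host" condition over a constructed `_search` response. The field names `hostname` and `@timestamp`, the five-minute window and the sample response are assumptions made for the example; it goes slightly beyond the post by using a `terms` aggregation so that each host of the pair is checked individually rather than only the combined total.

```python
"""Count-only Elasticsearch query for a host pair plus a local threshold check.

Added example, not from the forum post. Assumptions: the log documents carry a
keyword field `hostname` and a date field `@timestamp`; the response shape is
that of a standard `_search` call.
"""
from typing import Dict, List


def build_count_query(hosts: List[str], window: str = "now-5m") -> Dict:
    """Return a _search body that yields counts only (no _source documents).

    size=0 suppresses hits.hits entirely; track_total_hits=True keeps the
    total exact instead of stopping at 10000. The aggregation gives one
    doc_count bucket per host so a silent member of the pair is visible.
    """
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {
            "bool": {
                "filter": [
                    {"terms": {"hostname": hosts}},
                    {"range": {"@timestamp": {"gte": window, "lte": "now"}}},
                ]
            }
        },
        "aggs": {
            "per_host": {"terms": {"field": "hostname", "size": len(hosts)}}
        },
    }


def total_hits(response: Dict) -> int:
    """Read hits.total, which is an object on ES 7+ and a bare int on ES 6."""
    total = response["hits"]["total"]
    return total["value"] if isinstance(total, dict) else total


def hosts_below_threshold(response: Dict, hosts: List[str], threshold: int = 1) -> List[str]:
    """Return the hosts whose doc_count in the window is below `threshold`.

    Hosts missing from the buckets produced no logs at all, so they count as 0
    and are reported too; that is the case a 'below 1' alert exists to catch.
    """
    counts = {host: 0 for host in hosts}
    buckets = response.get("aggregations", {}).get("per_host", {}).get("buckets", [])
    for bucket in buckets:
        if bucket["key"] in counts:
            counts[bucket["key"]] = bucket["doc_count"]
    return sorted(host for host, count in counts.items() if count < threshold)


# Constructed sample response: machine01 logged 42 lines, machine02 nothing.
SAMPLE_RESPONSE = {
    "took": 3,
    "timed_out": False,
    "hits": {"total": {"value": 42, "relation": "eq"}, "max_score": None, "hits": []},
    "aggregations": {
        "per_host": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [{"key": "machine01", "doc_count": 42}],
        }
    },
}

PAIR = ["machine01", "machine02"]

if __name__ == "__main__":
    import json

    print(json.dumps(build_count_query(PAIR), indent=2))
    print("total hits:", total_hits(SAMPLE_RESPONSE))
    print("hosts below threshold:", hosts_below_threshold(SAMPLE_RESPONSE, PAIR))
```

Note that the combined total (42) would not fire a "below 1" alert on its own, while the per-host view shows machine02 has gone quiet; that is why the aggregation is worth adding when the rule is meant to cover a pair.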