We are running the ES|QL query below in Kibana to make a table listing the alerts triggered by an external monitoring tool.
FROM winlogbeat-* | WHERE event.code == "3003" | STATS Alert_Time = VALUES(@timestamp), Severity = VALUES(Severity), Name = VALUES(AlertName), ActiveID = VALUES(AlertActiveID), Status = VALUES(AlertStatus), Device_Name = VALUES(Device_Name) BY @timestamp
When a new alert is generated, we get an event whose "Status" field has the value "ACTIVE".
When the alert resolves, we get an event whose "Status" field has the value "CLOSED".
But now we want to create a table that shows only the alerts which are still ACTIVE and not resolved. The only key we can use to correlate the alert status is the "AlertActiveID" field, which is a unique number assigned to a new alert when it is generated; the same number is assigned to the new event when that alert resolves.
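One way to express this correlation in ES|QL, as an added example that is not part of the original post: group the events by AlertActiveID, flag each group that contains at least one CLOSED event, and keep only the groups that were never closed. The field names (AlertActiveID, AlertStatus, AlertName, Severity, Device_Name) and the event.code filter are taken from the query above; the use of CASE inside MAX to compute the closed flag is this example's own approach.

```esql
FROM winlogbeat-*
| WHERE event.code == "3003"
// One row per alert ID. closed is 1 if any event for that ID carried AlertStatus == "CLOSED", else 0.
| STATS closed      = MAX(CASE(AlertStatus == "CLOSED", 1, 0)),
        last_seen   = MAX(@timestamp),
        Severity    = VALUES(Severity),
        Name        = VALUES(AlertName),
        Device_Name = VALUES(Device_Name)
  BY AlertActiveID
// Keep only alerts that never produced a CLOSED event
| WHERE closed == 0
| KEEP AlertActiveID, last_seen, Severity, Name, Device_Name
| SORT last_seen DESC
```

The result depends on the time range selected in Kibana: both the ACTIVE and the CLOSED event for an alert must fall inside the range, otherwise an alert that was closed before the range started, or whose ACTIVE event lies before it, is reported incorrectly. Widening the range (or running the query against a lookback at least as long as the longest alert lifetime) avoids that.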