Log threshold alert

Ronin · August 17, 2020, 9:09pm

We are attempting to make a Log Threshold alert, however it is sending alerts when it shouldn't be. The query we are trying to alert on is labels.application: "theapp" and message: "*limit request headers fields size*". Inside the log threshold alert we have:

WHEN more than or equals 1 log entry
WITH labels.application IS theapp
AND message MATCHES PHRASE limit request headers fields size
FOR THE LAST 10 minutes

Is there any documentation for the different types of alerts you can make? On https://www.elastic.co/guide/en/kibana/current/alert-types.html it only details the index threshold.

Kerry · August 20, 2020, 12:27pm

Hi @Ronin,

Sorry to hear you're having problems with log alerts.

The documentation for log alerts exist here, however they are limited at the moment. We are due to expand these soon.

The MATCHES PHRASE comparator uses a match phrase query for querying data.

It looks like you want to use a wildcard query instead, unfortunately this isn't supported yet, but we do have a ticket for it. I can't guarantee when it will be placed on the roadmap, but it's becoming a highly requested feature.

Topic		Replies	Views
Alerting based on the keyword in logs Logs elastic-stack-alerting	4	8367	February 3, 2021
"logs threshold rule" missing "comparator": "MATCHES" Kibana elastic-stack-alerting	1	158	October 23, 2023
Alerting on log data Logs elastic-stack-alerting	4	3948	August 31, 2020
Kibana Alerts - Log threshold keyword Kibana	3	635	September 28, 2020
Exact match on log message field Kibana elastic-stack-alerting	6	3104	February 22, 2022

Log threshold alert

Related topics