Log threshold rules does not allow filtering with boolean fields

qatium-developers · October 21, 2022, 8:37am

Hello,

we are trying to generate a Log Threshold rule that requires checking a boolean field to detect if the alert must be raised or not, but UI interface does not allow to use this kind of fields.

We have checked the documentation and it does not mention anything related to this.

Here is a screen capture of the rule form:

And here is the field in the index:

As a workaround we are planning to remap that field to a text/keyword field type, but we want to know if there is another workaround or if it is a bug or a planned feature.

Thanks in advance.

stephenb · October 22, 2022, 5:35am

Perhaps try an Elasticsearch Query Rule

qatium-developers · October 25, 2022, 10:58am

Thanks, we will try and post here an update.

qatium-developers · October 26, 2022, 10:10am

@stephenb Thanks, we are able to use boolean field types using Elasticseach query based rules, although generating it is far more complex than using Log Threshold rules.

Do you know if there is a plan to include those field types in Log Threshold rules?

Topic		Replies	Views
Kibana alert on boolean field possible? Kibana elastic-stack-alerting	3	734	December 1, 2020
Which Rule Type is Better to Monitor the data streams and raise an alert Elastic Observability	4	257	September 12, 2023
Alerting on index aggregation with filter Kibana elastic-stack-alerting	2	1114	September 6, 2022
"logs threshold rule" adding comparator: "MATCHES" Elastic Observability	0	185	September 27, 2023
Create an alert based on contradicting logs Kibana	5	300	December 4, 2020

Log threshold rules does not allow filtering with boolean fields

Related Topics