Observability Alerting

I've made a couple hundred Observability rules to detect when 0 logs are received from specific hosts (monitors that logs are being forwarded to Elastic). However, my rules run every 60 seconds (to minimise time to detection of a host not forwarding logs). The issue I'm having is that if you see an alert, you make a case and attach the alert to track/investigate/resolve the issue. But when your rule runs again 60 seconds later it generates another new identical alert. This means it's impossible to have a clean view of your alerts page that shows only issues that are yet to be documented in a case. At a glance, you don't know what is being dealt with already and what isn't... it seems really silly.

Any advice is greatly appreciated.

Thanks

Hi @MuchoRiceGobler, welcome to the community.

A couple of questions:

What version are you on?

Exactly what type of rule are you creating?

Can you share an example rule?

Are you aware of Action On status change, which only notifies once when the alert is triggered?

You also mentioned 100s of alerts. I am going to assume that is per host or data type... are you aware you may be able to use group by to reduce the number of alerts but cover your cases?

There is also another fundamental way to monitor last data check-in, by using a latest transform... But let's understand your alerts first...

So share some more details and we might be able to help.
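The latest transform the reply mentions, as an added example that is not part of either post: it keeps one document per host holding that host's most recent log event, so a single rule over the destination index can flag every host whose last event is older than the tolerated gap, instead of one rule per host firing every minute. The source pattern `logs-*`, the transform id and the destination index name `host-last-checkin` are assumptions.

```json
{
  "description": "Added example: one document per host.name holding its most recent log event; index names are assumptions",
  "source": {
    "index": ["logs-*"]
  },
  "latest": {
    "unique_key": ["host.name"],
    "sort": "@timestamp"
  },
  "dest": {
    "index": "host-last-checkin"
  },
  "frequency": "1m",
  "sync": {
    "time": {
      "field": "@timestamp",
      "delay": "60s"
    }
  }
}
```

Create it with `PUT _transform/host-last-checkin`, start it with `POST _transform/host-last-checkin/_start`, then point one rule at `host-last-checkin` that matches documents whose `@timestamp` is older than your threshold, grouped by `host.name`. A host that stops forwarding keeps its last document in the destination index, so it stays visible to that check instead of disappearing the way it does from a query over the raw logs.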