One alert for all unique event.action from all events in last 30mins

jancodenew · August 3, 2021, 12:59pm

Hi,
Version: ELK 7.13
Need to generate a single alert for all events with unique event.action feild values in last 30minute.

Can someone please let me know which rule type I can use here? Also please share if you have any sample.

I have tried following without success.

Threshold rule Detection - But here I have to give a threshold number and unique value number, in my actual requirement there is no such number limit.
Custom Rule: There is no option to aggregate/group by one field and send alert based on this.

Thanks in advance.

rw-access · August 23, 2021, 3:49pm

What if you do this?

system · September 20, 2021, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.