One alert for all unique event.action from all events in last 30mins

jancodenew · August 3, 2021, 12:59pm

Hi,
Version: ELK 7.13
Need to generate a single alert for all events with unique event.action feild values in last 30minute.

Can someone please let me know which rule type I can use here? Also please share if you have any sample.

I have tried following without success.

Threshold rule Detection - But here I have to give a threshold number and unique value number, in my actual requirement there is no such number limit.
Custom Rule: There is no option to aggregate/group by one field and send alert based on this.

Thanks in advance.

rw-access · August 23, 2021, 3:49pm

What if you do this?

system · September 20, 2021, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with alerting Elastic Security elastic-stack-alerting	3	318	November 4, 2022
Threshold rule : how to? Elastic Security	3	2206	February 28, 2022
Detection rules that only alert on the 1st detection of an event Elastic Security detection-rules	2	622	January 4, 2022
How do I create an alert to for a specific behavior of a unique field value Elasticsearch elastic-stack-alerting	2	718	July 3, 2018
Log Alerts - Latest Events Kibana elastic-stack-alerting	0	7	October 21, 2024