Rule with index connector - issue with {{alert.id}}

justme123 · February 1, 2023, 4:31pm

Hello all,

I hope that I write in a good place.

I'm newbie with ELK and I need help with rule.

So I have a rule with index connector, when I add

"alert.id": "{{alert.id}}"

in index in discover logs show me only :

alert.id : "*"

I do not know how can I fix that.

Thanks in advance for any help.

simianhacker · February 1, 2023, 5:38pm

Which rule is this?

justme123 · February 1, 2023, 6:09pm

This is alert rule created by me. With index connector.

simianhacker · February 1, 2023, 8:46pm

Right, but which rule type? Metric Threshold, Inventory Threshold, Log Threshold, Elasticsearch Query...

justme123 · February 1, 2023, 9:09pm

This is Log threshold

simianhacker · February 1, 2023, 10:38pm

Thanks... for the Log Threshold Rule when you set a "group by" field, like host.name, then the alert.id would equal the value of the host.name, like db.foo.com. For Log Threshold rules without a "group by" field, we set the alert.id to * (an asterisk), which represents "everything".

Topic		Replies	Views
Alerting on index aggregation with filter Kibana elastic-stack-alerting	2	1120	September 6, 2022
Using document properties in alert index rule Kibana elastic-stack-alerting	4	1618	February 27, 2022
Rules and Connectors: Include Original Event Elastic Security	1	331	June 16, 2022
Problem with threshold alert and index connector Kibana elastic-stack-alerting	6	201	May 4, 2024
Issue with rules creation SIEM detection-rules	15	1717	May 5, 2022

Rule with index connector - issue with {{alert.id}}

Related topics