Maybe stupid newbie question here.
I want to create a rule that triggers an alert when "count(distinct(source.ip))" is above a certain threshold.
Hard time figuring out how the 'Group by" and "Count" fields must be associated for that.
Hello,
I believe what you are looking for is the below:
This will trigger when there are 10 (or more) unique source.ip values if there are more then 200 events in total for my query.
- Create a query which will match the relevant events.
- Determine how manay events there should be in total before triggering.
- Determine your cardinality (unique) field and how many different values there should be.
You can for example set threshold to 1 and unique values to 10 to make sure it will trigger.
I'm under the impression that the query preview result are not reliable, which can be misleading.
Using that example, I expect to have one alert showing up 6 days ago with the settings where the graph seems to indicate hundreds of detections.
I just did a test with threshold=200 and Unique Values=6700 : this is roughly the value that doesn't trigger anything in the last hour.
Kibana UI folks should think about the effectiveness of this "quick query preview" feature : it would be much easier to have a count of would-be alerts on a specific time frame. I.e. I known this rule should have triggered 6 days ago : let's see how this rule would have behaved on that timeframe.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.