Unable to create Threshold rule

Hi Team,

I am trying to write a threshold rule but failing to find the exact results. Can someone please help? I have nginx logs pouring in and wanted to set up the threshold alert so that if source.ip >= 750 from a single IP it should send me the notification. I put that in a rule but am still unable to match the exact result. Here is the snip.

I am not able to capture the value. Can you please help me with this?

Blason R

Hi @Blason ,

What stack version are you on?

One problem that stands out in the snip is that both "Group by" and "Count" are looking at source.ip. Since "Count" is counting up the different source.ip values in each bucket after the buckets are created by grouping together documents with the same source.ip values, the result of "Count" will almost always be 1. We added validation in recent versions to disallow using the same field for both "Group by" and "Count".

An example use case for "Count" would be something like "Group by" host.name and "Count" by user.name >= 5, if you were interested in looking for hosts where 5 or more users have accessed that host.

However, since the minimum "Count" is set to 1 in the screenshot, this should still work. I would suggest also checking to ensure that the rule interval and additional lookback are set long enough that at least 700 documents with a single source.ip value are in a single rule interval. For example, with a rule interval of 5 minutes and additional lookback of 1 minute, you would need to have 700 documents with a particular source.ip value in the last 6 minutes for the rule to trigger an alert.
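To make the bucketing described in this answer concrete, here is an added Python simulation (not Elastic's code and not part of the original thread) of how a threshold rule evaluates: documents whose timestamp falls inside the rule interval plus additional lookback are grouped by the "Group by" field, and the optional "Count" field is a cardinality taken over each bucket. It shows both points made above: counting on the same field you group by always yields 1, and a source with 750 requests spread over 25 minutes never alerts with a 5 + 1 minute window. The log records, IP addresses, timestamps and function names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def bucket_by(docs, now, interval_min, lookback_min, group_by):
    """Keep only docs inside [now - (interval + lookback), now] and
    group them by the 'Group by' field, like the rule's terms aggregation."""
    start = now - timedelta(minutes=interval_min + lookback_min)
    buckets = defaultdict(list)
    for doc in docs:
        if start <= doc["@timestamp"] <= now:
            buckets[doc[group_by]].append(doc)
    return buckets


def evaluate_threshold(docs, now, interval_min, lookback_min, group_by,
                       threshold, count_field=None, count_min=1):
    """Return one alert per bucket whose document count reaches `threshold`
    and (if a 'Count' field is set) whose distinct `count_field` values
    reach `count_min`. Mirrors the threshold-rule semantics described in
    the answer; this is a simulation, not the Kibana implementation."""
    alerts = []
    for key, bucket in bucket_by(docs, now, interval_min, lookback_min,
                                 group_by).items():
        doc_count = len(bucket)
        cardinality = (len({d[count_field] for d in bucket})
                       if count_field else None)
        if doc_count >= threshold and (count_field is None
                                       or cardinality >= count_min):
            alerts.append({group_by: key, "doc_count": doc_count,
                           "cardinality": cardinality})
    return alerts


def make_sample_docs(now):
    """Constructed nginx-style access records (documentation IP ranges)."""
    docs = []
    # 800 requests from one client, all within the last 3 minutes: a burst.
    for i in range(800):
        docs.append({"@timestamp": now - timedelta(seconds=i % 180),
                     "source.ip": "203.0.113.10",
                     "user.name": f"user{i % 3}"})
    # 750 requests from another client, one every 2 s over 25 minutes:
    # high volume, but never 750 inside a 6-minute window.
    for i in range(750):
        docs.append({"@timestamp": now - timedelta(seconds=i * 2),
                     "source.ip": "198.51.100.7",
                     "user.name": "user9"})
    return docs


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    docs = make_sample_docs(now)
    # Group by source.ip AND count source.ip: cardinality is always 1.
    print(evaluate_threshold(docs, now, 5, 1, "source.ip", 750,
                             count_field="source.ip"))
    # Widen interval + lookback to 30 minutes: the slow client alerts too.
    print(evaluate_threshold(docs, now, 25, 5, "source.ip", 750))
```

With the 5-minute interval and 1-minute lookback, only the bursting client produces an alert; the second client contributes just 181 documents to that window even though it sent 750 in total, which is the sizing issue the answer points at. Setting the "Count" field to the same field as "Group by" reports a cardinality of 1 for every bucket, which is why the minimum of 1 still lets the rule fire and why newer versions reject that configuration.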
