There are two fields in each log entry (elasticsearch document), which are userid and ipaddress. I want to fire an alert if the same user logs into the system using 2 or more ipaddresses in the past 10 minutes. So the query should be something like "select count(distinct ipaddress) from index group by userid".
But it seems that watcher doesn't support "distinct count", does anyone have any suggestion on how to resolve this? Thanks.
The important part to understand with regard to watcher is the fact that most issues are not watcher issues, but the question of whether you are able to write a query that contains the required information.
In this case it is about getting a distinct count. The good news is that you have exactly this feature available in the aggregations, by using the cardinality agg.
Using this you should be able to write such a watch.
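A watch along the lines the answer describes, added here as an illustration rather than taken from the thread: a terms aggregation on userid with a cardinality sub-aggregation on ipaddress (both field names from the question), restricted to the last 10 minutes, a script condition that fires when any user bucket has 2 or more distinct addresses, and a transform so the action only reports those users. The index pattern `logins-*`, the `@timestamp` field and the terms `size` of 1000 are assumptions to adapt to your data.

```json
{
  "trigger": { "schedule": { "interval": "10m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logins-*"],
        "body": {
          "size": 0,
          "query": {
            "range": { "@timestamp": { "gte": "now-10m" } }
          },
          "aggs": {
            "by_user": {
              "terms": { "field": "userid", "size": 1000 },
              "aggs": {
                "distinct_ips": { "cardinality": { "field": "ipaddress" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "for (b in ctx.payload.aggregations.by_user.buckets) { if (b.distinct_ips.value >= 2) { return true; } } return false;"
    }
  },
  "transform": {
    "script": {
      "source": "def offenders = new ArrayList(); for (b in ctx.payload.aggregations.by_user.buckets) { if (b.distinct_ips.value >= 2) { offenders.add(b.key + ' (' + b.distinct_ips.value + ' ips)'); } } return ['offenders': offenders];"
    }
  },
  "actions": {
    "log_multi_ip_logins": {
      "logging": {
        "text": "Users seen from 2+ IP addresses in the last 10 minutes: {{#ctx.payload.offenders}}{{.}} {{/ctx.payload.offenders}}"
      }
    }
  }
}
```

The cardinality aggregation is approximate (HyperLogLog++), but with the default precision threshold counts this small are effectively exact; a terms `size` smaller than the number of active users would silently drop buckets, so size it for your login volume.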