Hi,
I don't quite understand the extra condition you want to add. Your current input query looks for the value "ERROR" in the field "STATE" from the last 15 minutes.
If you want to look for different data in the same watch, you can use chain inputs.
There is a thread in this forum with a full example: A watch alert example based on two different searches using CHAIN input and Painless script condition
For example, you can set:
- One search input named "errors" with your current query
- Another one named "all_messages" with a similar query minus the "ERROR" filter, to get all messages in the last 15 minutes.
Customize them with your desired searches.
Then, you may use a script condition to be able to evaluate two conditions.
Something like:

```json
"condition": {
  "script": {
    "source": "return ctx.payload.errors.hits.total >= 15 && ctx.payload.all_messages.hits.total >= 50",
    "lang": "painless"
  }
}
```
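A complete watch that puts the two chained search inputs and the script condition above together, added here as an illustration and not taken from the original reply or the linked thread; the index pattern `logs-*`, the `@timestamp` field, the 15-minute schedule and the logging action are assumptions, so swap in your own indices and searches.

```json
{
  "trigger": { "schedule": { "interval": "15m" } },
  "input": {
    "chain": {
      "inputs": [
        { "errors": { "search": { "request": {
          "indices": ["logs-*"],
          "body": {
            "size": 0,
            "query": { "bool": { "filter": [
              { "term": { "STATE": "ERROR" } },
              { "range": { "@timestamp": { "gte": "now-15m" } } }
            ] } }
          }
        } } } },
        { "all_messages": { "search": { "request": {
          "indices": ["logs-*"],
          "body": {
            "size": 0,
            "query": { "range": { "@timestamp": { "gte": "now-15m" } } }
          }
        } } } }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.errors.hits.total >= 15 && ctx.payload.all_messages.hits.total >= 50",
      "lang": "painless"
    }
  },
  "actions": {
    "log_it": {
      "logging": {
        "text": "{{ctx.payload.errors.hits.total}} of {{ctx.payload.all_messages.hits.total}} messages in the last 15 minutes were errors"
      }
    }
  }
}
```

Each chained input's hits land under `ctx.payload.<input name>`, which is why the condition reads `ctx.payload.errors` and `ctx.payload.all_messages` rather than `ctx.payload.hits`; `"size": 0` keeps the payload small, since only the totals are used.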