How to write the alarm rules I need？ #1142

netkey · 2023-03-23T03:42:22Z

netkey
Mar 23, 2023

hello,I need to implement an alert, but found that none of the existing rule types seem to meet my needs. My needs are as follows:

Index: client-log-*
Query filter: index.keyword:"client-android" AND client.b_data.eventId.keyword:"9900013"
Alarm triggering condition: When the value of the total number of records satisfying the above query rules/the unique count of app.useriden.keyword is greater than 100, the alarm will be triggered. The formula is: count()/unique_count(app.useriden.keyword)>100

How should I write this rule?

Answered by jertel

Mar 24, 2023

ElastAlert 2 can handle percentage matches, where a secondary filter count is divided by a primary filter count, and alerts when that ratio exceeds a set threshold. But I don't believe there is a way to have it perform a count of unique items. That would look more like a hybrid of the cardinality and percentage match rule types, which does not currently exist. If you'd like to submit a PR to the project with such a rule type, I'm open to it.

View full answer

jertel · 2023-03-24T22:52:37Z

jertel
Mar 24, 2023
Maintainer

ElastAlert 2 can handle percentage matches, where a secondary filter count is divided by a primary filter count, and alerts when that ratio exceeds a set threshold. But I don't believe there is a way to have it perform a count of unique items. That would look more like a hybrid of the cardinality and percentage match rule types, which does not currently exist. If you'd like to submit a PR to the project with such a rule type, I'm open to it.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to write the alarm rules I need？ #1142

{{title}}

Replies: 1 comment

{{title}}

Select a reply

How to write the alarm rules I need？ #1142

netkey Mar 23, 2023

Replies: 1 comment

jertel Mar 24, 2023 Maintainer

netkey
Mar 23, 2023

jertel
Mar 24, 2023
Maintainer