Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Send alert only for first match in certain timeframe #3165

Open pranjalii opened 3 years ago

pranjalii commented 3 years ago

I have a case where, if the application I'm monitoring encounters an error, the error log appears every 3 seconds. I want to create an ElastAlert rule that sends an alert only for the first match, because all the others are exact copies EXCEPT for the timestamp in the message. The rule I currently have (below) sends a list of all these error messages.

Current Rule:

name: Application Alert

type: frequency
index: filebeat-*
run_every:
  minutes: 10
num_events: 1
timeframe:
  minutes: 10

# Silence repeat alerts from this rule (per query_key value) for 30 minutes.
realert:
  minutes: 30

# Collect every match seen in the window into a single alert.
aggregation:
  minutes: 10

# Matches are grouped by the raw message field.
query_key: ["message"]

filter:
- query_string:
    query: '"some string here" AND "another string here"'

alert:
- "slack"

slack_msg_color: danger
slack_webhook_url: SlackWebHookURL

alert_text_args: ["message", "fields", "@timestamp"]
alert_text: "Details = {1} \n UTC Time = {2} \n Log = {0}"
alert_text_type: alert_text_only

Desired behavior:

The Slack alert for the above rule should contain only one error log line, even though there are 100s of matches in the 10 minute timeframe, because the only thing unique about them is the timestamp.

How do I go about it? Thank you!
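Added example, not code from the issue or from ElastAlert: the collapsing behaviour the poster describes, written as plain Python over constructed match dicts shaped like the `message` / `@timestamp` fields the rule uses. It assumes the timestamp embedded in `message` has an ISO-like `YYYY-MM-DD HH:MM:SS` shape (a regex assumption) and mimics `realert` by suppressing repeats of the same normalized message for 30 minutes.

```python
"""Keep only the first of repeated matches that differ solely by timestamp."""
import re
from datetime import datetime, timedelta

# Assumption: the timestamp inside the log line looks like 2021-06-01 10:00:03
# (optionally with 'T', fractional seconds or a trailing 'Z').
_TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?")


def normalize_message(message: str) -> str:
    """Replace the per-line timestamp so identical errors share one key."""
    return _TS_RE.sub("<ts>", message).strip()


def first_matches(matches, realert=timedelta(minutes=30)):
    """Return the first match per normalized message, dropping repeats that
    arrive within `realert` of the last kept one (mirrors ElastAlert's realert,
    but keyed on the timestamp-free message instead of the raw one)."""
    last_alerted = {}
    kept = []
    for m in sorted(matches, key=lambda m: m["@timestamp"]):
        key = normalize_message(m["message"])
        ts = datetime.fromisoformat(m["@timestamp"].replace("Z", "+00:00"))
        prev = last_alerted.get(key)
        if prev is not None and ts - prev < realert:
            continue  # same error, still inside the silence period
        last_alerted[key] = ts
        kept.append(m)
    return kept


# Constructed sample: one error repeating every 3 seconds, a different error
# in between, and the first error again after the 30 minute silence expires.
SAMPLE_MATCHES = [
    {"@timestamp": "2021-06-01T10:00:00Z",
     "message": "2021-06-01 10:00:00 ERROR some string here: another string here"},
    {"@timestamp": "2021-06-01T10:00:03Z",
     "message": "2021-06-01 10:00:03 ERROR some string here: another string here"},
    {"@timestamp": "2021-06-01T10:00:04Z",
     "message": "2021-06-01 10:00:04 ERROR some string here: disk quota exceeded"},
    {"@timestamp": "2021-06-01T10:00:06Z",
     "message": "2021-06-01 10:00:06 ERROR some string here: another string here"},
    {"@timestamp": "2021-06-01T10:31:00Z",
     "message": "2021-06-01 10:31:00 ERROR some string here: another string here"},
]

if __name__ == "__main__":
    for m in first_matches(SAMPLE_MATCHES):
        print(m["@timestamp"], m["message"])
```

Run as a script it prints three lines: the first copy of each distinct error plus the re-occurrence after the silence period. The same normalization can be applied inside ElastAlert as a match enhancement that writes the stripped message into a separate field used as the `query_key`, so that `realert` keys on the error rather than on the timestamp.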