I need to implement an alert, but found that none of the existing rule types seem to meet my needs. My needs are as follows:
Index: client-log-*
Query filter: index.keyword:"client-android" AND client.b_data.eventId.keyword:"9900013"
Alarm triggering condition: when the total number of records satisfying the above query, divided by the unique count of app.useriden.keyword, is greater than 100, the alarm is triggered. The formula is: count()/unique_count(app.useriden.keyword)>100
How should I write this rule?
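One way to evaluate the ratio rule described in the post outside the built-in rule types, as an added example that is not part of the original post: the query body uses the post's index, filter and fields, while the `@timestamp` field, the 5-minute window, the `precision_threshold` value and the sample response are assumptions I made up for illustration.

```python
# Added example (not from the original post): builds the Elasticsearch _search body
# for the filter in the post plus a cardinality aggregation, then evaluates
# count()/unique_count(app.useriden.keyword) > 100 from the response.
# Assumptions: the index has an @timestamp field and the rule runs over a window.
import json

INDEX = "client-log-*"
THRESHOLD = 100.0


def build_query(window: str = "now-5m") -> dict:
    """Search body: the post's query filter and a cardinality (unique count) agg."""
    return {
        "size": 0,                 # only counts are needed, no documents
        "track_total_hits": True,  # exact hit count instead of the 10,000 cap
        "query": {"bool": {"filter": [
            {"term": {"index.keyword": "client-android"}},
            {"term": {"client.b_data.eventId.keyword": "9900013"}},
            {"range": {"@timestamp": {"gte": window}}},  # assumed field/window
        ]}},
        "aggs": {"unique_users": {"cardinality": {
            "field": "app.useriden.keyword",
            # cardinality is approximate (HyperLogLog++); counts below
            # precision_threshold are near-exact, which keeps the ratio honest
            "precision_threshold": 3000,
        }}},
    }


def evaluate(response: dict, threshold: float = THRESHOLD):
    """Return (ratio, should_alert) from a _search response."""
    total = response["hits"]["total"]["value"]
    unique = response["aggregations"]["unique_users"]["value"]
    if unique == 0:  # no matching records: nothing to alert on, avoid div by zero
        return 0.0, False
    ratio = total / unique
    return ratio, ratio > threshold


# constructed sample response: 2,540 matching records from 12 distinct users
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 2540, "relation": "eq"}},
    "aggregations": {"unique_users": {"value": 12}},
}

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print(evaluate(SAMPLE_RESPONSE))  # ratio about 211.67, alert True
```

The same check can be scheduled with any runner that can call `_search`; on a very large matching set the exact `track_total_hits` count is the costly part, not the cardinality agg.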