kiwiz
commented
8 years ago You can create an expression filter via the Advanced tab. Something like content['count'] > 1 && content['count'] < 10 will work.
Closed hjdr4 closed 8 years ago
kiwiz
commented
8 years ago You can create an expression filter via the Advanced tab. Something like content['count'] > 1 && content['count'] < 10 will work.
kiwiz
commented
8 years ago That said, I'd like to fix this as the current behaviour with aggs and a result filter is not intuitive.
Is it possible possible to alert on cardinality having some range. ex: *| agg:terms field:event_data.TargetUserName| agg:card field:event_data.IpAddress
This returns the unique count of ip adresses per user. I want to trigger an alarm when the count is in range [x TO y].