Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): v 2.3.0
Describe the issue:
I need help with this.
I'm trying to build a monitor and alarm system in order to get emails when certain data comes into our logs.
Everything works fine, except for the following issue:
I have a field that gives a certain error. That field is called "Response_code", and the results are numbers that may vary: 403, 409, 510, etc.
I need to create an alert when 5 or more "Response_code" results are the same, but only for results from 400 to 510, with the exception of 404 (I don't care about it). For now, the furthest I've got is creating a monitor with this query, which apparently works:
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "{{period_end}}||-1h",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "format": "epoch_millis",
              "boost": 1
            }
          }
        },
        {
          "bool": {
            "should": [
              {
                "range": {
                  "returnCode": {
                    "from": 400,
                    "to": 403,
                    "include_lower": true,
                    "include_upper": true,
                    "boost": 1
                  }
                }
              },
              {
                "range": {
                  "returnCode": {
                    "from": 405,
                    "to": 510,
                    "include_lower": true,
                    "include_upper": true,
                    "boost": 1
                  }
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {
    "metric": {
      "value_count": {
        "field": "returnCode"
      }
    }
  }
}
BUT, I don't need the alarm when I get 5 or more errors like that in total; I only want it when I get 5 or more of ONE single result. I mean, if I get 2 errors with the result 400 and 4 with the result 500, I don't want an alarm. I only want it if there are 8 results of 500, or 6 times the 501 result.
I guess I can somehow write a query when creating the "trigger", but I don't know how. Any help?
I hope you understand me guys, because I’m really desperate.
Configuration:
Relevant Logs or Screenshots:
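The per-code threshold the question asks for is a bucket problem, not a count problem: bucket the filtered hits by return code with a terms aggregation and let the trigger fire only when a single bucket reaches 5. The Python below is an added example, not code from the post or from OpenSearch; it assumes the field is named returnCode (as in the posted query) and mapped as a number or keyword so it can be aggregated, a 1h window ending at {{period_end}} as in the original query, and a threshold of 5. It builds the monitor body, states the Painless trigger condition that goes with it, and exercises the same logic offline on constructed log events so both scenarios from the question can be checked without a cluster.

```python
import json
from collections import Counter

THRESHOLD = 5                    # alert when ONE return code appears this many times in the window
WINDOW = "{{period_end}}||-1h"   # same 1h window the question's query uses (assumption)


def monitor_query(threshold=THRESHOLD):
    """Query-level monitor body: filter to codes 400..510 except 404, then bucket by code.
    min_doc_count drops buckets below the threshold on the server, so the trigger only
    has to check whether any bucket survived. Field name returnCode is an assumption."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "filter": [
                    {"range": {"@timestamp": {"gte": WINDOW, "lte": "{{period_end}}",
                                              "format": "epoch_millis"}}},
                    {"range": {"returnCode": {"gte": 400, "lte": 510}}},
                ],
                "must_not": [{"term": {"returnCode": 404}}],
            }
        },
        "aggregations": {
            "by_code": {
                "terms": {"field": "returnCode", "size": 50, "min_doc_count": threshold}
            }
        },
    }


# Painless trigger condition for the monitor above (ctx.results[0] is the search response).
# Because min_doc_count already removed the small buckets, "any bucket left" means "alert".
TRIGGER_CONDITION = "return ctx.results[0].aggregations.by_code.buckets.size() > 0;"


def aggregate_by_code(events, lo=400, hi=510, excluded=(404,)):
    """Offline stand-in for the filter + terms aggregation, so the trigger logic can be
    exercised on in-memory events. Buckets are ordered by doc_count desc, like OpenSearch."""
    counts = Counter(e["returnCode"] for e in events
                     if lo <= e["returnCode"] <= hi and e["returnCode"] not in excluded)
    buckets = [{"key": code, "doc_count": n}
               for code, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    return {"by_code": {"buckets": buckets}}


def offending_codes(aggregations, threshold=THRESHOLD):
    """Codes whose OWN count reaches the threshold (what the trigger should fire on).
    This mirrors min_doc_count; the total across all codes is deliberately irrelevant."""
    return [b["key"] for b in aggregations["by_code"]["buckets"] if b["doc_count"] >= threshold]


def should_alert(events, threshold=THRESHOLD):
    """True only when at least one single return code hit the threshold."""
    return bool(offending_codes(aggregate_by_code(events), threshold))


def make_events(spec):
    """Constructed sample log events: spec maps returnCode -> number of occurrences."""
    return [{"returnCode": code} for code, n in spec.items() for _ in range(n)]


# Constructed samples matching the two scenarios described in the question.
SAMPLE_NO_ALERT = make_events({400: 2, 500: 4})                 # 6 errors total, no single code >= 5
SAMPLE_ALERT = make_events({500: 8, 501: 6, 404: 10, 403: 3})   # 404s ignored; 500 and 501 fire

if __name__ == "__main__":
    print(json.dumps(monitor_query(), indent=2))
    print("trigger condition:", TRIGGER_CONDITION)
    print("no-alert sample fires:", should_alert(SAMPLE_NO_ALERT))
    print("alert sample fires:", should_alert(SAMPLE_ALERT),
          "codes:", offending_codes(aggregate_by_code(SAMPLE_ALERT)))
```

The two ranges in the posted query sit side by side in a filter clause, which means both must match the same document, so nothing passes; the single 400..510 range plus a must_not on 404 above expresses the intended set directly. If the field is mapped as text rather than numeric or keyword, the terms aggregation will fail and the range filter will not behave as expected, so check the mapping first.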