Anomaly alerting
- Below is a condition to check a field called mos, which is a random integer in [1,8]
- Leaving the condition like this, the watcher uses the 68-95-99.7 rule to check for anomalies
- Sentinl issue 487
- The expectation when creating blacklists is that the anomaly is checked against a general statistical rule and not against something else
- Rule:
{
  "script": {
    "script": "payload.hits.total > 0"
  },
  "anomaly": {
    "field_to_check": "mos"
  }
}
- Unfortunately there is no specific way to pass useful information to the body of the email or similar
- It’s up to the individual user to create reasonable alert bodies
ANOMALY ALERT on index: mos-* !
- Another way to do this is by specifying normal values
- Let's say this index contains logs of HTTP status codes
- Alerts when there have been more than 10000 non-200 responses in the query result
{
  "script": {
    "script": "payload.hits.total > 10000"
  },
  "anomaly": {
    "field_to_check": "http_status",
    "normal_values": [
      200
    ]
  }
}
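Both conditions above (the statistical mos check and the normal_values http_status check) can be modelled with a few lines of Python. The block below is an added example, not Sentinl's own code, and it makes three assumptions that Sentinl may implement differently: the script part is restricted to the pattern `payload.hits.total <op> <number>` rather than evaluated as arbitrary code; without `normal_values` the 68-95-99.7 rule is applied as "flag any value more than three standard deviations from the mean"; and the watcher fires only when the script holds and at least one anomaly is found. The payloads, the `make_payload` helper and the sample values are constructed for the example.

```python
# Added example (not Sentinl's own code): a small model of a condition with a
# "script" part and an "anomaly" part evaluated over a search payload.
import operator
import re
import statistics

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "==": operator.eq}
# Assumption: only this fixed pattern is accepted, so no script is ever eval'd.
_SCRIPT_RE = re.compile(r"^\s*payload\.hits\.total\s*(>=|<=|==|>|<)\s*(\d+)\s*$")


def script_holds(payload, script):
    """Evaluate the restricted 'payload.hits.total <op> N' expression."""
    m = _SCRIPT_RE.match(script)
    if not m:
        raise ValueError(f"unsupported script expression: {script!r}")
    op, threshold = _OPS[m.group(1)], int(m.group(2))
    return op(payload["hits"]["total"], threshold)


def find_anomalies(payload, anomaly):
    """Return the values of field_to_check that count as anomalous."""
    field = anomaly["field_to_check"]
    values = [hit["_source"][field] for hit in payload["hits"]["hits"]
              if field in hit["_source"]]
    if "normal_values" in anomaly:
        # Explicit list of normal values: anything else is an anomaly.
        normal = set(anomaly["normal_values"])
        return [v for v in values if v not in normal]
    if len(values) < 2:
        return []  # too little data for any statistics
    mean = statistics.fmean(values)
    sigma = statistics.pstdev(values)
    if sigma == 0:
        return []  # every value identical: nothing to flag
    # 68-95-99.7 rule; assumption: the three-sigma band is the boundary.
    return [v for v in values if abs(v - mean) > 3 * sigma]


def evaluate_condition(payload, condition):
    """Assumption: fire only when the script holds AND anomalies exist."""
    anomalies = find_anomalies(payload, condition["anomaly"])
    fired = script_holds(payload, condition["script"]["script"]) and bool(anomalies)
    return {"fired": fired, "anomalies": anomalies}


def make_payload(field, values):
    """Build a constructed Elasticsearch-style search response for the example."""
    return {"hits": {"total": len(values),
                     "hits": [{"_source": {field: v}} for v in values]}}


# Constructed sample data: mos mostly 4-6 with a single low value of 1.
MOS_VALUES = [4, 5, 6, 5, 5, 4, 6, 5, 5, 4, 6, 5, 5, 5, 4, 6, 5, 5, 5, 5, 1]
MOS_CONDITION = {"script": {"script": "payload.hits.total > 0"},
                 "anomaly": {"field_to_check": "mos"}}

# Constructed sample data: six responses, two of them not 200.
HTTP_STATUS_VALUES = [200, 200, 404, 200, 500, 200]
HTTP_CONDITION = {"script": {"script": "payload.hits.total > 10000"},
                  "anomaly": {"field_to_check": "http_status",
                              "normal_values": [200]}}

if __name__ == "__main__":
    print(evaluate_condition(make_payload("mos", MOS_VALUES), MOS_CONDITION))
    print(evaluate_condition(make_payload("http_status", HTTP_STATUS_VALUES),
                             HTTP_CONDITION))
```

With the sample data the mos condition fires and reports the value 1 as the only anomaly; the http_status condition finds 404 and 500 as anomalies but does not fire, because only six hits were returned and the script requires more than 10000. Lowering that threshold (for example to `payload.hits.total > 0`) makes it fire, which is the distinction between the two parts of the condition that the page's own examples rely on.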