I am learning to use ElastAlert. I would like to run a multi-cardinality rule with ElastAlert or use a better solution.
For example,
filter:
- query:
    query_string:
      query: "message: *A*"
filter:
- query:
    query_string:
      query: "message: *B*"
filter:
- query:
    query_string:
      query: "message: *C*"
I have a few conditions I need to monitor; if any of them drops below 1 message per minute I need to receive an alert. Is it possible to run that in one rule, or do I have to run it in multiple processes?
You can configure your rule_x.yaml file like
filter:
- query:
    query_string:
      query: "message: A OR message: B OR message: C"
and follow the other configuration options in the documentation https://elastalert.readthedocs.io/en/latest/
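As an added example that is not part of the original question or answer, the per-minute check the question describes is written out below in Python over a constructed log sample instead of as an ElastAlert rule. Each condition is counted separately per minute and reported when its count falls below the threshold, and a combined count across all conditions (what a single "A OR B OR C" filter sees) is computed alongside it so the two behaviours can be compared on the same data. The log lines, the condition substrings and all function names are assumptions made for this example; only `query_string` wildcard matching from the question is being imitated, here as a plain substring test.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): one record per line,
# "ISO-timestamp<TAB>message". Condition "B" produces nothing during 10:02.
SAMPLE_LOG = """\
2024-01-01T10:00:05Z\tjob A started
2024-01-01T10:00:10Z\theartbeat B ok
2024-01-01T10:00:20Z\tsync C done
2024-01-01T10:01:07Z\tjob A started
2024-01-01T10:01:15Z\theartbeat B ok
2024-01-01T10:01:40Z\tsync C done
2024-01-01T10:02:03Z\tjob A started
2024-01-01T10:02:44Z\tsync C done
2024-01-01T10:03:01Z\tjob A started
2024-01-01T10:03:09Z\theartbeat B ok
2024-01-01T10:03:50Z\tsync C done
"""

# Assumed condition names mapped to the substring each one looks for
# (stands in for the "message: *A*" style wildcard queries in the question).
CONDITIONS = {"A": "A", "B": "B", "C": "C"}


def parse_log(text):
    """Parse the tab-separated sample into (datetime, message) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, msg = line.partition("\t")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), msg))
    return records


def minute_bucket(ts):
    """Truncate a timestamp to the start of its minute."""
    return ts.replace(second=0, microsecond=0)


def minute_range(records):
    """Every minute from the first record to the last, inclusive."""
    start = minute_bucket(min(ts for ts, _ in records))
    end = minute_bucket(max(ts for ts, _ in records))
    minute = start
    while minute <= end:
        yield minute
        minute += timedelta(minutes=1)


def count_per_minute(records, conditions):
    """Return {condition: {minute: count}} of messages matching each substring."""
    counts = {name: defaultdict(int) for name in conditions}
    for ts, msg in records:
        for name, needle in conditions.items():
            if needle in msg:
                counts[name][minute_bucket(ts)] += 1
    return counts


def flatline_alerts(records, conditions, threshold=1):
    """Per-condition check: list (HH:MM, condition) pairs whose count in that
    minute is below the threshold. One silent condition is enough to alert."""
    if not records:
        return []
    counts = count_per_minute(records, conditions)
    return [
        (minute.strftime("%H:%M"), name)
        for minute in minute_range(records)
        for name in conditions
        if counts[name].get(minute, 0) < threshold
    ]


def combined_alerts(records, conditions, threshold=1):
    """Single-filter equivalent: count a message once per minute if it matches
    any condition, and alert only when that pooled count is below threshold."""
    if not records:
        return []
    pooled = defaultdict(int)
    for ts, msg in records:
        if any(needle in msg for needle in conditions.values()):
            pooled[minute_bucket(ts)] += 1
    return [
        minute.strftime("%H:%M")
        for minute in minute_range(records)
        if pooled.get(minute, 0) < threshold
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-condition:", flatline_alerts(recs, CONDITIONS))
    print("combined:     ", combined_alerts(recs, CONDITIONS))
```

On the sample above the per-condition check reports minute 10:02 for condition B, while the pooled count never drops below 1 because A and C keep logging. In ElastAlert terms the per-condition behaviour is what one `type: flatline` rule per condition gives (`threshold: 1`, `timeframe: minutes: 1`, with that condition's own `filter`), and the pooled count is what a single rule carrying the OR filter would evaluate.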