
ElastAlert combining query and range into an OR clause


I have a Kibana query to find all transactions which either have the result "HTTP 5xx" or a response code greater than or equal to 400:

service.name : "my-service" AND transaction.name : "my-transaction" AND (transaction.result: "HTTP 5xx" OR http.response.status_code >= 400)

I need to use this same query in an ElastAlert rule (.yaml file). I can put the status code in a range, which will act as an AND clause with the query, but how could I use transaction.result below:

filter:
- query:
    query_string:
      query: 'service.name : "my-service" AND transaction.name : "my-transaction"'
- range:
    http.response.status_code:
      gt: 399

Can anyone help how to include this?


Solution

  • You can use "and" and "or" in your filter definitions:

    filter:
      - and:
          - query:
              query_string:
                query: >-
                  service.name : "my-service" AND transaction.name :
                  "my-transaction"
          - or:
              - term:
                  transaction.result: HTTP 5xx
              - range:
                  http.response.status_code:
                    gt: 399
    

    Or you can also get rid of the query_string query and spell it out into individual queries:

    filter:
      - and:
          - term:
              service.name: my-service
          - term:
              transaction.name: my-transaction
          - or:
              - term:
                  transaction.result: HTTP 5xx
              - range:
                  http.response.status_code:
                    gt: 399