Logit.io

A Change alert matches when a certain monitored field value <code>compare_key</code> changes, the field must change for the last event with the same <code>query_key</code> field value.

This would allow you to receive alerts in scenarios such as if there is a match on two events for the same username field <code>query_key</code> and the country_name field <code>compare_key</code> is different in the same day <code>timeframe</code>.

Additionally, you can choose to <code>ignore_null</code> values, this will mean that events without a <code>compare_key</code> will not count as changed. Here is an example below:

name: "Change alert example" type: change index: "*-*" compare_key: country_name ignore_null: true query_key: username timeframe: days: 1 filter: - query: query_string: query: "type: login" alert: - "email" email: - "example@logit.io"

In addition, you can also provide a <code>timeframe</code> value to define the maximum time between changes, after which time period the previous value of compare_key will be forgotten.

Read Logit.io's <a href="https://help.logit.io/en/articles/3624510-an-introduction-to-alerting">introduction to alerting</a>

Learn <a href="https://help.logit.io/en/articles/3622196-how-do-i-create-a-new-elastalert-rule">how to create an ElastAlert rule</a>

Learn <a href="https://help.logit.io/en/articles/3633552-how-can-i-check-my-elastalert-rule-is-configured-correctly">how to ensure my ElastAlert rule is configured correctly</a>

Learn more about ElastAlert rules: if you'd like to learn more about ElastAlert rules from the people that built it, check out their <a href="https://elastalert.readthedocs.io/en/latest/ruletypes.html" rel="nofollow noopener noreferrer" target="_blank">cheat sheet</a>.

- Read Logit.io's <a href="https://help.logit.io/en/articles/3624510-an-introduction-to-alerting">introduction to alerting</a>
- Learn <a href="https://help.logit.io/en/articles/3622196-how-do-i-create-a-new-elastalert-rule">how to create an ElastAlert rule</a>
- Learn <a href="https://help.logit.io/en/articles/3633552-how-can-i-check-my-elastalert-rule-is-configured-correctly">how to ensure my ElastAlert rule is configured correctly</a>
- Learn more about ElastAlert rules: if you'd like to learn more about ElastAlert rules from the people that built it, check out their <a href="https://elastalert.readthedocs.io/en/latest/ruletypes.html" rel="nofollow noopener noreferrer" target="_blank">cheat sheet</a>.

Find out more about how to create a change alert for your OpenSearch logs or metrics in this article from Logit.io.

Additional Options

What's next?