(Si Ya Ni) #1


Is there a way I can set the alert condition to match a string exactly, for example, “Unknown Protected Resource”? The documentation said it will trigger the alert as long as it matches one of the words.

(Jochen) #2

The value of the field content alert condition is basically a quoted Lucene/Elasticsearch query.
So if you create a field content alert condition for the field “foobar” with the value “Lorem ipsum dolor sit amet”, it will generate the following Elasticsearch query:

foobar:"Lorem ipsum dolor sit amet"

Depending on the configuration for the field “foobar” (e.g. analyzed or not analyzed), this will yield different results.
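An added illustration of the analyzed vs. not-analyzed difference described above, written for this thread (it is not Graylog or Elasticsearch code) and using the asker's string “Unknown Protected Resource”. The analyzer is a simplified model of the Elasticsearch standard analyzer and the sample field values are constructed; both are assumptions.

```python
import re

# Constructed sample values for a hypothetical field "foobar"
# (the field name from the answer above); not real Graylog data.
SAMPLE_VALUES = [
    "Unknown Protected Resource",
    "unknown protected resource",
    "Unknown Protected Resource /api/v1",
    "Protected Resource Unknown",
    "Unknown Resource",
]


def analyze(text):
    """Rough approximation of Elasticsearch's standard analyzer
    (assumption): split on non-alphanumeric characters and lowercase.
    The real analyzer handles Unicode and punctuation more carefully."""
    return [t.lower() for t in re.findall(r"[0-9A-Za-z]+", text)]


def phrase_matches(field_value, phrase):
    """Phrase query foobar:"..." against an ANALYZED field: the query's
    tokens must appear consecutively somewhere in the value's token stream,
    so case differs and surrounding words are ignored."""
    tokens, needle = analyze(field_value), analyze(phrase)
    if not needle:
        return False
    return any(tokens[i:i + len(needle)] == needle
               for i in range(len(tokens) - len(needle) + 1))


def keyword_matches(field_value, phrase):
    """Same query against a NOT-ANALYZED (keyword) field: the whole stored
    value must equal the quoted string, case and punctuation included."""
    return field_value == phrase


def evaluate(phrase, values=SAMPLE_VALUES):
    """Return {value: (analyzed_hit, keyword_hit)} for each sample value."""
    return {v: (phrase_matches(v, phrase), keyword_matches(v, phrase))
            for v in values}


if __name__ == "__main__":
    for value, (analyzed, keyword) in evaluate("Unknown Protected Resource").items():
        print(f"{value!r:40} analyzed={analyzed} keyword={keyword}")
```

Only the keyword column gives the exact-string behaviour the question asks for; on an analyzed field the phrase query also fires on values that merely contain the words in order.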

(Si Ya Ni) #3

(system) closed #4

