im new to Grafana and i have some trouble with an allerting condition.
We are logging Syslogs from Cisco Switches to Elasticsearch for security and problem solving purpose.
What i wanted to do is getting a notification when 3 logins failed within 2 minutes. so i created the following alert rule.
From my understanding the alert should only fire if 3 or more logins failed within 2 minutes, but the allert is fired for every failed login even there was no failed login within the last few hours.
The rule itself works. but its way to sensitive cause it triggers for every single failed login attemp.
Thats why im trying to changeit so an alarm is only triggered when at lease 3 or more failed login attemps occure in 2 minutes so not every typo of a colleague will fire an alarm
However, we could not figure out the problem by looking into them. Although, there is one more thing we can check, the preview of the alert.
Alerting > Edit Rule > Click Preview to check the result of running the query at this moment
With this I am hoping to understand how your data looks like, and the threshold after which the alert will fire.
I wonder if the problem isn’t actually in the query (A) and/or in the expression (B), but I am not familiar with Elastic so, I can’t be of help in that area.
i think i solved the Problem. it seems the Problem was the condition B
The old Condition was WHEN COUNT() OF A IS ABOVE x
Since i changed that to WHEN SUM OF A IS ABOVE x it seems to work now.
Seems like the Alert is only fired when more than 5 failed logins are recorded
I will test this a little bit further.
Since the Timeline is now -5m to now there is now result aka “No data” for the query when no failed login was logged within the last 5 minutes. So “No data” literally is the OK state.
community forum 
