I have been working on an ElastAlert frequency rule. I want to show the count of 3 types of hits in a single rule in my Slack alert body. Is there any way to segregate the counts for each hit, or to create a scripted field that shows the counts for each part of the query below separately?
filter:
- query:
    query_string:
      query: "(status: 404 AND url: api1) OR (status: 404 AND url: api2) OR (status: 404 AND url: api3)"
query_key:
- url
- status
Currently num_events is calculated separately for each url value, but num_matches/num_hits is shown collectively.
I want num_hits to be reported separately:
status: 404 AND url: api1 Count 1
status: 404 AND url: api2 Count 2
status: 404 AND url: api3 Count 3
The values for Count 1, Count 2 and Count 3 are required separately so that we can print them in alert_text.
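An added example, not part of the original question and not ElastAlert's own code: the per-query_key counting that the question asks for, written as a plain Python function over a batch of matches. The sample matches are constructed here to mirror the three url values in the question; the helper names `count_by_key` and `build_alert_text` are my own, and the assumption is that a batch of matches (for example the `matches` list handed to a custom ElastAlert Alerter's `alert(self, matches)` method when aggregation is enabled) is available as a list of flat dicts.

```python
from collections import Counter

# Constructed sample matches, shaped like the flat documents ElastAlert
# passes to an alerter. Made-up values, not data from the original question.
SAMPLE_MATCHES = [
    {"status": 404, "url": "api1", "@timestamp": "2024-01-01T00:00:01Z"},
    {"status": 404, "url": "api2", "@timestamp": "2024-01-01T00:00:02Z"},
    {"status": 404, "url": "api2", "@timestamp": "2024-01-01T00:00:03Z"},
    {"status": 404, "url": "api3", "@timestamp": "2024-01-01T00:00:04Z"},
    {"status": 404, "url": "api3", "@timestamp": "2024-01-01T00:00:05Z"},
    {"status": 404, "url": "api3", "@timestamp": "2024-01-01T00:00:06Z"},
]


def count_by_key(matches, key_fields=("status", "url")):
    """Count matches per distinct combination of key_fields.

    Returns a Counter keyed by a tuple of the field values, in key_fields
    order. A match that lacks one of the fields is counted with None in
    that position rather than being silently dropped, so the total of the
    counts always equals len(matches).
    """
    counts = Counter()
    for match in matches:
        counts[tuple(match.get(field) for field in key_fields)] += 1
    return counts


def build_alert_text(matches, key_fields=("status", "url")):
    """Render one line per key combination in the shape the question asks for:

        status: 404 AND url: api1 Count 1

    Lines are sorted by the stringified key so the output is deterministic
    even when a field value is None or of mixed type.
    """
    counts = count_by_key(matches, key_fields)
    lines = []
    for key, n in sorted(counts.items(), key=lambda kv: tuple(str(v) for v in kv[0])):
        condition = " AND ".join(f"{field}: {value}" for field, value in zip(key_fields, key))
        lines.append(f"{condition} Count {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_alert_text(SAMPLE_MATCHES))
```

The resulting string can be placed into the alert body directly; the grouping is driven by the same fields listed under query_key, so the counts line up with the per-key num_events that ElastAlert already tracks.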