ElastAlert top_count_keys and top_count_number

Here is an example of top_count_keys and top_count_number

The definitions below are taken from the official ElastAlert documentation.

top_count_keys: A list of fields. ElastAlert will perform a terms query for the top X most common values for each of the fields, where X is 5 by default, or top_count_number if it exists. For example, if num_events is 100, and top_count_keys is - "username", the alert will say how many of the 100 events have each username, for the top 5 usernames. When this is computed, the time range used is from timeframe before the most recent event to 10 minutes past the most recent event. Because ElastAlert uses an aggregation query to compute this, it will attempt to use the field name plus “.raw” to count unanalyzed terms. To turn this off, set raw_count_keys to false.

top_count_number: The number of terms to list if top_count_keys is set. (Optional, integer, default 5)

Here the message value will be null in the output alert because message is not a keyword field (to avoid that, map it as a keyword in the Elasticsearch mapping): the top counts are computed with an aggregation, which cannot run on an analyzed text field. The resulting output body is shown below.

At least 1 events occurred between 2021-02-10 10:07 UTC and 2021-02-10 10:17 UTC


No events found.



RuleTopCount.yaml: |-
  # Key names that were lost in extraction have been restored from the
  # ElastAlert rule schema; the two marked "assumed" are best guesses.
  name: RuleTopCount
  type: frequency
  limit_execution: "0/10 * * * *"
  index: demo-*
  num_events: 1
  attach_related: true
  top_count_keys:
    - message
    - Host_Id
  top_count_number: 4
  timeframe:
    minutes: 10
  query_key:            # assumed: key name missing from the page
    - Host_Id
  include:
    - message
    - Host_Id
  realert:              # assumed: key name missing from the page
    minutes: 10
  filter:
    - query:
        query: "Host_Group.keyword:hello"
  alert:
    - "email"
  email:
    - "doe@doe.com"
  from_addr: "doettt@doe.com"
  alert_subject: "WARINING - ERROR detected host group RE_QA at {0}"
  alert_subject_args:
    - "@timestamp"
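The following Python example is added here to illustrate the mechanics behind the rule above; it is not ElastAlert's own code. It builds the kind of terms aggregation that top_count_keys / top_count_number produce (with the ".raw" suffix controlled by raw_count_keys, as the documentation describes), and then runs an offline stand-in for that aggregation over a handful of constructed events to show why an analyzed field such as message contributes no counts while a keyword field such as Host_Id does. The function names, the agg names and the sample events are all assumptions made for this example.

```python
"""Added example (not ElastAlert's own code): turn top_count_keys /
top_count_number into a terms aggregation and simulate its result."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events; Host_Id is a keyword field, message is analyzed text.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-02-10T10:15:00Z", "Host_Id": "host-a", "message": "disk full on /var"},
    {"@timestamp": "2021-02-10T10:15:30Z", "Host_Id": "host-a", "message": "disk full on /var"},
    {"@timestamp": "2021-02-10T10:16:00Z", "Host_Id": "host-a", "message": "service restarted"},
    {"@timestamp": "2021-02-10T10:16:20Z", "Host_Id": "host-b", "message": "disk full on /var"},
    {"@timestamp": "2021-02-10T10:16:40Z", "Host_Id": "host-b", "message": "auth failure"},
    {"@timestamp": "2021-02-10T10:17:00Z", "Host_Id": "host-c", "message": "auth failure"},
]


def build_top_count_aggs(top_count_keys, top_count_number=5, raw_count_keys=True,
                         timeframe=timedelta(minutes=10), most_recent=None):
    """Build a query body in the style the documentation describes: one terms
    aggregation per key, sized top_count_number, over the window from
    `timeframe` before the most recent event to 10 minutes after it.  With
    raw_count_keys the field gets a ".raw" suffix so the unanalyzed copy is
    counted (assumed agg naming: "counts_<key>")."""
    most_recent = most_recent or datetime.now(timezone.utc)
    aggs = {}
    for key in top_count_keys:
        field = key + ".raw" if raw_count_keys else key
        aggs["counts_" + key] = {"terms": {"field": field, "size": top_count_number}}
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {
            "gte": (most_recent - timeframe).isoformat(),
            "lte": (most_recent + timedelta(minutes=10)).isoformat(),
        }}},
        "aggs": aggs,
    }


def top_counts(events, top_count_keys, top_count_number=5, keyword_fields=()):
    """Offline stand-in for the aggregation response.  Elasticsearch refuses a
    terms aggregation on an analyzed text field, so a key that is not mapped as
    keyword (not listed in keyword_fields) yields an empty bucket list, which is
    the empty/null section the alert body shows for `message`."""
    result = {}
    for key in top_count_keys:
        if key not in keyword_fields:
            result[key] = {}          # aggregation fails -> no buckets
            continue
        counter = Counter(e[key] for e in events if key in e)
        result[key] = dict(counter.most_common(top_count_number))
    return result


def format_alert_body(num_events, counts):
    """Render a body resembling the page's alert text: a headline plus one
    section per key with its top values (simplified layout, assumed)."""
    lines = ["At least %d events occurred" % num_events]
    for key, values in counts.items():
        lines.append("%s:" % key)
        if not values:
            lines.append("    (no terms: field is not a keyword)")
        for value, n in values.items():
            lines.append("    %s: %d" % (value, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_top_count_aggs(["message", "Host_Id"], top_count_number=4))
    counts = top_counts(SAMPLE_EVENTS, ["message", "Host_Id"], 2, keyword_fields=("Host_Id",))
    print(format_alert_body(len(SAMPLE_EVENTS), counts))
```

The check a practitioner wants is in `top_counts`: if a key you list in top_count_keys is not mapped as keyword (or has no unanalyzed ".raw"/".keyword" subfield), the section for it comes back empty, exactly as the page reports for message, and the fix is in the index mapping rather than in the rule.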


