Sameera De Silva
2 min read, Feb 10, 2021

ElastAlert top_count_keys and top_count_number

Here is an example of top_count_keys and top_count_number.

The definitions below are taken from the official documentation.

top_count_keys

top_count_keys: A list of fields. ElastAlert will perform a terms query for the top X most common values for each of the fields, where X is 5 by default, or top_count_number if it exists. For example, if num_events is 100, and top_count_keys is - "username", the alert will say how many of the 100 events have each username, for the top 5 usernames. When this is computed, the time range used is from timeframe before the most recent event to 10 minutes past the most recent event. Because ElastAlert uses an aggregation query to compute this, it will attempt to use the field name plus “.raw” to count unanalyzed terms. To turn this off, set raw_count_keys to false.

top_count_number

top_count_number: The number of terms to list if top_count_keys is set. (Optional, integer, default 5)

Here the message value will be empty in the output alert because message is not a keyword field (to avoid that, map it as a keyword in the Elasticsearch mapping): since top_count_keys is computed with an aggregation, a field without a keyword sub-field returns no terms. The output body is shown below.

At least 1 events occurred between 2021–02–10 10:07 UTC and 2021–02–10 10:17 UTC

message.keyword:

No events found.

Host_Id.keyword:

ip-cc-hhhhh

RuleTopCount.yaml: |-
  ---
  name: RuleTopCount
  type: frequency
  limit_execution: "0/10 * * * *"
  index: demo-*
  num_events: 1
  attach_related: true
  top_count_keys:
    - message
    - Host_Id
  top_count_number: 4
  aggregation:
    minutes: 10
  summary_table_fields:
    - Host_Id
  include:
    - message
    - Host_Id
  timeframe:
    minutes: 10
  filter:
    - query:
        query_string:
          query: "Host_Group.keyword:hello"
  alert:
    - "email"
  email:
    - "doe@doe.com"
  from_addr: "doettt@doe.com"
  alert_subject: "WARNING - ERROR detected host group RE_QA at {0}"
  alert_subject_args:
    - "@timestamp"
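To make the behaviour of top_count_keys concrete, here is an added Python simulation (not ElastAlert's own code) of what the terms aggregation returns for the rule above: the field name gets the ".keyword" suffix seen in the alert output (the older docs say ".raw"), the query window runs from timeframe before the newest event to 10 minutes after it, and a field with no keyword mapping yields "No events found." The events, the keyword_fields set and the function names are constructed assumptions for this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

TEN_MINUTES = timedelta(minutes=10)


def top_count_field(key, raw_count_keys=True):
    # ElastAlert aggregates on the keyword sub-field unless raw_count_keys is false.
    return f"{key}.keyword" if raw_count_keys else key


def top_count_window(most_recent, timeframe):
    # The terms query covers 'timeframe' before the newest event to 10 minutes after it.
    return most_recent - timeframe, most_recent + TEN_MINUTES


def top_counts(events, keys, top_count_number=5, raw_count_keys=True,
               keyword_fields=frozenset(), timeframe=TEN_MINUTES):
    # keyword_fields (assumption) stands in for the index mapping: only these
    # fields have a .keyword sub-field, so only they can be aggregated on.
    most_recent = max(e["@timestamp"] for e in events)
    start, end = top_count_window(most_recent, timeframe)
    in_window = [e for e in events if start <= e["@timestamp"] <= end]
    result = {}
    for key in keys:
        field = top_count_field(key, raw_count_keys)
        if raw_count_keys and key not in keyword_fields:
            result[field] = {}  # unmapped .keyword field: empty aggregation
            continue
        counts = Counter(e[key] for e in in_window if key in e)
        result[field] = dict(counts.most_common(top_count_number))
    return result


def format_top_counts(counts):
    # Mirrors the alert body: field name, then "value: count" lines or "No events found."
    lines = []
    for field, buckets in counts.items():
        lines.append(f"{field}:")
        if not buckets:
            lines.append("No events found.")
        lines.extend(f"{value}: {n}" for value, n in buckets.items())
    return "\n".join(lines)


# Constructed sample events: Host_Id is mapped as keyword, message is text only.
T0 = datetime(2021, 2, 10, 10, 7, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": T0 + timedelta(minutes=i), "message": f"ERROR code {i % 2}", "Host_Id": h}
    for i, h in enumerate(["ip-cc-hhhhh", "ip-cc-hhhhh", "ip-dd-aaaaa", "ip-cc-hhhhh"])
]
```

Running top_counts(SAMPLE_EVENTS, ["message", "Host_Id"], top_count_number=4, keyword_fields={"Host_Id"}) reproduces the shape of the alert above: message.keyword is empty while Host_Id.keyword lists ip-cc-hhhhh with its count.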
