Elastalert simplified multiple rules in one file


I would suggest you think before doing this.

To achieve the expected result:

  1. Have rule_type as change instead of frequency.

  2. Keep the same timeframe.

  3. Monitor on status, as you want to check whether it is down.

  4. Set filter on the monitor field.

  5. Set alert as POST.

  6. You can have your own backend API to which you can redirect. You can send the entire document which got changed, through which you can identify which domain is down. The backend API can write to an index which domain is down. The key name is domain_name. You can keep a counter kind of thing to increase. I am not sure whether we can directly post to ES, but the documentation says any endpoint which accepts JSON.

  7. Now you have your frequency rule set on the new index. Have your filters as OR: domain1_down: 5 OR domain2_down: 5. You can have your same email alerting, but you need to derive which domain from the key, or you can have one more field in the index to be used by alerting.

Here the trickiest point is that your config says you want to find 5 downtimes of a domain in a 2 minute timeframe.

By using the aforementioned steps, you can find whether it went down 5 times, but not within a 2 minute time frame. I guess that you can achieve that by keeping a field previous_down_time in the extra index.

It's a harder way to achieve what is needed. I don't think there is any better way than maintaining separate files. That is not harder than this.
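The part of the answer that stays open is the backend in step 6 and the 2 minute window in the last paragraphs. The following is an added example, not code from the answer or from ElastAlert: it assumes a hypothetical backend that receives each document posted by the change rule as JSON with `domain_name`, `status` and `@timestamp` fields, and keeps the per-domain `previous_down_time` bookkeeping in memory so the "5 downs within 2 minutes" condition can be evaluated on the backend side rather than by a second frequency rule.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # downtimes per domain that should raise an alert
WINDOW = timedelta(minutes=2)  # same timeframe the original rule used


class DownCounter:
    """Sliding-window counter of 'down' transitions, one window per domain_name."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        # domain_name -> timestamps of its recent 'down' transitions (the previous_down_time bookkeeping)
        self._downs = defaultdict(deque)

    def record(self, doc):
        """Handle one document posted by the change rule.

        Returns (domain_name, downs_inside_window, alert). A change rule also fires
        when status goes back to 'up', so such documents are counted as no-ops."""
        domain = doc["domain_name"]
        if doc.get("status") != "down":
            return domain, len(self._downs[domain]), False
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        window = self._downs[domain]
        window.append(ts)
        # Forget transitions older than the window so only the last 2 minutes count.
        while window and ts - window[0] > self.window:
            window.popleft()
        return domain, len(window), len(window) >= self.threshold


def replay(docs, counter=None):
    """Feed posted documents in order; returns one (domain, count, alert) tuple per document."""
    counter = counter or DownCounter()
    return [counter.record(d) for d in docs]


# Constructed sample input: what the hypothetical backend would receive from the http_post alert.
SAMPLE_DOCS = [
    {"domain_name": "example.com", "status": "down", "@timestamp": "2024-01-01T10:00:00Z"},
    {"domain_name": "example.com", "status": "up",   "@timestamp": "2024-01-01T10:00:10Z"},
    {"domain_name": "example.com", "status": "down", "@timestamp": "2024-01-01T10:00:20Z"},
    {"domain_name": "example.com", "status": "down", "@timestamp": "2024-01-01T10:00:40Z"},
    {"domain_name": "other.com",   "status": "down", "@timestamp": "2024-01-01T10:00:45Z"},
    {"domain_name": "example.com", "status": "down", "@timestamp": "2024-01-01T10:01:00Z"},
    {"domain_name": "example.com", "status": "down", "@timestamp": "2024-01-01T10:01:20Z"},  # 5th down in 2 min
    {"domain_name": "other.com",   "status": "down", "@timestamp": "2024-01-01T10:03:00Z"},  # earlier one aged out
]
```

Running `replay(SAMPLE_DOCS)` raises the alert only on the seventh document (example.com, 5 downs inside the window), while other.com never exceeds a count of 1 because its first down falls outside the 2 minute window by the time the second arrives.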