I am having some troubles with the alerting functions in Watcher, below is part of my JSON query which allows you to understand what I'm trying to do and which fields I am using.
"aggs": {
"2": {
"significant_terms": {
"field": "TargetUserName.keyword",
"size": 10
"key": "UserTest",
"doc_count": 5,
"score": 5131.956340020576,
"bg_count": 27
I am trying to set up alerting that will trigger each time a user fails to log on 3 times in 3 minutes. I have set up the query and can pull the data in. I can also send email alerts; however, I need help with adding fields to the body.
Below you can see my condition. I would like the condition to be met when a user fails to log on 3 times in 3 minutes. The JSON below currently doesn't work. Can anyone give me any pointers?
"condition": {
"compare": {
"ctx.payload.aggregation.significant.total": {
"gte": 3
My second question is: how do I include field values in the email alert? I would like to show the username and the number of times the user failed to log on. How do I do this? Below is my attempt.
"subject": "Multiple Failed Logons Detected",
"body": {
"text": "{{TargetUserName.keyword}} has failed to logon multiple times"
Cheers,
G
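One way to wire up both halves of this question, as an added example that is not from the original post: a `terms` aggregation on `TargetUserName.keyword` with `min_doc_count` so only users with 3 or more failures in the last 3 minutes produce a bucket (swapped in for `significant_terms`, which ranks by unusualness against the background rather than by a plain count), a script condition that fires when any bucket exists (the poster's `compare` path is not a field Watcher populates; per-user counts live under `ctx.payload.aggregations.<agg name>.buckets`), and a Mustache section in the email body that iterates the buckets to print each `key` and `doc_count`. The index pattern, the `@timestamp` field, the `event.code` failed-logon filter, the watch name and the recipient address are assumptions and are also flagged in the watch's `metadata`.

```json
PUT _watcher/watch/multiple_failed_logons
{
  "trigger": { "schedule": { "interval": "1m" } },
  "metadata": {
    "note": "Added example. Index pattern, @timestamp, event.code filter and recipient are assumptions; adjust to your data."
  },
  "input": {
    "search": {
      "request": {
        "indices": ["winlogbeat-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-3m" } } },
                { "term": { "event.code": "4625" } }
              ]
            }
          },
          "aggs": {
            "failed_logons": {
              "terms": {
                "field": "TargetUserName.keyword",
                "min_doc_count": 3,
                "size": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.aggregations.failed_logons.buckets.size() > 0;"
    }
  },
  "actions": {
    "notify_soc": {
      "email": {
        "to": ["soc@example.com"],
        "subject": "Multiple Failed Logons Detected",
        "body": {
          "text": "{{#ctx.payload.aggregations.failed_logons.buckets}}{{key}} failed to log on {{doc_count}} times in the last 3 minutes\n{{/ctx.payload.aggregations.failed_logons.buckets}}"
        }
      }
    }
  }
}
```

`POST _watcher/watch/multiple_failed_logons/_execute` runs the watch once and returns the rendered body, which is the quickest way to check the Mustache section before waiting for the schedule.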