Alerting in elastic by filtering a field in it

Karthik2411 · August 7, 2019, 4:35pm

I have a log with a number of fields. i am trying to alert whenever i see a text and the script is something like this :

{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"crs-*"
],
"types": ,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": ""LBH HEALTH WE SHOULD FAIL OVER""
}
},
{
"range": {
"@timestamp": {
"format": "epoch_millis",
"gte": "now-5m/m",
"lte": "now/m"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"heartbeat": {
"email": {
"profile": "standard",
"to": [
"dhdesai@cisco.com",
"sj-pda-warriors@cisco.com"
],
"subject": "Watcher Notification",
"body": {
"text": "We found these logs : LBH HEALTH WE SHOULD FAIL OVER—BTS_DFW"
}
}
}
}
}

there is a field called "host" in it whose data type is a text. Is there a way to add the details of the host whenever I see that log and to add to that can i get the details of the host in the alert ??

In other way I want to alert this following detail

spinscale · August 9, 2019, 6:14am

Hey,

you access the search hits and their fields via {{ctx.payload.hits.hits.0._source.host}} - this would return the host field of the first hit. You may want to use an terms aggregation in your search though to get all the hosts returned by a search instead of only the first 10 hits.

--Alex

Karthik2411 · August 14, 2019, 5:57pm

Hello @spinscale

PS: I am using Kibana 6.5

below is the script that I have written for reporting if there are more than three failures in last 5 min

{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"crs-*"
],
"types": ,
"body": {
"size": 15,
"_source": [
"host"
],
"query": {
"bool": {
"must": [
{
"query_string": {
"query": ""LBH HEALTH WE SHOULD FAIL OVER""
}
},
{
"range": {
"@timestamp": {
"format": "epoch_millis",
"gte": "now-5m/m",
"lte": "now/m"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"heartbeat": {
"email": {
"profile": "standard",
"to": [
"dhdesai@cisco.com",
"sj-pda-warriors@cisco.com"
],
"subject": "Watcher Notification",
"body": {
"text": "We found these logs : LBH HEALTH WE SHOULD FAIL OVER--PROD_SJ. \n Host:{{#ctx.payload.hits.hits}}{{_source.host}},{{/ctx.payload.hits.hits}} \n Link: https://wiki.cisco.com/display/NEWPORTAL/QBS+Alerts+and+actions+to+be+taken"
}
}
}
}
}

I want to show all the hosts that have the failures. For now I have set the number to 15. How can I list out all the hosts that had failures in the last five minutes

spinscale · August 15, 2019, 7:15am

please take the time to properly format your code snippets, JSON is already hard to read for humans, but much harder when it is not formatted.

The correct way to show all hosts would not be the hits data of a search response, as a single host could probably occur in there more than once, but a terms aggregation on the host. See https://www.elastic.co/guide/en/elasticsearch/reference/7.3/search-aggregations-bucket-terms-aggregation.html

--Alex

system · September 12, 2019, 7:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.