Alerting in elastic by filtering a field in it

Elastic Stack Elasticsearch
1

I have a log with a number of fields. i am trying to alert whenever i see a text and the script is something like this :

{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"crs-*"
],
"types": ,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": ""LBH HEALTH WE SHOULD FAIL OVER""
}
},
{
"range": {
"@timestamp": {
"format": "epoch_millis",
"gte": "now-5m/m",
"lte": "now/m"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"heartbeat": {
"email": {
"profile": "standard",
"to": [
"dhdesai@cisco.com",
"sj-pda-warriors@cisco.com"
],
"subject": "Watcher Notification",
"body": {
"text": "We found these logs : LBH HEALTH WE SHOULD FAIL OVER—BTS_DFW"
}
}
}
}
}

there is a field called "host" in it whose data type is a text. Is there a way to add the details of the host whenever I see that log and to add to that can i get the details of the host in the alert ??

In other way I want to alert this following detail

00%20AM
Screen Shot 2019-08-07 at 9.34.00 AM.png2980×1878 473 KB
38%20AM
Screen Shot 2019-08-07 at 9.42.38 AM.png2918×1672 437 KB

2

Hey,

you access the search hits and their fields via {{ctx.payload.hits.hits.0._source.host}} - this would return the host field of the first hit. You may want to use an terms aggregation in your search though to get all the hosts returned by a search instead of only the first 10 hits.

--Alex

3

Hello @spinscale

PS: I am using Kibana 6.5

below is the script that I have written for reporting if there are more than three failures in last 5 min

{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"crs-*"
],
"types": ,
"body": {
"size": 15,
"_source": [
"host"
],
"query": {
"bool": {
"must": [
{
"query_string": {
"query": ""LBH HEALTH WE SHOULD FAIL OVER""
}
},
{
"range": {
"@timestamp": {
"format": "epoch_millis",
"gte": "now-5m/m",
"lte": "now/m"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"heartbeat": {
"email": {
"profile": "standard",
"to": [
"dhdesai@cisco.com",
"sj-pda-warriors@cisco.com"
],
"subject": "Watcher Notification",
"body": {
"text": "We found these logs : LBH HEALTH WE SHOULD FAIL OVER--PROD_SJ. \n Host:{{#ctx.payload.hits.hits}}{{_source.host}},{{/ctx.payload.hits.hits}} \n Link: https://wiki.cisco.com/display/NEWPORTAL/QBS+Alerts+and+actions+to+be+taken"
}
}
}
}
}

I want to show all the hosts that have the failures. For now I have set the number to 15. How can I list out all the hosts that had failures in the last five minutes

4

please take the time to properly format your code snippets, JSON is already hard to read for humans, but much harder when it is not formatted.

The correct way to show all hosts would not be the hits data of a search response, as a single host could probably occur in there more than once, but a terms aggregation on the host. See https://www.elastic.co/guide/en/elasticsearch/reference/7.3/search-aggregations-bucket-terms-aggregation.html

--Alex

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.