I have an Elasticsearch query which emails out on a specific Windows Event Log event id.
This is a basic query...
{
  "query": {
    "query_string": {
      "query": "10028",
      "fields": ["event.code"]
    }
  }
}
What I would like to do is
- Group alerts on host.name. So a separate alert for each host meeting this criterion.
- Include the hostname in the emails.
Is an Elasticsearch query the best way to configure this?
Any ideas?
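One way to get a separate alert per host, with the hostname available for the email, is to keep the event.code match and add a terms aggregation on host.name, then build one alert record per bucket. The Python below is an added example, not code from the original post or from Elastic: the index pattern winlogbeat-*, the 5-minute window, the message field and the sample response are constructed assumptions. It relies on ECS mappings where host.name and event.code are keyword fields (a terms aggregation needs a keyword, not a text field, and event.code is matched as the string "10028"). Watcher or a Kibana alerting rule can wrap the same aggregation; the aggregation is what does the grouping either way.

```python
"""Per-host grouping of an Elasticsearch event.code match (added example).

Builds a search body with a terms aggregation on host.name, then turns the
aggregation buckets into one alert record per host so each host gets its own
email with the hostname in it. Index, window and field names are assumptions.
"""
import json
import urllib.request
from typing import Any

ES_URL = "http://localhost:9200"  # assumption; secured clusters also need auth headers
INDEX = "winlogbeat-*"            # assumption
HOSTS_PER_QUERY = 500             # terms "size"; hosts beyond it land in sum_other_doc_count


def build_query(event_code: str, window: str = "now-5m") -> dict[str, Any]:
    """Filter on event.code (keyword in ECS, so the id is a string) within a
    recent window and bucket hits by host.name, keeping the newest hit per host."""
    return {
        "size": 0,  # only the aggregation is needed, not raw hits
        "query": {"bool": {"filter": [
            {"term": {"event.code": event_code}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"per_host": {
            "terms": {"field": "host.name", "size": HOSTS_PER_QUERY},
            "aggs": {"latest": {"top_hits": {
                "size": 1,
                "sort": [{"@timestamp": {"order": "desc"}}],
                "_source": ["@timestamp", "message"],
            }}},
        }},
    }


def run_search(body: dict[str, Any], es_url: str = ES_URL, index: str = INDEX) -> dict[str, Any]:
    """POST the body to the _search endpoint of a live cluster."""
    req = urllib.request.Request(
        f"{es_url}/{index}/_search", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def alerts_per_host(response: dict[str, Any], event_code: str) -> list[dict[str, Any]]:
    """One alert record per host.name bucket, ready to be mailed separately."""
    alerts = []
    agg = response.get("aggregations", {}).get("per_host", {})
    for bucket in agg.get("buckets", []):
        top = bucket.get("latest", {}).get("hits", {}).get("hits", [])
        latest = top[0]["_source"] if top else {}
        alerts.append({
            "host": bucket["key"],
            "count": bucket["doc_count"],
            "last_seen": latest.get("@timestamp"),
            "message": latest.get("message", ""),
            "subject": f"Event {event_code} on {bucket['key']} ({bucket['doc_count']} hit(s))",
        })
    return alerts


def buckets_truncated(response: dict[str, Any]) -> bool:
    """True when more hosts matched than the terms size returned; without this
    check those extra hosts would be silently dropped from alerting."""
    agg = response.get("aggregations", {}).get("per_host", {})
    return agg.get("sum_other_doc_count", 0) > 0


def render_email(alert: dict[str, Any]) -> str:
    """Plain-text email body with the hostname included."""
    return "\n".join([
        f"Subject: {alert['subject']}", "",
        f"Host: {alert['host']}",
        f"Matches in window: {alert['count']}",
        f"Last seen: {alert['last_seen']}",
        f"Last message: {alert['message']}",
    ])


# Constructed sample response shaped like what _search returns for build_query().
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 5, "relation": "eq"}, "hits": []},
    "aggregations": {"per_host": {
        "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
        "buckets": [
            {"key": "dc01.example.local", "doc_count": 3, "latest": {"hits": {"hits": [
                {"_source": {"@timestamp": "2024-01-10T08:03:11.000Z", "message": "Sample event 10028 text"}}]}}},
            {"key": "ws-17.example.local", "doc_count": 2, "latest": {"hits": {"hits": [
                {"_source": {"@timestamp": "2024-01-10T08:01:40.000Z", "message": "Sample event 10028 text"}}]}}},
        ],
    }},
}

if __name__ == "__main__":
    # Against a live cluster use run_search(build_query("10028")) instead of the sample.
    for alert in alerts_per_host(SAMPLE_RESPONSE, "10028"):
        print(render_email(alert), end="\n\n")
    if buckets_truncated(SAMPLE_RESPONSE):
        print("WARNING: more hosts matched than were returned; raise HOSTS_PER_QUERY")
```

Each record from alerts_per_host() maps to one email, so the hostname is in both subject and body. The sum_other_doc_count check matters in a security context: a terms aggregation with too small a size quietly drops the remaining hosts, which is exactly the failure you do not want in an alert pipeline.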