Capture-now-and-now-15min & Array_compare condition

Muhammad_Irfan · November 14, 2019, 10:13am

Dear All,

Greetings! I have been working on Watcher and successfully received email notification but want to make changes as per my assignment. So need your assistance and help

Task :
ELK work as a anti-spam filter and my task is watcher trigger email if sender is not from "for e.g Germany" country and domain should not be ".com"

Additional Task :

1- Capture-now-and-now-15min in watcher email body
2-Array_compare condition met but shows values which is not required.

Please find JSON code..

{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"file-name-"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
},
{
"wildcard": {
"sender": {
"value": ".com"
}
}
},
{
"exists": {
"field": "sender.keyword"
}
}
],
"must_not": [
{
"match_phrase": {
"geoip.country_name": {
"query": "Germany"
}
}
},
{
"match_phrase": {
"sender": "reply "
}
},
{
"match_phrase": {
"sender": "bounce"
}
},
{
"match_phrase": {
"sender": "bounces"
}
},
{
"match_phrase": {
"sender": "srs0"
}
},
{
"match_phrase": {
"sender": "prvs="
}
},
{
"match_phrase": {
"is_spam.keyword": {
"query": "1"
}
}
}
]
}
},
"aggs": {
"sender_email": {
"terms": {
"field": "sender.keyword",
"size": 5,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
},
"condition": {
"array_compare": {
"ctx.payload.aggregations.sender_email.buckets": {
"path": "doc_count",
"gt": {
"value": 50,
"quantifier": "some"
}
}
}
},
"actions": {
"email_admin": {
"email": {
"profile": "standard",
"to": [
"myemal@.com"
],
"subject": "spam email notification",
"body": {
"html": "
{{#ctx.payload.aggregations.sender_email.buckets}}
Sender Count
{{key}} {{doc_count}}{{/ctx.payload.aggregations.sender_email.buckets}}
"
}
}
}
}
}

WATCHER OUTPUT

As per my array condition, emails counts should be greater then 50, but with 50+ counts i m also getting count less than 50 so please assist
gt": {
"value": 50,
"quantifier": "some"

Secondly, i want to add time range ["from": "now-5m", "to": "now"] in my watcher body so my output will be like this

Dear Team,

We are receiving spam email from below users with time range : Thu 14/11/2019 2:08 PM to Thu 14/11/2019 2:13 PM

so I need your urgent help to complete this task

Regards,
Irfan

Muhammad_Irfan · November 16, 2019, 10:01am

Dears,

I m still waiting for your valuable comments

Regards,
IQ

system · December 14, 2019, 10:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.