Hi all, I am trying to achieve the following with my Kibana watcher.
1> I have added logs in my code with the text "Security Alert" where there is an appropriate security violation. So, in my code, in certain sections, I have done the following:
logger.log("Security Alert: More info about it");
2> My end goal is to be able to capture and send alerts where there are say 10 of these Security Alerts in the log in a span of 30 minutes.
I have written a watcher JSON below. I can see the text getRecentOrders in the Kibana search window, but it's not logging through the watcher. Any idea what I am doing wrong? Also, how can I capture the "10 times within 30 minutes" criterion?
```json
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "match": "getRecentOrders"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-30m"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "There are {{ctx.payload.hits.total}} documents in your index. Threshold is 10."
      }
    }
  }
}
```
Any help would be appreciated.
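A corrected version of the watcher, added here as an example and not taken from the original post. The posted watcher never matches anything because `query_string` expects its text under `query`, not `match`; the example replaces that clause with a `match_phrase` on the log text field (assumed here to be called `message`, adjust to your mapping), pins the time range to the trigger's scheduled time so consecutive runs cover contiguous 30-minute windows, and keeps the existing `compare` condition, since `ctx.payload.hits.total >= 10` over a 30-minute range already expresses the "10 alerts in 30 minutes" rule.

```json
{
  "trigger": { "schedule": { "interval": "30m" } },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [ "*" ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                { "match_phrase": { "message": "Security Alert" } }
              ],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-30m",
                      "lte": "{{ctx.trigger.scheduled_time}}"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 10 } }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "warn",
        "text": "{{ctx.payload.hits.total}} 'Security Alert' log lines in the last 30 minutes (threshold 10)."
      }
    }
  }
}
```

To check the query and condition without waiting for the schedule, run `POST _watcher/watch/<watch_id>/_execute` (or the Simulate tab in the Kibana Watcher UI) and inspect `result.input.payload.hits.total` and `result.condition.met` in the response.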