I am creating a script in Watch to get an alert if my warning count increases by more than five. In the image you can see that I get the count alert when all the data in the field (event_type) has exceeded 5, and I get the alert through Slack. Here my requirement is: out of Info, finest and warning data, I want only the warning data to be triggered and displayed in the alert. Are there any changes to be made in the script?
You need to add a condition to your query to match warning only.
Something like this:
"query": {
  "term": {
    "status.keyword": {
      "value": "warning"
    }
  }
}
Reference - https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html
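A complete watch that places the term filter from the answer above inside the search input and fires only when more than five warnings match, as an added example (not code from the original thread). The index pattern, the Slack account name, the `@timestamp` range and the `status.keyword` field are assumptions; use whichever field holds the "warning" value in your own mapping. The `condition_fires` helper mirrors the watch's `compare` condition on a constructed search response so the threshold logic can be checked offline.

```python
import json

WARNING_THRESHOLD = 5  # fire only when more than five warnings match


def build_warning_watch(index="logs-*", slack_account="slack_alerts", field="status.keyword"):
    """Watcher body that counts only "warning" documents and alerts via Slack.
    Index pattern, Slack account and field name are assumptions for this example."""
    return {
        "trigger": {"schedule": {"interval": "5m"}},
        "input": {"search": {"request": {
            "indices": [index],
            "body": {
                "size": 0,  # the condition only needs the hit count
                "query": {"bool": {"filter": [
                    # the term filter from the answer: drop Info/finest, keep warning
                    {"term": {field: {"value": "warning"}}},
                    # look back over the same window the trigger uses (assumed field)
                    {"range": {"@timestamp": {"gte": "now-5m"}}},
                ]}},
            },
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": WARNING_THRESHOLD}}},
        "actions": {"notify_slack": {"slack": {
            "account": slack_account,
            "message": {"text": "{{ctx.payload.hits.total}} warnings in the last 5 minutes"},
        }}},
    }


def condition_fires(search_response, threshold=WARNING_THRESHOLD):
    """Mirror the watch's compare condition on a search response.
    hits.total is an int on older clusters and {"value": n, ...} on 7.x+."""
    total = search_response["hits"]["total"]
    if isinstance(total, dict):
        total = total["value"]
    return total > threshold


if __name__ == "__main__":
    print(json.dumps(build_warning_watch(), indent=2))
    # constructed sample response: six warnings matched the filtered query
    sample = {"hits": {"total": {"value": 6, "relation": "eq"}, "hits": []}}
    print(condition_fires(sample))  # True
```

Because the filter restricts the search itself, `hits.total` already counts warnings only, so the condition and the Slack message need no further per-level logic.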
Yes, it's working now. Thank you so much @AClerk