Hi All,
I am migrating watchers to Rules. I have a watcher that compares the previous value from the last entry and alerts if it is not the same. This works perfectly in Watcher, as we wrote aggs and a Painless script, but now that we are migrating to Rules I realize I have less scope. Can anyone help me with whether this is possible with Query DSL?
Issue 1
- If the field, e.g. field1, exists and log.file.path is like "xxxx", order by timestamp desc with limit 2.
- If field1 is null or does not match the previous field value, then throw an alert. There are other logs which don't contain field1, so it is mandatory to search for exists.
Issue 2
Also, for the other rule, I am struggling to add multiple conditions to a rule. Why can't I add multiple conditions in a rule?
Like: if count <= 0 or count >= 2, alert.
Watcher that works:
{
  "trigger": {
    "schedule": {
      "daily": {
        "at": [
          "06:00"
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "test*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "exists": {
                    "field": "sha256"
                  }
                },
                {
                  "match": {
                    "log.file.path": "*0.0.0.0*"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-2d",
                    "to": "now"
                  }
                }
              }
            }
          },
          "aggs": {
            "sha256codes": {
              "terms": {
                "field": "sha256.keyword"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.sha256codes.buckets.length > 1 || ctx.payload.aggregations.sha256codes.buckets.length < 1",
      "lang": "painless"
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 30000,
      "slack": {
        "account": "test",
        "message": {
          "text": "Test Alert",
          "dynamic_attachments": {
            "list_path": "ctx.payload.hits.hits",
            "attachment_template": {
              "color": "danger",
              "title": "This is a test alert",
              "text": "File path for ref {{_source.log.file.path}} on server {{_source.agent.name}}"
            }
          }
        }
      }
    }
  }
}
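Added example, not part of the original post or of Elastic's own code: the Query DSL body that Issue 1 asks for (exists on the field, wildcard on log.file.path, newest first, two hits) built as a plain dict, together with the "value changed or missing" decision and the "count <= 0 or count >= 2" test from Issue 2 evaluated locally. Field names are the poster's (sha256, log.file.path, @timestamp, agent.name); the index pattern, the helper names and the sample hits are constructed for the example. It assumes log.file.path is mapped as keyword (the ECS default), which is what makes a wildcard query usable there.

```python
"""Query DSL for "latest two entries with field present" plus the alert
decision the watcher's Painless condition expressed. Added example;
names and sample data are constructed, not from the original post."""
import json

INDEX_PATTERN = "test*"  # same pattern as the watcher; assumption that the rule keeps it


def build_query(field="sha256", path_pattern="*0.0.0.0*", window="now-2d", size=2):
    """Return a Query DSL body: docs where `field` exists and log.file.path
    matches the wildcard, inside the time window, sorted newest first and
    limited to `size` hits. `wildcard` is used rather than `match` because
    `match` analyzes the pattern and the asterisks are not wildcards there;
    this assumes log.file.path is a keyword field."""
    return {
        "size": size,
        "_source": [field, "log.file.path", "agent.name", "@timestamp"],
        "query": {
            "bool": {
                "filter": [
                    {"exists": {"field": field}},
                    {"wildcard": {"log.file.path": {"value": path_pattern}}},
                    {"range": {"@timestamp": {"gte": window, "lte": "now"}}},
                ]
            }
        },
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def should_alert(hits, field="sha256"):
    """Issue 1: given hits[] from a size-2, newest-first search, alert when
    there are fewer than two entries to compare, when either of the two
    latest lacks the field, or when the two values differ.
    Returns (alert, reason)."""
    if len(hits) < 2:
        return True, f"expected 2 hits, got {len(hits)}"
    newest, previous = hits[0]["_source"], hits[1]["_source"]
    cur, prev = newest.get(field), previous.get(field)
    if cur is None or prev is None:
        return True, f"{field} missing in one of the two latest entries"
    if cur != prev:
        return True, f"{field} changed: {prev} -> {cur}"
    return False, f"{field} unchanged ({cur})"


def outside_one(count):
    """Issue 2: 'count <= 0 or count >= 2' is exactly 'count != 1', the same
    test as the watcher's buckets.length > 1 || buckets.length < 1."""
    return count <= 0 or count >= 2


def watcher_condition(response):
    """The watcher's Painless condition evaluated on a raw search response:
    alert unless the sha256codes terms aggregation has exactly one bucket."""
    buckets = response["aggregations"]["sha256codes"]["buckets"]
    return outside_one(len(buckets))


# Constructed sample hits, in the newest-first order the sort clause returns.
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2024-01-02T06:00:00Z", "sha256": "aaa",
                 "log": {"file": {"path": "/var/log/0.0.0.0.log"}},
                 "agent": {"name": "host1"}}},
    {"_source": {"@timestamp": "2024-01-01T06:00:00Z", "sha256": "bbb",
                 "log": {"file": {"path": "/var/log/0.0.0.0.log"}},
                 "agent": {"name": "host1"}}},
]

# Constructed aggregation response shaped like the watcher's payload.
SAMPLE_AGG_RESPONSE = {
    "aggregations": {"sha256codes": {"buckets": [{"key": "aaa", "doc_count": 3},
                                                 {"key": "bbb", "doc_count": 1}]}}
}

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print(should_alert(SAMPLE_HITS))
    print("watcher would alert:", watcher_condition(SAMPLE_AGG_RESPONSE))
```

The body from build_query() is what goes into the rule's query; the rule itself only thresholds on how many documents matched, so the value comparison in should_alert still has to run somewhere that can execute code, and the two-hit query simply makes that comparison cheap. The single-bucket condition the watcher uses and the count <= 0 or count >= 2 wording in Issue 2 are the same test, which is why outside_one covers both.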