So I'm trying to make a monitor on Alerts for Kibana OSS, but I'm not sure how to search through the data/logs that I have using the extraction query. This is an example of one of the hits:
{
  "_shards": {
    "total": 1,
    "failed": 0,
    "successful": 1,
    "skipped": 0
  },
  "hits": {
    "hits": [
      {
        "_index": "logstash-2019.12.16",
        "_type": "_doc",
        "_source": {
          "@timestamp": "2019-12-16T00:20:36.854Z",
          "system": {
            "filesystem": {
              "total": 20749807616,
              "device_name": "/dev/nvme0n1p1",
              "mount_point": "/",
              "free_files": 2360019,
              "available": 14942003200,
              "files": 2560000,
              "used": {
                "pct": 0.2793,
                "bytes": 5791027200
              },
              "free": 14958780416,
              "type": "ext4"
            }
          }
        }
      }
    ]
  }
}
What would be the correct syntax to search/filter for "device name" and "pct"? What I'm trying to do exactly is: for every device name, if the value of pct is greater than 0.75, then it should alert me.
The documentation on the ELK site is just really hard to understand!
Thank you in advance for any help or guidance.
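As an added example (not part of the original post), the following Python builds an extraction query body that matches the two fields from the posted hit, `system.filesystem.device_name` and `system.filesystem.used.pct`, and applies the same "pct greater than 0.75" rule locally to a few constructed hits so the logic can be checked before the monitor is saved. It assumes the alerting plugin's monitor takes an Elasticsearch query DSL body and that its trigger condition is evaluated on the hit count, and it assumes the Logstash index maps `device_name` with a `.keyword` sub-field (the usual default), which is what a `terms` aggregation needs; the five-minute time window is also an assumed choice.

```python
"""
Added example, not from the original post.

Assumptions not stated in the post: the monitor runs an Elasticsearch
query DSL body and its trigger fires on the hit count; device_name has a
".keyword" sub-field (Logstash default mapping) for the terms aggregation.
"""
import json

# Field paths exactly as they appear in the posted hit.
PCT_FIELD = "system.filesystem.used.pct"
DEVICE_FIELD = "system.filesystem.device_name"
THRESHOLD = 0.75  # the 75 % threshold from the question


def build_extraction_query(threshold=THRESHOLD, size=100):
    """Return the query DSL body for the monitor's extraction query.

    The range filter keeps only documents whose used.pct is strictly
    greater than the threshold; the terms aggregation groups the
    survivors by device so the alert can name the devices that are full.
    """
    return {
        "size": size,
        "query": {
            "bool": {
                "filter": [
                    {"range": {PCT_FIELD: {"gt": threshold}}},
                    # Assumed window: only recent metrics, so stale
                    # documents do not keep the alert firing.
                    {"range": {"@timestamp": {"gte": "now-5m"}}},
                ]
            }
        },
        "aggs": {
            "by_device": {
                "terms": {"field": DEVICE_FIELD + ".keyword", "size": 50},
                "aggs": {"max_pct": {"max": {"field": PCT_FIELD}}},
            }
        },
    }


def get_path(doc, dotted):
    """Walk a nested dict by a dotted path; return None if any key is absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def devices_over_threshold(hits, threshold=THRESHOLD):
    """Apply the 'pct > threshold' rule locally to a list of hits.

    Returns the sorted device names that would trigger the alert. This
    mirrors what the range filter does server-side, so the rule can be
    sanity-checked offline against known documents.
    """
    devices = set()
    for hit in hits:
        src = hit.get("_source", {})
        pct = get_path(src, PCT_FIELD)
        dev = get_path(src, DEVICE_FIELD)
        if pct is not None and dev is not None and pct > threshold:
            devices.add(dev)
    return sorted(devices)


def trigger_fires(hit_count):
    """Equivalent of a trigger condition on the extraction result's hit
    count: alert whenever at least one document matched the filter."""
    return hit_count > 0


# Constructed sample hits: the first is the filesystem from the posted hit,
# the rest are made up to exercise the threshold (one sits exactly on it,
# one has no pct field at all and must be ignored).
SAMPLE_HITS = [
    {"_source": {"system": {"filesystem": {
        "device_name": "/dev/nvme0n1p1", "used": {"pct": 0.2793}}}}},
    {"_source": {"system": {"filesystem": {
        "device_name": "/dev/sdb1", "used": {"pct": 0.91}}}}},
    {"_source": {"system": {"filesystem": {
        "device_name": "/dev/sdc1", "used": {"pct": 0.75}}}}},
    {"_source": {"system": {"filesystem": {
        "device_name": "/dev/sdd1"}}}},
]

if __name__ == "__main__":
    print(json.dumps(build_extraction_query(), indent=2))
    full = devices_over_threshold(SAMPLE_HITS)
    print("devices over threshold:", full)            # ['/dev/sdb1']
    print("trigger fires:", trigger_fires(len(full)))  # True
```

Because the filter uses `gt`, a device at exactly 0.75 does not match; switch to `gte` if "75 % or more" is the intended rule. The `by_device` aggregation is what lets the alert message list the affected devices rather than just a count.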