Generating a list of hosts within the past 15 minutes

Hi All,

Could I use Watcher to generate a list of host names that have sent logs to Elasticsearch in the past 15 minutes? I need the output pushed to an API via a webhook, in JSON format.

How would I achieve this?

Jason

Answer, in case anyone is interested:

{
      "trigger": {
        "schedule": {
          "interval": "15m"
        }
      },
      "input": {
        "search": {
          "request": {
            "indices": [
              "test.*"
            ],
            "types": [],
            "body": {
              "size": 0,
              "query": {
                "bool": {
                  "filter": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-{{ctx.metadata.window_period}}"
                        }
                      }
                    },
                    {
                      "exists": {
                        "field": "host"
                      }
                    }
                  ]
                }
              },
              "aggs": {
                "host": {
                  "terms": {
                    "field": "host"
                  },
                  "aggs": {
                    "events": {
                      "top_hits": {
                        "size": 1,
                        "_source": [
                          "host"
                        ]
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "condition": {
        "script": {
          "source": """
             def offenders = [];
            for (def host: ctx.payload.aggregations.host.buckets) {
                  if (host.doc_count >= 1) {
                    offenders.add([
                      'host': host.key,
                      'execution_time' : ctx.trigger.triggered_time
                    ]);
                  }
                }
          ctx.payload.offenders = offenders;
          return offenders.size() > 0;
    """,
          "lang": "painless"
        }
      },
      "actions": { },
            "body": "{{#toJson}}ctx.payload.offenders{{/toJson}}"
          }
        }
      },
      "metadata": {
        "window_period": "15m"
      },
      "throttle_period_in_millis": 120000
    }

Thanks for posting the solution!
