Hi,
I have created an index using the command:
PUT http://localhost:9200/event
{
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "event": {
      "properties": {
        "eventId": {
          "type": "integer"
        },
        "eventName": {
          "type": "string"
        },
        "eventDescription": {
          "type": "string"
        },
        "eventCategory": {
          "type": "string"
        },
        "eventType": {
          "type": "string"
        }
      }
    }
  }
}
After that I created a watcher:
PUT http://localhost:9200/_watcher/watch/event_critical_watch
{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "event"
        ],
        "body": {
          "query": {
            "match": {
              "eventCategory": "CRITICAL"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "to": "'xyz@gmail.com'",
        "subject": "{{ctx.watch_id}} executed",
        "body": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits"
      }
    }
  }
}
After that, in elasticsearch.yml I have made the necessary changes:
watcher.actions.email.service.account:
  gmail:
    profile: gmail
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.gmail.com
      port: 587
      user: your-email@gmail.com
      password: your-password
After that I create a simple event on the event index with action as 'CRITICAL'. Here is a sample event:
PUT http://localhost:9200/event/event/1
{
  "eventId": 1,
  "eventName": "3 failed login attempts",
  "eventDescription": "System has detected 3 failed login attempts",
  "eventCategory": "CRITICAL",
  "eventType": "LOG"
}
It sends me a mail on my mail id, but the issue is that I am getting the same mail for the same record every 60 sec. Can't we stop sending mail for the record which we had sent earlier? This is really annoying. Please help me.
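Added example (not part of the original post, and not code from Elastic): the watch above has no time bound on its search, so every 60s run matches every CRITICAL document ever indexed and the condition stays true forever. The script below builds a variant of the same watch with two changes and simulates both queries against constructed sample documents so the difference is visible without a cluster. It assumes an `eventTime` date field added to the `event` mapping and set on each document, a `range` clause of `now-60s`..`now` so a run only sees events from the last trigger interval, and a `throttle_period` as a second guard; none of these are in the original post. The simulation uses the mapping's field names and the post's constructed sample event as a starting point.

```python
# Added example (not from the original post). Shows why the watch above fires for the
# same record every 60s and one way to scope each run to new events only.
#
# Assumptions, none of which are in the original post:
#  * an `eventTime` date field is added to the `event` mapping and set on each document
#  * the watch query gains a `range` clause of now-60s..now so a run only sees events
#    from the last trigger interval
#  * `throttle_period` is set as a second guard against repeated action execution
# Nothing here talks to Elasticsearch; the simulation applies the same query logic to
# constructed sample documents.
import json
from datetime import datetime, timedelta, timezone

INTERVAL_SECONDS = 60


def build_watch(interval_s=INTERVAL_SECONDS, to="'xyz@gmail.com'"):
    """Return the watch body as a dict (json.dumps it and PUT it to
    /_watcher/watch/event_critical_watch). Same shape as the post's watch,
    plus a time-bounded query and a throttle_period."""
    return {
        "trigger": {"schedule": {"interval": f"{interval_s}s"}},
        "input": {"search": {"request": {
            "indices": ["event"],
            "body": {"query": {"bool": {"must": [
                {"match": {"eventCategory": "CRITICAL"}},
                # assumed field: only events stamped inside the last interval
                {"range": {"eventTime": {"gte": f"now-{interval_s}s", "lt": "now"}}},
            ]}}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        # do not run the actions more than once per interval even if the condition holds
        "throttle_period": f"{interval_s}s",
        "actions": {"email_admin": {"email": {
            "to": to,
            "subject": "{{ctx.watch_id}} executed",
            "body": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits",
        }}},
    }


def _ts(doc):
    return datetime.fromisoformat(doc["eventTime"])


def matches_bounded(doc, now, interval_s=INTERVAL_SECONDS):
    """Pure-Python equivalent of the time-bounded query: CRITICAL and inside [now-interval, now)."""
    return (doc.get("eventCategory") == "CRITICAL"
            and now - timedelta(seconds=interval_s) <= _ts(doc) < now)


def matches_unbounded(doc, now):
    """Equivalent of the post's original query: every CRITICAL document that exists yet."""
    return doc.get("eventCategory") == "CRITICAL" and _ts(doc) < now


def simulate(docs, first_run, runs=3, bounded=True, interval_s=INTERVAL_SECONDS):
    """Run the watch `runs` times, one interval apart, starting at `first_run`.
    Returns a list of (hits_total, condition_fired) per run, where
    condition_fired mirrors ctx.payload.hits.total > 0."""
    results = []
    for i in range(runs):
        now = first_run + timedelta(seconds=interval_s * i)
        if bounded:
            total = sum(1 for d in docs if matches_bounded(d, now, interval_s))
        else:
            total = sum(1 for d in docs if matches_unbounded(d, now))
        results.append((total, total > 0))
    return results


# Constructed sample documents (eventTime = when each one was indexed).
T0 = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"eventId": 1, "eventName": "3 failed login attempts", "eventCategory": "CRITICAL",
     "eventType": "LOG", "eventTime": (T0 - timedelta(seconds=10)).isoformat()},
    {"eventId": 2, "eventName": "root login from new host", "eventCategory": "CRITICAL",
     "eventType": "LOG", "eventTime": (T0 + timedelta(seconds=70)).isoformat()},
    {"eventId": 3, "eventName": "service restarted", "eventCategory": "INFO",
     "eventType": "LOG", "eventTime": (T0 - timedelta(seconds=5)).isoformat()},
]

if __name__ == "__main__":
    print(json.dumps(build_watch(), indent=2))
    print("original (unbounded) query:", simulate(SAMPLE_DOCS, T0, bounded=False))
    print("time-bounded query:        ", simulate(SAMPLE_DOCS, T0, bounded=True))
```

With the post's query the simulation fires on all three runs (the first record is re-found every time and the count only grows); with the range clause it fires once for record 1, stays quiet on the next run, and fires again only when record 2 arrives. `throttle_period` on its own would merely rate-limit the email while the condition kept evaluating true; the time bound is what stops an already-reported record from matching again, which is why the two are combined here.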