I need help with the structure of my watcher. I'm trying to create an alert that sends a notification by email, but the notifications are being grouped as messages in the same initial email, and when it reaches 100, another email is created. I already tried using foreach, but without success.
Below is the structure of my watcher; if anyone can help me, I will be eternally grateful!
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"syslog"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"action": "Prevent"
}
},
{
"match": {
"severity": "Critical"
}
},
{
"exists": {
"field": "attack"
}
},
{
"range": {
"@timestamp": {
"gte": "now-10s"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 0
}
}
},
"actions": {
"send_email": {
"foreach": "ctx.payload.hits.hits",
"max_iterations": 1,
"email": {
"profile": "standard",
"to": [
"mail@mail.com"
],
"subject": "watcher test",
"body": {
"html": """<table style=" width: 100%; text-align: center;"> <tr >
<tr><td colspan="2" style="width: 100%; text-align: left; padding: 10px; font-family: 'Work Sans', sans-serif; color: rgba(118,113,113,1); background-color: rgba(242, 242, 242, 1); font-size: 14px;" ><br><br><b>THIS IS A TEST,</b> <br><br>THIS IS A TEST.</td></tr>
"""
}
}
}
}
}