For context, I have an API request that returns a few devices and the apps installed on them. Here is an example of what the result looks like in Elasticsearch:
"hits": [
  {
    "_index": "devices_xxxx",
    "_id": "sjgaopnwcsg4dgjsc",
    "_score": 5.37709,
    "_source": {
      "apps": [
        {
          "version": "1.2.180",
          "name": "app.name.one",
          "identifier": "identifier.one",
          "tags": null,
          "buildNumber": "999",
          "icon": null
        },
        {
          "version": "2.20.50",
          "name": "app.name.two",
          "identifier": "identifier.two",
          "tags": null,
          "buildNumber": "888",
          "icon": null
        },
        {
          "version": "3.2.3",
          "name": "app.name.three",
          "identifier": "identifier.three",
          "tags": null,
          "buildNumber": "786",
          "icon": null
        }
      ],
      "@version": "1",
      "tags": [
        "xxxx"
      ],
      "@timestamp": "2023-06-15T13:07:20.533311369Z",
      "device": {
        "id": "dgobnosdk",
        "organization": "xxxx"
      }
    }
  }
]
This one has three apps, but some have 14, 10, even 60+.
What I want to do is, for each device, be made aware whenever a new app is added. The last step will be to notify, but I am going one piece at a time. For now I want to get a rule so that I can say, for example:
"The application app.name.four of identifier identifier.four has been installed in the device dgobnosdk"
I am open to different ways to approach this, be it a Logstash config or a Watcher structure; any help is appreciated.
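The core of any solution to the question above, whether it ends up in Logstash, a Watcher, or a small script, is the same: keep the last seen snapshot of each device's `apps` array and diff the next snapshot against it, keyed on `identifier` (not `name` or `version`, which can change on an update). The following is an added example that is not part of the original post and not an Elastic component; it implements that diff in plain Python over two constructed hits shaped like the sample above, and produces the exact notification string the post asks for. The hit named `HIT_T1`, the app `identifier.four` and the second device `abcdef` are made up for the demonstration.

```python
"""Detect newly installed apps per device by diffing consecutive snapshots.

Added example (not the original poster's code). Assumes each hit has
_source.device.id, _source.@timestamp and an _source.apps list whose
entries carry a stable "identifier" field, as in the sample document.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample data: two successive snapshots of device dgobnosdk.
# The second snapshot adds identifier.four and drops identifier.two.
HIT_T0 = {
    "_source": {
        "@timestamp": "2023-06-15T13:07:20.533311369Z",
        "device": {"id": "dgobnosdk", "organization": "xxxx"},
        "apps": [
            {"identifier": "identifier.one", "name": "app.name.one", "version": "1.2.180"},
            {"identifier": "identifier.two", "name": "app.name.two", "version": "2.20.50"},
            {"identifier": "identifier.three", "name": "app.name.three", "version": "3.2.3"},
        ],
    }
}
HIT_T1 = {
    "_source": {
        "@timestamp": "2023-06-15T14:07:20.000000000Z",
        "device": {"id": "dgobnosdk", "organization": "xxxx"},
        "apps": [
            {"identifier": "identifier.one", "name": "app.name.one", "version": "1.2.181"},
            {"identifier": "identifier.three", "name": "app.name.three", "version": "3.2.3"},
            {"identifier": "identifier.four", "name": "app.name.four", "version": "0.1.0"},
        ],
    }
}
# A different, constructed device whose apps field is null (edge case).
HIT_OTHER = {
    "_source": {
        "@timestamp": "2023-06-15T13:30:00.000000000Z",
        "device": {"id": "abcdef", "organization": "xxxx"},
        "apps": None,
    }
}


def app_index(hit: dict) -> dict[str, dict]:
    """Map identifier -> app record. Tolerates a missing or null apps field."""
    apps = hit["_source"].get("apps") or []
    return {app["identifier"]: app for app in apps}


def diff_apps(previous: dict, current: dict) -> tuple[list[dict], list[dict]]:
    """Return (installed, removed) app records between two snapshots of one device."""
    prev_id = previous["_source"]["device"]["id"]
    cur_id = current["_source"]["device"]["id"]
    if prev_id != cur_id:
        raise ValueError(f"snapshots belong to different devices: {prev_id} vs {cur_id}")
    before, after = app_index(previous), app_index(current)
    installed = [after[k] for k in sorted(after.keys() - before.keys())]
    removed = [before[k] for k in sorted(before.keys() - after.keys())]
    return installed, removed


def format_alerts(previous: dict, current: dict) -> list[str]:
    """Render one message per newly installed app, in the wording the post asks for."""
    device_id = current["_source"]["device"]["id"]
    installed, _removed = diff_apps(previous, current)
    return [
        f"The application {app['name']} of identifier {app['identifier']} "
        f"has been installed in the device {device_id}"
        for app in installed
    ]


def detect_new_apps(hits: Iterable[dict]) -> list[str]:
    """Process hits for any number of devices, oldest first, keeping the last
    snapshot per device in memory. Returns the alert strings to notify on."""
    last_seen: dict[str, dict] = {}
    alerts: list[str] = []
    for hit in sorted(hits, key=lambda h: h["_source"]["@timestamp"]):
        device_id = hit["_source"]["device"]["id"]
        if device_id in last_seen:
            alerts.extend(format_alerts(last_seen[device_id], hit))
        last_seen[device_id] = hit  # first sighting of a device is the baseline, no alert
    return alerts


if __name__ == "__main__":
    for line in detect_new_apps([HIT_T0, HIT_OTHER, HIT_T1]):
        print(line)
```

Two points carry over to whichever Elastic mechanism you pick. First, the baseline has to persist between runs: a Watcher or Logstash pipeline sees one document at a time, so the previous snapshot must live somewhere it can read back (for example a per-device "last known apps" document in a separate index, or `previous` state in a Logstash filter), otherwise every run reports every app as new. Second, diff on `identifier`; diffing on the whole app object would fire on every version bump, and a null `apps` field should be treated as an empty list rather than an error.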