Hi @spinscale
Is there any way of comparing one ctx.payload.hits.total to another ctx.payload.hits.total,
like the current value of ctx.payload.hits.total to the last value of ctx.payload.hits.total, for a watcher?
You would need to query the corresponding watcher history index and get the last run of the watch. The history index contains a record for each watch execution that is triggered in the background. This watch execution will also contain the previous payload.
However, you could also run the same query with different range queries in a chained input and achieve the same results by then comparing the hits with each other.
--Alex
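The chained-input approach Alex describes, written out as an added example (this is not code from the thread or from Elastic's documentation). The watch body below, meant for `PUT _watcher/watch/<id>`, runs the same `match_phrase` query twice against two adjacent one-hour windows anchored on `ctx.trigger.scheduled_time`, then compares the two hit counts in a Painless script condition. Assumed, not taken from the thread: the index pattern `filebeat-*`, the timestamp field `@timestamp`, and that Watcher exposes `hits.total` as a plain integer (true for 6.x and for the 7.x Watcher payload, which keeps the pre-7.0 integer form; if your payload shows `hits.total.value`, compare that instead).

```json
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "previous": {
            "search": {
              "request": {
                "indices": [ "filebeat-*" ],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "must": {
                        "match_phrase": { "message": "Failed password for invalid user" }
                      },
                      "filter": {
                        "range": {
                          "@timestamp": {
                            "gte": "{{ctx.trigger.scheduled_time}}||-2h",
                            "lt":  "{{ctx.trigger.scheduled_time}}||-1h"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        },
        {
          "current": {
            "search": {
              "request": {
                "indices": [ "filebeat-*" ],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "must": {
                        "match_phrase": { "message": "Failed password for invalid user" }
                      },
                      "filter": {
                        "range": {
                          "@timestamp": {
                            "gte": "{{ctx.trigger.scheduled_time}}||-1h",
                            "lt":  "{{ctx.trigger.scheduled_time}}"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.current.hits.total >= 1 && ctx.payload.current.hits.total > ctx.payload.previous.hits.total"
    }
  },
  "actions": {
    "log_trend": {
      "logging": {
        "text": "Failed login attempts rose from {{ctx.payload.previous.hits.total}} (previous hour) to {{ctx.payload.current.hits.total}} (last hour)"
      }
    }
  }
}
```

Each named chain input lands under its own key in the payload, so `ctx.payload.previous.hits.total` and `ctx.payload.current.hits.total` are both available to the condition and to the action templates. Anchoring both windows on `ctx.trigger.scheduled_time` rather than `now` keeps the two ranges contiguous even when the watch executes late, and the explicit index pattern avoids the `"*"` pattern, which would also search the `.watcher-history-*` indices and count the watch's own logged alert text as a hit.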
Hi Alex,
thanks for your reply.
Below is my simple query:
```json
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "match_phrase": {
              "message": "Failed password for invalid user"
            }
          }
        },
        "indices": [
          "*"
        ]
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "gmail_account": {
      "email": {
        "profile": "standard",
        "to": [
          "testemail@gmail.com"
        ],
        "subject": "ELK Alert: Failed logging attempts Detected !",
        "body": {
          "text": "WARNING: There are {{ctx.payload.hits.total}} Failed logging attempts Detected in last 1 Hour. "
        }
      }
    },
    "my-logging-action": {
      "logging": {
        "text": "WARNING: There are {{ctx.payload.hits.total}} Failed logging attempts Detected in last 1 Hour. "
      }
    }
  }
}
```
You just pasted some snippet - please take your time to properly format this, this is super hard to read and it is pretty simple to just use markdown to format it.
What is your actual question here?