hi friends,
Currently we are alerting via email as part of a watcher, which makes false positives to a greater degree. So I was thinking of indexing all the watcher outcomes into an index and controlling them from there. I saw a bit of "painless" script on determining what needs to be put into the index etc. But the challenge for me is to "Index" all fields coming out of a requirement.
For example, my watcher logic is the aggregated count of alerts per OS, per host, per region, and I want all those 4 fields to be indexed. In a similar way another watcher will have another set of outcomes which also need to be put into the same index. How do I ensure ALL the outcomes are captured in the "painless" transform script while indexing?
So ideally looking for:
    "transform": {
        "script": "return [ '_doc' : ctx.payload.all_fields_used_in_above_search ]"
    },
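An added example (not from the original post) of a Painless transform that walks the nested terms aggregations and emits one document per OS/host/region bucket, so every field of the search outcome is written by a plain index action (`"actions": {"store_results": {"index": {"index": "watcher-results"}}}`). It assumes the aggregations are named `by_os`, `by_host` and `by_region`, nested in that order; a second watch with different outcomes reuses the same script by editing only the `levels` list, since the loop is generic over any depth of bucket nesting. The script goes into `transform.script.source` (triple-quoted in Kibana Dev Tools, or escaped onto one line in raw JSON).

```painless
// Ordered list of nested aggregations to descend and the field name each
// bucket key should be stored under. Assumed names; change per watch.
def levels = [
  ['agg': 'by_os',     'field': 'os'],
  ['agg': 'by_host',   'field': 'host'],
  ['agg': 'by_region', 'field': 'region']
];

// Every emitted document carries the watch id and execution time so that
// results from several watches can share one index and still be told apart
// (and so a later query can dedupe or trend per execution).
def base = ['watch_id': ctx.watch_id, 'execution_time': ctx.execution_time];

// Iterative depth-first walk: each frame holds the partial document built so
// far, the aggregation container to descend into, and the current depth.
def frames = [['doc': base, 'node': ctx.payload.aggregations, 'depth': 0]];
def docs = [];

while (frames.size() > 0) {
  def frame = frames.remove(frames.size() - 1);
  if (frame.depth == levels.size()) {
    // Leaf reached: all bucket keys are filled in, keep the document.
    docs.add(frame.doc);
    continue;
  }
  def level = levels[frame.depth];
  def agg = frame.node[level.agg];
  if (agg == null) {
    // Aggregation missing from the payload (e.g. renamed in the search);
    // skip rather than fail the whole watch execution.
    continue;
  }
  for (bucket in agg.buckets) {
    def doc = new HashMap(frame.doc);
    doc[level.field] = bucket.key;
    // doc_count of the innermost bucket is the final per-OS/host/region count;
    // outer levels are overwritten as we descend.
    doc['alert_count'] = bucket.doc_count;
    frames.add(['doc': doc, 'node': bucket, 'depth': frame.depth + 1]);
  }
}

// A list under '_doc' makes the index action bulk-index one document per
// entry; an empty list (no alerts in the window) indexes nothing.
return ['_doc': docs];
```

Because the index action writes exactly what the transform returns, any field added to a search's aggregations shows up in the index by adding a line to `levels`, without touching the action definition.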