How to query for running services matching a specific list of services

This is a metricbeat query question. I've got metricbeat loaded on a bunch of Windows hosts and am collecting metrics nicely. I've got the stock Windows Service dashboard working as well. We want to use the collected information to assert that a list of specific services is running on certain Windows hosts.

I know how to pass in a time window (interval) to the query, and even limit my results to a specific host or hosts matching a pattern. I also know how to get back all of the services that are currently running. However, the list of services running is long and I'm not interested in most of them. I'm looking for a way to alter the query to pass in a list of services as a filter and see if they're running or not.

Here's my current query:

GET metricbeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        {"wildcard": {"host.name": "KNEHRD*WP*" }},
        {"range": {
          "@timestamp":{"gt": "now-1m"}
        }}
        ]
    }
  },
  "size": 0,
  "aggs": {
    "all_running_services": {
      "filter": {
        "bool": {
          "must": [
            {
              "term": {
                "windows.service.state": "Running"
              }
            }
            ]
        }
      },
      "aggs": {
        "running_service_names": {
          "terms": {
            "field": "windows.service.name"
          }
        }
      }
    }
  }
}

Any pointers on how I'd alter this query to feed it a specific list of services I'm interested in checking? As for a return value from the query, I feel like a simple boolean would suffice. That is, all of the services in the list are running (true) or any of the services in the list is currently not running (false).

Thanks in advance for any insights.

Ben
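
As an added example (not Ben's code and not from the page): one way to restrict the query above to a fixed list of services and turn the result into a per-host yes/no. It builds the request body in Python by adding a `terms` query on `windows.service.name` and nesting the post's filter/terms aggregations under a `terms` aggregation on `host.name`, then reads the aggregation buckets out of a constructed sample response. The field names come from the post; the service names, host names and the sample response are assumptions for illustration, and the code assumes `windows.service.name` is a keyword field so exact names match.

```python
"""Assert that a required list of Windows services is running, per host,
from a metricbeat windows.service query result.

Added example, not from the original post.  Field names (host.name,
windows.service.name, windows.service.state) come from the post; the
service list, host names and SAMPLE_RESPONSE below are constructed data.
"""

# Hypothetical list of services that must be running on every matched host.
EXPECTED_SERVICES = ["MSSQLSERVER", "W32Time", "Spooler"]


def build_query(host_pattern, services, window="now-1m", max_hosts=200):
    """Return the _search body: the post's query plus a terms filter on the
    wanted service names, with the running-service aggregation nested under
    a per-host bucket so one host's Running document cannot mask another
    host's stopped service."""
    return {
        "query": {
            "bool": {
                "must": [
                    {"wildcard": {"host.name": host_pattern}},
                    {"range": {"@timestamp": {"gt": window}}},
                    # Only documents for the services we care about.
                    {"terms": {"windows.service.name": services}},
                ]
            }
        },
        "size": 0,
        "aggs": {
            "per_host": {
                # A terms aggregation returns 10 buckets unless size is set.
                "terms": {"field": "host.name", "size": max_hosts},
                "aggs": {
                    "running": {
                        "filter": {"term": {"windows.service.state": "Running"}},
                        "aggs": {
                            "running_service_names": {
                                "terms": {
                                    "field": "windows.service.name",
                                    "size": len(services),
                                }
                            }
                        },
                    }
                },
            }
        },
    }


def missing_services(response, services):
    """Map each host bucket to the expected services not seen as Running."""
    result = {}
    for host in response["aggregations"]["per_host"]["buckets"]:
        seen = {b["key"] for b in host["running"]["running_service_names"]["buckets"]}
        result[host["key"]] = [s for s in services if s not in seen]
    return result


def all_running(response, services, expected_hosts):
    """True only if every expected host reported every service as Running.
    A host absent from the buckets sent no documents in the window and is
    treated as failing, not as silently passing."""
    missing = missing_services(response, services)
    return all(not missing.get(host, services) for host in expected_hosts)


# Constructed sample response (not real metricbeat output): host 01 reports
# all three services Running, host 02 reports Spooler as not Running.
SAMPLE_RESPONSE = {
    "aggregations": {
        "per_host": {
            "buckets": [
                {
                    "key": "KNEHRD01WP01",
                    "doc_count": 3,
                    "running": {
                        "doc_count": 3,
                        "running_service_names": {
                            "buckets": [
                                {"key": "MSSQLSERVER", "doc_count": 1},
                                {"key": "W32Time", "doc_count": 1},
                                {"key": "Spooler", "doc_count": 1},
                            ]
                        },
                    },
                },
                {
                    "key": "KNEHRD02WP01",
                    "doc_count": 3,
                    "running": {
                        "doc_count": 2,
                        "running_service_names": {
                            "buckets": [
                                {"key": "MSSQLSERVER", "doc_count": 1},
                                {"key": "W32Time", "doc_count": 1},
                            ]
                        },
                    },
                },
            ]
        }
    }
}


if __name__ == "__main__":
    print(missing_services(SAMPLE_RESPONSE, EXPECTED_SERVICES))
    print(all_running(SAMPLE_RESPONSE, EXPECTED_SERVICES,
                      ["KNEHRD01WP01", "KNEHRD02WP01"]))
```

Send the dict from `build_query("KNEHRD*WP*", EXPECTED_SERVICES)` as the body of the same `GET metricbeat-*/_search` request and feed the JSON reply to `all_running` with the list of hosts you expect to see. Two caveats worth keeping in mind: the original query's `running_service_names` terms aggregation omits `size`, so it only ever returns the ten most frequent service names, which is why the example sets it explicitly; and a service that has stopped still produces documents (with a non-Running state), whereas a host that has stopped shipping metrics produces none, so "absent from the Running bucket" has to be checked per host rather than across all hosts at once.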
