How to save "total hits" results from a query, in a field

Andex · February 21, 2024, 4:06pm

Hi, i 'm trying to using Logstash to send email.
I configure the input pipeline filter witha a query, i need to find all the document that contain ERROR in the message.

I do that.
in the output i want to user the total hits value that is contained in the query results, to create a condition : if "total_hits > 10" -> send me the email.

This is the pipeline :

  input {
      elasticsearch {
        hosts => ["https://***********:9200"]
              index => "tibcolog-gpf-*"
              query => '{"query": {"bool": {"filter": [{"bool": {"should": [{"match_phrase": {"logger_type": "ERROR"}}]}},{"range": {"@timestamp": {"format": "strict_date_optional_time","gte": "now-15m","lte": "now"}}}]}}}'
              ssl => true
              ssl_certificate_verification => false
              user => "logstash_writer"
              password => "**********"
              schedule => "*/15 * * * *"
        }
  }

  output {
    if [hits][total] > 10 {
        email {
        to => "********"
        address => "********"
        authentication => "plain"
        subject => "TEST ERROR"
        body => "Il Log in errore è:%{message}"
        port => "25"
        }
        }
    }

My pipeline is on Kubernetes, it is running but it crash (restarting) when the query start .

is i remove the IF condition in the ooutput, it work good.
Somone can tell me how to use the hits for my case??

Thanks

Badger · February 21, 2024, 5:40pm

Does the field exist? See this thread.

Andex · February 22, 2024, 8:20am

No, the field (total hits) does not exist. i thought too that could be the error. But how i can save the total hits to a new field?

I can use a mutate filter with add_field but how can i populate it?
i hoped that there was a way to use the number of total_hits of the query output

Badger · February 22, 2024, 8:26am

I have no idea. If the elasticsearch query does not populate that field that I cannot say how you could create it from the event that the elasticsearch input creates.

system · March 21, 2024, 8:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.