How to set up alerts triggered by an unknown factor?

Hello experts,

I would like to set up an alert that follows a logic like:

Trigger when: text:"ErrorCode: 1036", IP count > 5, now-1h, where the IP is an unknown constant.

I end up in a situation where I always need to specify the IP in advance or manually review a dashboard to get the information that I want, rather than having it as an automated watcher alert.

Is it possible to modify the following watcher alert, set up for a known, specified IP, to trigger for count > 5 for an unknown IP?

Ex.
//
"input": {
  "search": {
    "request": {
      "body": {
        "query": {
          "bool": {
            "must": [
              {
                "query_string": {
                  "query": "application_name: \"auth\" AND level: \"ERROR\" AND text: \"ErrorCode: 1036\"",
                  "analyze_wildcard": true,
                  "default_field": "*"
                }
              },
              {
                "match_phrase": {
                  "remote_address": {
                    "query": "185.188.92.1"
                  }
                }
              },
              {
                "range": {
                  "@timestamp": {
                    "gte": "now-1h",
                    "lte": "now"
                  }
                }
              }
            ]
          }
        }
      }
    }
  }
},
"condition": {
  "compare": {
    "ctx.payload.hits.total": {
      "gte": 5
    }
  }
},
//
Thanks in advance for any help on this!

Try using an aggregation that aggregates on the IP, so that you can see if there is a bucket with a document count > 5. If there are one or more IP addresses with a count greater than five, you will see it.

Hi Alexander,

Thank you for your input.

If I understand you correctly and translate this into the alert format, I get something like this:

//
"input": {
  "search": {
    "request": {
      "search_type": "query_then_fetch",
      "indices": [
        ":egencialogs-"
      ],
      "types": [],
      "body": {
        "query": {
          "bool": {
            "must": [
              {
                "query_string": {
                  "query": "application_name:\"auth\" AND level:\"ERROR\" AND text:\"ErrorCode: 1036\" AND text:\"ErrorMessage\"",
                  "analyze_wildcard": true,
                  "default_field": "*"
                }
              },
              {
                "range": {
                  "@timestamp": {
                    "gte": "now-1h",
                    "lte": "now"
                  }
                }
              }
            ]
          }
        },
        "aggs": {
          "ip_count": {
            "terms": {
              "field": "remote_address"
            }
          }
        }
      }
    }
  }
},
"condition": {
  "compare": {
    "ctx.payload.aggregations.ip_count.buckets.0.doc_count": {
      "gte": 5
    }
  }
},
//

My simulation works without errors, but did not trigger (yet, if done correctly as intended).

I am not entirely sure about my condition:

"ctx.payload.aggregations.ip_count.buckets.0.doc_count": {
  "gte": 5
}

  • Is this how it should be written?

Tobias

You can use the Execute Watch API to configure an alternative input; that should make your condition trigger, so you can check if everything is working.
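As an added example that is not part of the thread, the following Python builds a complete watch for the "unknown IP" case Alexander describes (terms aggregation on the IP field, with the threshold enforced both by `min_doc_count` and by an `array_compare` condition) and the request body for the Execute Watch API with `alternative_input`, which is what he suggests for forcing the condition during testing. `array_compare` with quantifier `some` fires if any bucket reaches the threshold, so it does not depend on the `buckets.0` position or on at least one bucket existing. It is assumed here that the IP lives in `remote_address` mapped as `keyword` or `ip` (a terms aggregation cannot run on a `text` field; use `remote_address.keyword` in that case); the index pattern, watch id, interval and action are placeholders. The `_watcher/watch/<id>` and `_watcher/watch/<id>/_execute` endpoints are the 7.x names; on 6.x they are under `_xpack/watcher`. The sample aggregation payload is constructed, not real log data.

```python
import json

# Assumptions (not from the thread): the client IP is in remote_address,
# mapped as keyword or ip. On a text field use remote_address.keyword.
IP_FIELD = "remote_address"
THRESHOLD = 5
BUCKETS = "ctx.payload.aggregations.ip_count.buckets"


def build_watch(indices=("auth-logs-*",), ip_field=IP_FIELD, threshold=THRESHOLD):
    """Body for PUT _watcher/watch/<id>: fire when any single IP produced
    >= threshold 'ErrorCode: 1036' errors in the last hour, IP unknown upfront."""
    return {
        "trigger": {"schedule": {"interval": "10m"}},  # placeholder schedule
        "input": {"search": {"request": {
            "indices": list(indices),  # placeholder index pattern
            "body": {
                "size": 0,  # only the aggregation is needed, not the hits
                "query": {"bool": {"filter": [
                    {"query_string": {
                        "query": 'application_name:"auth" AND level:"ERROR" '
                                 'AND text:"ErrorCode: 1036"',
                        "default_field": "*",
                    }},
                    {"range": {"@timestamp": {"gte": "now-1h", "lte": "now"}}},
                ]}},
                "aggs": {"ip_count": {"terms": {
                    "field": ip_field,
                    "size": 100,
                    "min_doc_count": threshold,  # ES returns only IPs at/above threshold
                }}},
            },
        }}},
        # array_compare checks every bucket; "some" = at least one must match.
        "condition": {"array_compare": {BUCKETS: {
            "path": "doc_count",
            "gte": {"value": threshold, "quantifier": "some"},
        }}},
        # Mustache section iterates the buckets, so the offending IPs end up in the message.
        "actions": {"log_offenders": {"logging": {"text": (
            "ErrorCode 1036 >= %d times in 1h from: " % threshold
            + "{{#ctx.payload.aggregations.ip_count.buckets}}{{key}} ({{doc_count}}) "
              "{{/ctx.payload.aggregations.ip_count.buckets}}"
        )}}},
    }


def buckets_of(payload):
    return payload.get("aggregations", {}).get("ip_count", {}).get("buckets", [])


def condition_met(payload, threshold=THRESHOLD):
    """Offline re-implementation of the array_compare / gte / "some" check,
    so the decision can be tested without a cluster. An empty bucket list
    (no IP reached min_doc_count) must not fire."""
    return any(b["doc_count"] >= threshold for b in buckets_of(payload))


def offending_ips(payload, threshold=THRESHOLD):
    """IPs the action reports, in the order ES returns them
    (terms buckets are sorted by doc_count descending by default)."""
    return {b["key"]: b["doc_count"] for b in buckets_of(payload)
            if b["doc_count"] >= threshold}


def build_execute_request(payload, record_execution=False):
    """Body for POST _watcher/watch/<id>/_execute: alternative_input replaces
    the search result, which forces the condition path you want to exercise."""
    return {"alternative_input": payload, "record_execution": record_execution}


# Constructed sample of what the search input returns; not real log data.
# With min_doc_count=5 ES would not return the second bucket; it is kept so
# the local check is exercised on a mixed list (alternative_input is whatever you send).
SAMPLE_PAYLOAD = {"aggregations": {"ip_count": {"buckets": [
    {"key": "203.0.113.7", "doc_count": 7},
    {"key": "198.51.100.2", "doc_count": 3},
]}}}

if __name__ == "__main__":
    print(json.dumps(build_watch(), indent=2))
    print(json.dumps(build_execute_request(SAMPLE_PAYLOAD), indent=2))
    print("fires:", condition_met(SAMPLE_PAYLOAD), offending_ips(SAMPLE_PAYLOAD))
```

Running the script prints the watch body to PUT and the `_execute` body to POST; with `record_execution` left false the forced run is not written to the watch history. Keep `min_doc_count` and the condition threshold the same value so a bucket that is returned is always one that should alert.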
