Hello everyone,
I am by no means an expert, but I am trying my best to create a Watcher alert that checks incoming logs against a list of expected hosts and reports when no logs are found for one of them. I keep getting errors with this watcher alert.
Thanks for any help.
{
"trigger": {
"schedule": {
"interval": "5m" // Runs every 5 minutes for testing purposes. Note: this and the other two "//" comments are not valid JSON; strip them before sending the body to the Watcher API, otherwise the request is rejected with a parse error.
}
},
"input": {
"search": {
"request": {
"indices": [
"your-log-index-pattern-*"
],
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-5m/m",
"lte": "now/m"
}
}
},
{
"terms": {
"observer.name": [
"hostname1",
"hostname2",
"hostname3",
"hostname4",
"hostname5" // Add your full list of hostnames here; keep it identical to the expectedHosts list in the condition script, since a host present in one list but not the other is silently skipped or always reported missing.
]
}
}
]
}
},
"aggs": {
"unique_hosts": {
"terms": {
"field": "observer.name",
"size": 100 // Ensure the size fits the number of hosts you're checking
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "def expectedHosts = ['hostname1', 'hostname2', 'hostname3', 'hostname4', 'hostname5']; def observedHosts = []; for (def bucket : ctx.payload.aggregations.unique_hosts.buckets) { observedHosts.add(bucket.key); } def missingHosts = []; for (def host : expectedHosts) { if (!observedHosts.contains(host)) { missingHosts.add(host); } } ctx.vars.missingHosts = missingHosts; return missingHosts.size() > 0;"
}
},
"actions": {
"logging_action": {
"logging": {
"text": "Watcher triggered: Missing logs for the following hosts in the last 5 minutes: {{#ctx.vars.missingHosts}}{{.}}, {{/ctx.vars.missingHosts}}"
}
}
}
}