Kibana Watcher Alerts

Elastic Stack Kibana
1

Hello everyone,

I am by no means an expert but i am trying my best to create a Watcher alert that checks for logs against an array list and reports when there is no logs identified. I keep getting errors with this watcher alert

Thanks for any help[quote="Eloy_vasquez, post:1, topic:366688, full:true"]
Hello everyone,

I am by no means an expert but i am trying my best to create a Watcher alert that checks for logs against an array list and reports when there is no logs identified. I keep getting errors with this watcher alert

Thanks for any help
[/quote]

{
  "trigger": {
    "schedule": {
      "interval": "5m"  // Runs every 5 minutes for testing purposes
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "your-log-index-pattern-*"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m/m",
                      "lte": "now/m"
                    }
                  }
                },
                {
                  "terms": {
                    "observer.name": [
                      "hostname1",
                      "hostname2",
                      "hostname3",
                      "hostname4",
                      "hostname5"  // Add your full list of hostnames
                    ]
                  }
                }
              ]
            }
          },
          "aggs": {
            "unique_hosts": {
              "terms": {
                "field": "observer.name",
                "size": 100  // Ensure the size fits the number of hosts you're checking
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "def expectedHosts = ['hostname1', 'hostname2', 'hostname3', 'hostname4', 'hostname5']; def observedHosts = []; for (def bucket : ctx.payload.aggregations.unique_hosts.buckets) { observedHosts.add(bucket.key); } def missingHosts = []; for (def host : expectedHosts) { if (!observedHosts.contains(host)) { missingHosts.add(host); } } ctx.vars.missingHosts = missingHosts; return missingHosts.size() > 0;"
    }
  },
  "actions": {
    "logging_action": {
      "logging": {
        "text": "Watcher triggered: Missing logs for the following hosts in the last 5 minutes: {{#ctx.vars.missingHosts}}{{.}}, {{/ctx.vars.missingHosts}}"
      }
    }
  }
}