More Than one Aggregate in Watcher?

How do I create a sub-aggregation in Watcher? I want to alert when a user is added to a security-enabled group; for this I query:

                         "term": {
                            "EventID": "EventID:4728 OR EventID:4732 OR EventID:4756"
                          }

I then want to break down each event ID by group, which arrives in the field 'TargetUserName', and then break each of those down by username, which arrives in the field 'SubjectUserName'. I am trying to do this with the following:

"aggs": {
            "Group": {
                  "terms": {
                    "field": "TargetUserName.keyword"
              }
            },
            "User": {
                  "terms": {
                    "field": "SubjectUserName.keyword"
                    }
            }
}

Finally, I am trying to send an email alert that states the user and the group they were added to, using the following JSON:

"actions": {
    "email_admin": {
      "throttle_period_in_millis": 50000,
      "email": {
        "profile": "standard",
        "to": [
          "MyNameIS@MyCompany.com"
        ],
        "subject": "Warning: User Added to Security Enabled Group",
        "body": {
          "text": "The user: {{#ctx.payload.aggregations.User.buckets}}{{key}}{{/ctx.payload.aggregations.User.buckets}} was added to the security enabled group:{{ctx.payload.aggregations.Group.hits.total}}."
        }
      }
    }
  }

Cheers,

G

Here is my execute API output:

   {
  "_id": "UserAddedtoGroup_1541c4c8-d4d5-45c7-8bb9-852336e0fc2c-2018-01-17T15:02:41.504Z",
  "watch_record": {
    "watch_id": "UserAddedtoGroup",
    "node": "uy-aQe2PT12NAjCj-B7QKQ",
    "state": "failed",
    "status": {
      "state": {
        "active": true,
        "timestamp": "2018-01-17T15:02:33.402Z"
      },
      "actions": {
        "email_admin": {
          "ack": {
            "timestamp": "2018-01-17T15:02:33.402Z",
            "state": "awaits_successful_execution"
          }
        }
      },
      "execution_state": "failed",
      "version": 26
    },
    "trigger_event": {
      "type": "manual",
      "triggered_time": "2018-01-17T15:02:41.504Z",
      "manual": {
        "schedule": {
          "scheduled_time": "2018-01-17T15:02:41.504Z"
        }
      }
    },
    "input": {
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "*"
          ],
          "types": [],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1m",
                        "lte": "now"
                      }
                    }
                  },
                  {
                    "term": {
                      "EventID": "EventID:4728 OR EventID:4732 OR EventID:4756"
                    }
                  }
                ]
              }
            },
            "aggs": {
              "Group": {
                "terms": {
                  "field": "TargetUserName.keyword"
                }
              },
              "User": {
                "terms": {
                  "field": "SubjectUserName.keyword"
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.aggregations.User.buckets.0.doc_count": {
          "gte": 1
        }
      }
    },
    "metadata": {
      "name": "User Added to Security Enabled Group",
      "xpack": {
        "type": "json"
      }
    },
    "result": {
      "execution_time": "2018-01-17T15:02:41.504Z",
      "execution_duration": 54,
      "input": {
        "type": "search",
        "status": "success",
        "payload": {
          "_shards": {
            "total": 128,
            "failures": [
              {
                "node": "uy-aQe2PT12NAjCj-B7QKQ",
                "reason": {
                  "reason": """
failed to create query: {
  "bool" : {
    "filter" : [
      {
        "range" : {
          "@timestamp" : {
            "from" : "now-1m",
            "to" : "now",
            "include_lower" : true,
            "include_upper" : true,
            "boost" : 1.0
          }
        }
      },
      {
        "term" : {
          "EventID" : {
            "value" : "EventID:4728 OR EventID:4732 OR EventID:4756",
            "boost" : 1.0
          }
        }
      }
    ],
    "adjust_pure_negative" : true,
    "boost" : 1.0
  }
}
""",
                  "index_uuid": "2krqg0S4RYGgKIhxdWOXfA",
                  "caused_by": {
                    "reason": """For input string: "EventID:4728 OR EventID:4732 OR EventID:4756"""",
                    "type": "number_format_exception"
                  },
                  "index": "{[@metadata][beat]}-2018.01.17",
                  "type": "query_shard_exception"
                },
                "index": "{[@metadata][beat]}-2018.01.17",
                "shard": 0
              }
            ],
            "failed": 5,
            "successful": 123,
            "skipped": 0
          },
          "hits": {
            "hits": [],
            "total": 0,
            "max_score": 0
          },
          "took": 53,
          "timed_out": false,
          "aggregations": {
            "Group": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "User": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            }
          }
        },
        "search": {
          "request": {
            "search_type": "query_then_fetch",
            "indices": [
              "*"
            ],
            "types": [],
            "body": {
              "size": 0,
              "query": {
                "bool": {
                  "filter": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-1m",
                          "lte": "now"
                        }
                      }
                    },
                    {
                      "term": {
                        "EventID": "EventID:4728 OR EventID:4732 OR EventID:4756"
                      }
                    }
                  ]
                }
              },
              "aggs": {
                "Group": {
                  "terms": {
                    "field": "TargetUserName.keyword"
                  }
                },
                "User": {
                  "terms": {
                    "field": "SubjectUserName.keyword"
                  }
                }
              }
            }
          }
        }
      },
      "actions": []
    },
    "exception": {
      "type": "index_out_of_bounds_exception",
      "reason": "Index: 0, Size: 0"
    }
  }
}
