Hi,
I'm working on watcher and in the input section I'm writing the below query -
"input": {
  "search": {
    "request": {
      "search_type": "query_then_fetch",
      "indices": [
        "filebeat*"
      ],
      "types": [],
      "body": {
        "query": {
          "bool": {
            "must_not": [
              {
                "query_string": {
                  "default_field": "ipaddress",
                  "query": "10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost"
                }
              }
            ],
            "filter": {
              "range": {
                "@timestamp": {
                  "gte": "now-1d"
                }
              }
            }
          }
        }
      }
    }
  }
},
Here I want an alert to be triggered when a value other than these values (10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost) is recorded in the ipaddress field.
But it is not working accordingly!! The watcher is getting triggered when the given IPs (10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost) are recorded in the ipaddress field, which is not expected.
Can you please help?
My complete watcher -
{
  "trigger": {
    "schedule": {
      "interval": "1d"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must_not": [
                {
                  "query_string": {
                    "default_field": "ipaddress",
                    "query": "10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1d"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "WARNING"
      }
    },
    "send_email": {
      "email": {
        "profile": "standard",
        "priority": "high",
        "to": [
          "karan@ler.com"
        ],
        "subject": "Database received",
        "body": {
          "text": "WARNING"
        }
      }
    }
  }
}
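As an added example, not from the post above and not Elastic's own code: a small Python model of what the watcher's search input returns over a handful of constructed documents. It expresses the allowlist as a `terms` clause (this assumes `ipaddress` is an exact-match keyword field, which the post does not state) and illustrates a check worth making on any must_not-based allowlist watcher: a document that has no `ipaddress` field at all is not excluded by `must_not`, so it is returned and satisfies the `hits.total > 0` condition unless an `exists` clause is added. The function names (`build_query`, `doc_matches`, `run_watch`) and the sample documents are constructed for this example.

```python
"""Local simulation of an IP-allowlist watcher input (added example, not from the post)."""
from datetime import datetime, timedelta, timezone

# Allowlist copied from the post; any other value in `ipaddress` should alert.
ALLOWLIST = {"10.6.0.10", "10.6.0.12", "10.6.0.15", "10.6.0.3", "10.6.10.10", "localhost"}


def build_query(allowlist, require_field=True):
    """Build the bool query for the watcher's search input.

    `terms` matches the whole field value exactly (assumption: `ipaddress` is
    mapped as keyword, or an `ipaddress.keyword` sub-field would be used).
    With require_field=True an `exists` clause is added so documents that lack
    the `ipaddress` field entirely cannot satisfy the query.
    """
    query = {
        "bool": {
            "must_not": [{"terms": {"ipaddress": sorted(allowlist)}}],
            "filter": [{"range": {"@timestamp": {"gte": "now-1d"}}}],
        }
    }
    if require_field:
        query["bool"]["must"] = [{"exists": {"field": "ipaddress"}}]
    return query


def doc_matches(doc, query, now):
    """Evaluate the small subset of the query DSL that build_query emits against one document."""
    clauses = query["bool"]
    # filter: keep only documents inside the lookback window (only "now-1d" is modelled here)
    for clause in clauses.get("filter", []):
        lower = clause["range"]["@timestamp"]["gte"]
        if lower != "now-1d":
            raise ValueError("this simulation only understands gte: now-1d")
        if doc["@timestamp"] < now - timedelta(days=1):
            return False
    # must: the field has to be present in the document
    for clause in clauses.get("must", []):
        if clause["exists"]["field"] not in doc:
            return False
    # must_not: a document whose value is on the allowlist is excluded;
    # a document without the field is NOT excluded by this clause alone
    for clause in clauses.get("must_not", []):
        field, values = next(iter(clause["terms"].items()))
        if doc.get(field) in values:
            return False
    return True


def run_watch(docs, allowlist, now, require_field=True):
    """Return (ids the search would return, whether the hits.total > 0 condition fires)."""
    query = build_query(allowlist, require_field)
    hits = [d["_id"] for d in docs if doc_matches(d, query, now)]
    return hits, len(hits) > 0


# Constructed sample documents standing in for filebeat* hits.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"_id": "allowed", "ipaddress": "10.6.0.10", "@timestamp": NOW - timedelta(hours=1)},
    {"_id": "unknown", "ipaddress": "192.0.2.44", "@timestamp": NOW - timedelta(hours=2)},
    {"_id": "stale", "ipaddress": "198.51.100.7", "@timestamp": NOW - timedelta(days=3)},
    {"_id": "nofield", "@timestamp": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    print("with exists clause:   ", run_watch(SAMPLE_DOCS, ALLOWLIST, NOW))
    print("must_not/filter only: ", run_watch(SAMPLE_DOCS, ALLOWLIST, NOW, require_field=False))
```

Running it shows the difference the `exists` clause makes: with it, only the document carrying an unlisted address is returned; without it, the document that has no `ipaddress` field is returned as well and fires the condition, so a watcher whose source events sometimes omit the field will alert on those events rather than on unexpected addresses.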