Hi,
I have the following watch:
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-network-*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match_phrase": {
"message": "%SEC_LOGIN-SW1-4-LOGIN_FAILED"
}
}
],
"must_not": [
{
"query_string": {
"default_field": "host.keyword",
"query": "(127.0.0.1) OR (172.16.123.123) OR (192.168.1.100)"
}
},
{
"query_string": {
"default_field": "user.keyword",
"query": "kiwi"
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-10m"
}
}
}
]
}
},
"aggs": {
"user": {
"terms": {
"field": "user.keyword",
"size": 10
},
"aggs": {
"series": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "1m",
"min_doc_count": 3
}
}
}
}
}
}
}
}
},
"condition" : {
"array_compare": {
"ctx.payload.aggregations.user.0.series.buckets" : {
"path": "doc_count",
"gte": {
"value": 1
}
}
}
}
}
Which produces the following output:
"aggregations" : {
"user" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "testuser",
"doc_count" : 3,
"series" : {
"buckets" : [
{
"key_as_string" : "2021-01-04T07:51:00.000Z",
"key" : 1609746660000,
"doc_count" : 1
},
{
"key_as_string" : "2021-01-04T07:52:00.000Z",
"key" : 1609746720000,
"doc_count" : 2
}
]
}
}
I want to be able to create an alert if a user generates 3 failed-login events within 1 minute. That is, I want to check whether the `doc_count` of any bucket in the nested "series" aggregation is 3 or higher. I've tried it with the "array_compare" condition, but that does not seem to take nested aggregations into account.
Could anyone help out?