Dears,
Greetings, I am new to the ELK stack and am trying to create a watcher on my laptop. The email configuration is set in the elasticsearch.yml file, but I don't receive any emails.
Secondly, I am a bit confused about the transform in a watcher.
Do I need to apply a transform in this watcher? If yes, how can I apply it, and on which fields?
Task: ELK works as an anti-spam filter, and my task is for the watcher to trigger an email if the sender is not from a given country (e.g. Germany) and the sender's domain is not ".com".
Please find my watcher below.
code block
{
"trigger": {
"schedule": {
"interval": "3m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-cloudmark-"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must_not": [
{
"match": {
"geoip.country_name": "Germany"
}
},
{
"wildcard": {
"sender": {
"value": ".com"
}
}
},
{
"range": {
"@timestamp": {
"gte": "now-10m",
"lte": "now",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.spam_sender.buckets.0.doc_count": {
"gte": 4
}
}
},
"actions": {
"email_admin": {
"email": {
"profile": "standard",
"to": [
"abc@xyz.com"
],
"subject": "email notification",
"body": {
"text": "{{ctx.payload.aggregations.spam_sender.buckets.0.doc_count}} email"
}
}
}
}
}
Watcher output:
... #code block
{
"watch_id": "inlined",
"node": "9jgRfxrkQeOLrDanG-wLvg",
"state": "execution_not_needed",
"user": "muhammadqureshi",
"status": {
"state": {
"active": true,
"timestamp": "2019-10-26T09:54:22.302Z"
},
"last_checked": "2019-10-26T09:54:22.302Z",
"actions": {
"email_admin": {
"ack": {
"timestamp": "2019-10-26T09:54:22.302Z",
"state": "awaits_successful_execution"
}
}
},
"execution_state": "execution_not_needed",
"version": -1
},
"trigger_event": {
"type": "manual",
"triggered_time": "2019-10-26T09:54:22.302Z",
"manual": {
"schedule": {
"scheduled_time": "2019-10-26T09:54:22.302Z"
}
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-cloudmark-"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must_not": [
{
"match": {
"geoip.country_name": "United Arab Emirates"
}
},
{
"wildcard": {
"sender": {
"value": ".ae"
}
}
},
{
"range": {
"@timestamp": {
"gte": "now-10m",
"lte": "now",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.spam_sender.buckets.0.doc_count": {
"gte": 4
}
}
},
"metadata": {
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2019-10-26T09:54:22.302Z",
"execution_duration": 6,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 31,
"failed": 0,
"successful": 31,
"skipped": 0
},
"hits": {
"hits": ,
"total": 10000,
"max_score": null
},
"took": 6,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-cloudmark-"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must_not": [
{
"match": {
"geoip.country_name": "United Arab Emirates"
}
},
{
"wildcard": {
"sender": {
"value": ".ae"
}
}
},
{
"range": {
"@timestamp": {
"gte": "now-10m",
"lte": "now",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
]
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": false,
"compare": {
"resolved_values": {
"ctx.payload.aggregations.spam_sender.buckets.0.doc_count": null
}
}
},
"actions":
},
"messages":
}