Pulling aggregations for use in watchers

Hi all

In the example below, I have added a terms aggregation to pull out the referer so I can use it in my watcher action. I can pull each referer individually with the following expression within the watcher's actions: `'referer': e.per_15m.buckets[0].referer_names.buckets.0.key`. But how do I pull ALL referers without having to repeat that expression once per bucket index, i.e. `'referer1': e.per_15m.buckets[0].referer_names.buckets.0.key, 'referer2': e.per_15m.buckets[0].referer_names.buckets.1.key`?

I have read the thread linked below and tried its approach, but it does not seem to work for me. Any ideas would be greatly appreciated.

How to put the value of {{ctx.payload.aggregations.bucketAgg.buckets.key}} into Watcher body - Elastic Stack / Elasticsearch - Discuss the Elastic Stack

{
  "trigger": {
    "schedule": {
      "hourly": {
        "minute": [
          0
        ]
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "kibana_sample_data_logs"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "match_phrase": {
                    "event.dataset": "sample_web_logs"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "2021-09-12T05:00:00.000Z",
                      "lte": "2021-09-12T09:00:00.000Z",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          },
          "aggs": {
            "geo_dest": {
              "terms": {
                "field": "geo.dest",
                "size": 100
              },
              "aggs": {
                "per_15m": {
                  "date_histogram": {
                    "field": "@timestamp",
                    "fixed_interval": "15m"
                  },
                  "aggs": {
                    "referer_count": {
                      "cardinality": {
                        "field": "referer"
                      }
                    },
                    "card": {
                      "cumulative_cardinality": {
                        "buckets_path": "referer_count"
                      }
                    },
                    "referer_count_bucket_filter": {
                      "bucket_selector": {
                        "buckets_path": {
                          "Referers": "referer_count",
                          "Cards": "card"
                        },
                        "script": "params.Referers > 1"
                      }
                    },
                    "referer_names": {
                      "terms": {
                        "field": "referer",
                        "size": 100
                      }
                    }
                  }
                },
                "bucket_existing_bucket_filter": {
                  "bucket_selector": {
                    "buckets_path": {
                      "count": "per_15m._bucket_count"
                    },
                    "script": "params.count>0"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.geo_dest.buckets.stream().count() > 0",
      "lang": "painless"
    }
  },
  "actions": {
    "index_payload": {
      "transform": {
        "script": {
          "source": """
            // Define metadata to bring into alert
            def triggered_time = ctx.trigger.triggered_time; 
            def severity =  ctx.metadata.severity; 
            def drilldown =  ctx.metadata.drilldown; 
            def alert_name = ctx.metadata.name;
            
          // Document Structure To Output
            return ['_doc':ctx.payload.aggregations.geo_dest.buckets.stream().map(e -> { return['@timestamp':triggered_time,'UUID': java.util.UUID.randomUUID().toString(), 'geo.dest':e.key,'alert.name':alert_name,'alert.severity':severity,'referer': e.per_15m.buckets[0].referer_names.buckets.0.key,'alert.drilldown': drilldown]}).collect(Collectors.toList())];
           """,
          "lang": "painless"
        }
      },
      "index": {
        "index": "alerts"
      }
    }
  },
  "metadata": {
    "severity": "S1",
    "drilldown": "add later"
  }
}


