Reference Set

gunlomboy · November 8, 2022, 1:43am

Hi,

We are using elasticsearch for alerting. Hosts are created and destroyed all the time for development purposes, but we have a core of devices which are tightly controlled. This list of devices is 100+ and are spread across various environments. We would like to alert when a specific event happens on one of these devices.

Does elasticsearch have anything similar to reference sets?

We need to be able to maintain a list of devices (the reference set), then use that in our alerting rule. Eg, if X happens on a device and the hostname is in this reference set

Many thanks.

warkolm · November 9, 2022, 1:17am

The closest I can think of is Watcher chain input | Elasticsearch Guide [8.5] | Elastic, where you could load the data from the reference index and then iterate over that for your alerts.

Maybe someone else can suggest something else though

gunlomboy · November 9, 2022, 1:31am

Thanks @warkolm

Not exactly what I'm looking for, but I could probably do something with it.

warkolm · November 9, 2022, 2:57am

Yeah I get your point

Another option might be to do this;

store your critical hosts in a new index
enrich your event using an ingest pipeline
tag these critical hosts with something
then use that for alerting

Topic		Replies	Views
Is there anything similar to a Reference Set in Elasticsearch Elasticsearch	1	444	May 23, 2020
How to create watcher email alert on a specific machine in lan? Elasticsearch elastic-stack-alerting	4	582	October 29, 2018
Writing watcher alerts back to elastic Elasticsearch	2	580	October 18, 2017
Interesting Use Case - Down Stream Alerting Elastic Observability elastic-stack-alerting	1	382	November 4, 2022
Alerting Elasticsearch elastic-stack-alerting	3	764	March 8, 2018

Reference Set

Related topics