Reference Set

gunlomboy · November 8, 2022, 1:43am

Hi,

We are using elasticsearch for alerting. Hosts are created and destroyed all the time for development purposes, but we have a core of devices which are tightly controlled. This list of devices is 100+ and are spread across various environments. We would like to alert when a specific event happens on one of these devices.

Does elasticsearch have anything similar to reference sets?

We need to be able to maintain a list of devices (the reference set), then use that in our alerting rule. Eg, if X happens on a device and the hostname is in this reference set

Many thanks.

warkolm · November 9, 2022, 1:17am

The closest I can think of is Watcher chain input | Elasticsearch Guide [8.5] | Elastic, where you could load the data from the reference index and then iterate over that for your alerts.

Maybe someone else can suggest something else though

gunlomboy · November 9, 2022, 1:31am

Thanks @warkolm

Not exactly what I'm looking for, but I could probably do something with it.

warkolm · November 9, 2022, 2:57am

Yeah I get your point

Another option might be to do this;

store your critical hosts in a new index
enrich your event using an ingest pipeline
tag these critical hosts with something
then use that for alerting

system · December 7, 2022, 2:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.