Search logs entered in previous 15 minutes

alerting

#1

I am new to Elasticsearch/Kibana.
I am trying to create a watcher which searches for "The system here is crashed" in logs entered in the previous 15 minutes.
I have created the following JSON to the best of my knowledge:
```json
{
  "trigger": {
    "schedule": {
      "interval": "10m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "The system here is crashed"
                  }
                },
                {
                  "range": {
                    "msgSubmissionTime": {
                      "gte": "now-15m"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "message"
          ],
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "myemailid@mydomain.com"
        ],
        "subject": "Hello World",
        "body": {
          "text": "{{ctx.payload.hits.total}} error logs found containing The system here is crashed"
        }
      }
    }
  }
}
```
But it does not seem to work, as it is showing 0 error logs found in simulation.
I am using msgSubmissionTime to search in logs entered in the previous 15 minutes.
Am I not using range correctly, or is there some other mistake?
There may be a very basic mistake, as I am new to this.
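An added example, not code from the thread or from Elastic: a small Python check over a watch definition that flags the points a reviewer would look at before reading the execute-watch output. It reads a constructed copy of the watch above (trimmed to the parts the checks use) and reports the range/sort field mismatch, the always-true `gte: 0` condition, the 15-minute window on a 10-minute interval, and the `*` index pattern. The duration parser only handles the `s`/`m`/`h`/`d` units and the `now-N` form; anything else is rejected.

```python
import re

# Constructed copy of the watch posted above, reduced to the parts these checks read.
WATCH = {
    "trigger": {"schedule": {"interval": "10m"}},
    "input": {"search": {"request": {
        "indices": ["*"],
        "body": {
            "query": {"bool": {"must": [
                {"query_string": {"query": "The system here is crashed"}},
                {"range": {"msgSubmissionTime": {"gte": "now-15m"}}},
            ]}},
            "sort": [{"@timestamp": {"order": "desc"}}],
        },
    }}},
    "condition": {"compare": {"ctx.payload.hits.total": {"gte": 0}}},
}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value: str) -> int:
    # Convert a simple date-math offset such as '10m' or 'now-15m' to seconds.
    m = re.fullmatch(r"(?:now-)?(\d+)([smhd])", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    return int(m.group(1)) * UNITS[m.group(2)]


def lint_watch(watch: dict) -> list[str]:
    """Return findings for common mistakes in a search-input watch definition."""
    findings = []
    request = watch["input"]["search"]["request"]
    body = request["body"]
    must = body["query"].get("bool", {}).get("must", [])
    # Range field vs. sort field: a mismatch often means the range is not on the event time field.
    range_fields = {f for c in must if "range" in c for f in c["range"]}
    sort_fields = {f for s in body.get("sort", []) for f in s}
    if range_fields and sort_fields and not range_fields & sort_fields:
        findings.append(f"range uses {sorted(range_fields)} but sort uses {sorted(sort_fields)}; "
                        "check which field holds the event time")
    # hits.total is never negative, so 'gte: 0' fires the action on every run.
    for path, ops in watch["condition"].get("compare", {}).items():
        if path.endswith("hits.total") and ops.get("gte") == 0:
            findings.append("condition 'gte: 0' is always true; use 'gt: 0' to alert only on hits")
    # A search window longer than the trigger interval reports the same hits in consecutive runs.
    interval = to_seconds(watch["trigger"]["schedule"]["interval"])
    for window in (to_seconds(o["gte"]) for c in must for o in c.get("range", {}).values()):
        if window > interval:
            findings.append(f"window {window}s exceeds interval {interval}s; hits overlap between runs")
    if "*" in request.get("indices", []):
        findings.append("indices ['*'] searches every index; scope it to the log index pattern")
    return findings
```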


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.


(Alexander Reelsen) #3

Hey,

sorry for the late response, just found this one.

Can you include the output of the execute watch API for this one?

Also, please properly format any JSON snippet, as it makes it much easier to read. You can use markdown in here.

--Alex