Setup Elastic Watcher Alert to match two message strings in a log

I'm trying to set up an Elastic Watcher Alert that will scan a logfile and match 2 different messages in the log and then send an alert.

Sample Log
[2023-02-13 09:00:10.749 -05:00 INF] This is test 1
[2023-02-13 09:10:10.789 -05:00 INF] This is test 2
[2023-02-15 09:00:10.750 -05:00 INF] This is test 3
[2023-02-15 09:10:10.751 -05:00 INF] This is test 4
[2023-02-22 04:05:11.752 -05:00 INF] This is test 5
[2023-02-22 04:10:11.753 -05:00 INF] This is test 6

I want to search for "This is test 2" AND "This is test 4"
and then send an alert

Anyone have a watcher alert similar to this for reference?

How about this, for that data in an index named testing and the timestamp parsed out into a field called @timestamp and the message parsed into a field called event:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1h"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "testing"
          ],
          "body": {
            "query": {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "event": "This is test 4"
                    }
                  },
                  {
                    "match_phrase": {
                      "event": "This is test 2"
                    }
                  }
                ],
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1h"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.hits.total": {
          "gte": 2
        }
      }
    },
    "actions": {
      "log": {
        "logging": {
          "text": """
          Alert - matched for both conditions
          """
        }
      }
    }
  }
}
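A caveat on the watch above: with a should clause and a condition of hits.total >= 2, two copies of the same message in the window (say, two "This is test 4" lines) also satisfy the condition, so the alert does not strictly require both phrases. The following is an added example, not code from the thread, that counts each phrase in its own filters bucket and fires only when both buckets are non-empty; it assumes the same index (testing) and fields (@timestamp, event) as the answer above.

```json
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": { "schedule": { "interval": "1h" } },
    "input": {
      "search": {
        "request": {
          "indices": [ "testing" ],
          "body": {
            "size": 0,
            "query": {
              "range": { "@timestamp": { "gte": "now-1h" } }
            },
            "aggs": {
              "expected": {
                "filters": {
                  "filters": {
                    "test2": { "match_phrase": { "event": "This is test 2" } },
                    "test4": { "match_phrase": { "event": "This is test 4" } }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": {
        "source": "def b = ctx.payload.aggregations.expected.buckets; return b.test2.doc_count > 0 && b.test4.doc_count > 0"
      }
    },
    "actions": {
      "log": {
        "logging": {
          "text": "Alert - both 'This is test 2' and 'This is test 4' seen in the last hour"
        }
      }
    }
  }
}
```

Because the filters aggregation is keyed, the buckets come back as an object (buckets.test2, buckets.test4), which is what the Painless condition reads; the _execute response shows the evaluated condition and the doc_count per bucket so you can confirm the logic before saving the watch with PUT.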

Thanks, what would be the JSON format for testing it via the Console with a GET testing/_search?

That's an API call to Watcher's _execute endpoint, used for testing (the Watch isn't "saved"). Once you get it the way you want, you can then PUT the watch to save it.
