Setup Elastic Watcher Alert to match two message strings in a log

scott.godfrey · March 1, 2023, 7:50pm

I'm trying to setup an Elastic Watcher Alert that will scan a logfile and match 2 different messages in the log and then send an alert.

Sample Log
[2023-02-13 09:00:10.749 -05:00 INF] This is test 1
[2023-02-13 09:10:10.789 -05:00 INF] This is test 2
[2023-02-15 09:00:10.750 -05:00 INF] This is test 3
[2023-02-15 09:10:10.751 -05:00 INF] This is test 4
[2023-02-22 04:05:11.752 -05:00 INF] This is test 5
[2023-02-22 04:10:11.753 -05:00 INF] This is test 6

I want to search for "This is test 2" AND "This is test 4"
and then send an alert

Anyone have a watcher alert similar to this for reference?

richcollier · March 2, 2023, 3:11pm

How about this, for that data in an index named testing and the timestamp parsed out into a field called @timestamp and the message parsed into a field called event:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1h"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "testing"
          ],
          "body": {
            "query": {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "event": "This is test 4"
                    }
                  },
                  {
                    "match_phrase": {
                      "event": "This is test 1"
                    }
                  }
                ],
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1h"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.hits.total": {
          "gte": 2
        }
      }
    },
    "actions": {
      "log": {
        "logging": {
          "text": """
          Alert - matched for both conditions
          """
        }
      }
    }
  }
}

scott.godfrey · March 2, 2023, 5:27pm

Thanks, what would be the JSON format for testing it via the Console with a GET testing/_search?

richcollier · March 6, 2023, 1:09pm

That's an API call to Watcher's _execute endpoint, used for testing (the Watch isn't "saved"). Once you get it the way you want, you can then PUT the watch to save it.

system · April 3, 2023, 1:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.