Setup Elastic Watcher Alert to match two message strings in a log

I'm trying to set up an Elastic Watcher Alert that will scan a logfile and match 2 different messages in the log and then send an alert.

Sample Log
[2023-02-13 09:00:10.749 -05:00 INF] This is test 1
[2023-02-13 09:10:10.789 -05:00 INF] This is test 2
[2023-02-15 09:00:10.750 -05:00 INF] This is test 3
[2023-02-15 09:10:10.751 -05:00 INF] This is test 4
[2023-02-22 04:05:11.752 -05:00 INF] This is test 5
[2023-02-22 04:10:11.753 -05:00 INF] This is test 6

I want to search for "This is test 2" AND "This is test 4" and then send an alert.

Anyone have a watcher alert similar to this for reference?

How about this, for that data in an index named testing and the timestamp parsed out into a field called @timestamp and the message parsed into a field called event:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1h"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "testing"
          ],
          "body": {
            "query": {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "event": "This is test 4"
                    }
                  },
                  {
                    "match_phrase": {
                      "event": "This is test 1"
                    }
                  }
                ],
                "minimum_should_match": 1,
                "filter": [
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-1h"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "condition": {
      "compare": {
        "ctx.payload.hits.total": {
          "gte": 2
        }
      }
    },
    "actions": {
      "log": {
        "logging": {
          "text": """
          Alert - matched for both conditions
          """
        }
      }
    }
  }
}

Thanks, what would be the JSON format for testing it via the Console with a GET testing/_search?

That's an API call to Watcher's _execute endpoint, used for testing (the Watch isn't "saved"). Once you get it the way you want, you can then PUT the watch to save it.
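
An added example, not part of the original thread: a total hit count of 2 is also reached by two occurrences of the same message, so this variant counts each phrase in its own `filters` aggregation bucket and fires only when both buckets are non-empty. It is the request body for `POST _watcher/watch/_execute`; the index `testing` and the fields `event` and `@timestamp` come from the thread, while the aggregation name `messages` and the bucket names `test_2` and `test_4` are made up for illustration.

```json
{
  "watch": {
    "trigger": { "schedule": { "interval": "1h" } },
    "input": {
      "search": {
        "request": {
          "indices": ["testing"],
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": [
                  { "range": { "@timestamp": { "gte": "now-1h" } } }
                ]
              }
            },
            "aggs": {
              "messages": {
                "filters": {
                  "filters": {
                    "test_2": { "match_phrase": { "event": "This is test 2" } },
                    "test_4": { "match_phrase": { "event": "This is test 4" } }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": {
        "source": "def b = ctx.payload.aggregations.messages.buckets; return b.test_2.doc_count > 0 && b.test_4.doc_count > 0"
      }
    },
    "actions": {
      "log": {
        "logging": {
          "text": "Alert - both messages seen in the last hour (test 2: {{ctx.payload.aggregations.messages.buckets.test_2.doc_count}}, test 4: {{ctx.payload.aggregations.messages.buckets.test_4.doc_count}})"
        }
      }
    }
  }
}
```

The object under `body` can be sent unchanged as the body of `GET testing/_search` in the Console to inspect the two bucket counts before running the watch.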