Hi there,
I want to ask about alerting messages. I created an alert using an Elasticsearch query to find certs that are close to their expiry date, and I used the server log connector. The alert is running well, but the problem is that if two or more certs are detected as expiring, the alert I made prints the log in one line, like this:
and I need it to print them one per line, so if 2 or more certs are detected it will print 2 lines of log. Here is my Elasticsearch query in this alert:
{
  "query": {
    "bool": {
      "filter": [
        {
          "script": {
            "script": {
              "source": "if (doc['tls.certificate_not_valid_after'].size() == 0 || doc['@timestamp'].size() == 0) { return false; } long days = (doc['tls.certificate_not_valid_after'].value.millis - doc['@timestamp'].value.millis) / 1000 / 60 / 60 / 24; return days < params.lt && days >= params.gte;",
              "params": {
                "lt": 30,
                "gte": 1,
                "value": "<30 >=1"
              },
              "lang": "painless"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
FYI, I made a field using a scripted field and used that field to measure certificate expiration.
Back to the question: is it possible to split the log message above so that the number of lines matches the number of certs detected?
Here is my template message:
Thanks
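The following is an added example and is not code from the original post. It emulates the two halves of the setup above offline in Python: the Painless filter from the posted query, reproduced so its integer-day arithmetic can be inspected, and a minimal Mustache-style section renderer that turns a list of matched hits into one log line per certificate. The `context.hits` name, the `tls.server.subject` field and the sample documents are assumptions made for the example (the Elasticsearch query rule in Kibana exposes matched documents to the action template under a `context.hits` variable in the versions I have used; check the rule documentation for your version before relying on it).

```python
"""
Added example, not from the original post.  Emulates (1) the posted Painless
expiry filter and (2) a per-hit Mustache-style message template, so the
"one line per certificate" rendering can be checked offline.
Assumptions: hits are shaped like Elasticsearch hits ({"_id", "_source"}),
the action context exposes them as `context.hits`, and the subject lives in
`tls.server.subject`.  All sample documents are constructed, not real data.
"""
import re
from datetime import datetime, timedelta, timezone

# Thresholds copied from the posted query params: 1 <= days < 30.
DAYS_GTE, DAYS_LT = 1, 30
MS_PER_DAY = 1000 * 60 * 60 * 24


def to_millis(dt: datetime) -> int:
    """Epoch milliseconds, the unit doc['...'].value.millis yields in Painless."""
    return int(dt.timestamp() * 1000)


def days_remaining(not_valid_after_iso: str, timestamp_iso: str) -> int:
    """Same arithmetic as the posted script: (expiry - @timestamp) / 1000/60/60/24
    on longs, i.e. division truncating toward zero.  A cert with less than 24h
    left therefore yields 0 and silently fails the `gte: 1` bound."""
    diff = to_millis(datetime.fromisoformat(not_valid_after_iso)) - to_millis(
        datetime.fromisoformat(timestamp_iso)
    )
    q = abs(diff) // MS_PER_DAY
    return q if diff >= 0 else -q


def in_alert_window(hit: dict) -> bool:
    """The filter clause of the posted query, applied to one hit."""
    src = hit["_source"]
    days = days_remaining(src["tls"]["certificate_not_valid_after"], src["@timestamp"])
    return DAYS_GTE <= days < DAYS_LT


# --- minimal Mustache subset: {{#name}}...{{/name}} sections and {{a.b.c}} tags ---
SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(scope, path: str):
    """Walk a dotted path through nested dicts; None when any part is missing."""
    cur = scope
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def fill(text: str, scope) -> str:
    """Replace {{var}} tags from `scope`; missing values render as empty strings."""
    return VAR_RE.sub(
        lambda m: "" if lookup(scope, m.group(1)) is None else str(lookup(scope, m.group(1))),
        text,
    )


def render(template: str, ctx: dict) -> str:
    """Expand each section body once per element of the list it names, with
    that element as the scope, then fill the remaining top-level tags."""
    def expand(m):
        items = lookup(ctx, m.group(1)) or []
        return "".join(fill(m.group(2), item) for item in items)
    return fill(SECTION_RE.sub(expand, template), ctx)


# --- constructed sample data (assumed field layout) ---
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def make_hit(hit_id: str, subject: str, expires_in: timedelta) -> dict:
    return {"_id": hit_id, "_source": {
        "@timestamp": NOW.isoformat(),
        "tls": {"server": {"subject": subject},
                "certificate_not_valid_after": (NOW + expires_in).isoformat()}}}


SAMPLE_HITS = [
    make_hit("a1", "CN=api.example.test", timedelta(days=10)),
    make_hit("b2", "CN=vpn.example.test", timedelta(days=29, hours=12)),  # 29 full days
    make_hit("c3", "CN=mail.example.test", timedelta(hours=23)),          # 0 days: dropped by gte 1
    make_hit("d4", "CN=cdn.example.test", timedelta(days=45)),            # outside the window
]

# The section repeats its body once per matched hit, giving one line per cert.
ONE_LINE_PER_CERT = (
    "{{#context.hits}}"
    "cert {{_source.tls.server.subject}} expires {{_source.tls.certificate_not_valid_after}}\n"
    "{{/context.hits}}"
)


def alert_lines(hits: list) -> list:
    """Filter like the query, then render the per-hit template; one entry per cert."""
    matched = [h for h in hits if in_alert_window(h)]
    return render(ONE_LINE_PER_CERT, {"context": {"hits": matched}}).splitlines()


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_HITS):
        print(line)
```

Two things worth noticing when running it: the hit with 23 hours left never reaches the message at all, because the long division in the posted script rounds it down to 0 days and the `gte: 1` bound then excludes it, and the per-line output comes entirely from the section tags wrapping the message body, so a template whose body is a single line with the hit's fields inside a section produces exactly as many lines as there are matched documents.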