Threshold Alert on days until expiry

Hello, fairly new to Elastic Stack and having a play with the Watcher to try and get some useful threshold alerts.

One I'm struggling on is this scenario:
We have heartbeat which is monitoring various https websites, one of the metrics pulled back is "tls.certificate_not_valid_after" e.g. tls.certificate_not_valid_after = "August 12th 2021, 09:40:34.000".

I want to create a new threshold alert (or advanced watcher?) so that if there is less than 30 days until the tls.certificate_not_valid_after date then it triggers the alert.

I can't see any way of creating an alert based on date? Or am I going about this completely the wrong way?

Hi, you will need to create an Advanced Watch for this. Documentation:
https://www.elastic.co/guide/en/elastic-stack-overview/current/watcher-getting-started.html

One way is to use a range query search input to retrieve documents where tls.certificate_not_valid_after is less than now plus 30 days. Then a compare condition can be used to check the number of documents returned > 0 and send an alert.

Hi Jen, thank you so much for pointing me in the right direction. I now have successful results returning from my search with:

{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [ "heartbeat*" ],
        "body": {
          "query": {
            "range": {
              "tls.certificate_not_valid_after": {
                "lt": "now+30d"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "xx@xx.com"
        ],
        "subject": "Certificate Expiry Warning",
        "body": {
          "text": "{{ctx.payload.hits.total}} certificate warnings"
        }
      }
    }
  }
}

This obviously brings back a huge count, as it counts each document that is less than 30 days from the date. How would I take this further by using a field within the heartbeat index such as "http.url" and only return a positive count for each unique "http.url"?

To summarise what I'm trying to achieve:
Use the heartbeat index and trigger an email with details of any "http.url" values where the tls.certificate_not_valid_after date is less than 30 days away.
Thank you.
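One way to get one line per URL rather than one hit per heartbeat document is to keep the range query but move the reporting into a terms aggregation on http.url, with a min sub-aggregation giving the earliest expiry seen for each URL, and iterate the buckets in the email template. This is an added example watch, not code from the thread or from Elastic; it assumes http.url is mapped as an aggregatable keyword field in the heartbeat indices, reuses the placeholder address xx@xx.com from the post, and adds a per-action throttle_period so the hourly schedule does not send the same email every hour.

```json
{
  "trigger": { "schedule": { "interval": "1h" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "heartbeat*" ],
        "body": {
          "size": 0,
          "query": {
            "range": { "tls.certificate_not_valid_after": { "lt": "now+30d" } }
          },
          "aggs": {
            "expiring_urls": {
              "terms": { "field": "http.url", "size": 200 },
              "aggs": {
                "not_after": { "min": { "field": "tls.certificate_not_valid_after" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "send_email": {
      "throttle_period": "1d",
      "email": {
        "profile": "standard",
        "to": [ "xx@xx.com" ],
        "subject": "Certificate Expiry Warning: {{ctx.payload.hits.total}} matching checks",
        "body": {
          "text": "Certificates not valid after the next 30 days:\n{{#ctx.payload.aggregations.expiring_urls.buckets}}{{key}} - not valid after {{not_after.value_as_string}}\n{{/ctx.payload.aggregations.expiring_urls.buckets}}"
        }
      }
    }
  }
}
```

The range query also matches certificates that have already expired, which is normally what you want; hits.total still counts documents, so the subject reports matching checks while the body lists each unique URL once.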
